Complex deployments of connected devices require a joint effort by various stakeholders to ensure information security and physical safety.
By Walter Haydock
A nation-state actor deploys malware targeting connected devices around the globe, attempting to infiltrate through the software supply chain. The attackers gain access to critical assets in sectors such as healthcare, wreaking havoc by preventing access to medical records, disrupting procedure scheduling, and even disabling life support equipment. All of this happens during a global pandemic, where hospitals are already taxed to the limit in the face of a highly contagious pathogen.
This hypothetical situation might seem like a nightmare scenario, but it is quite conceivable based on a chain of events that occurred in the leadup to and backdrop of the COVID-19 pandemic:
Throughout early 2020, the FBI warned organizations about the “Kwampirs” malware, which has impacted the healthcare and energy sectors across the United States, Europe, and Asia. Media reports and expert observers suggest it is the work of the Iranian government, which has a history of aggressively targeting all manner of networks through cyber intrusions.
In 2017 the WannaCry ransomware almost brought the United Kingdom’s National Health Service to a standstill, causing cancelled appointments and diversions of ambulances through the havoc it wrought.
With COVID-19 beginning to ravage the globe, INTERPOL warned about cybercriminals ramping up their attacks to capitalize on the chaos, and cybersecurity experts voiced renewed concerns about the potential risks of hackers shutting down medical devices, either intentionally or simply as “collateral damage” of their financially motivated attacks.
Although the situation described at the beginning of the article is a composite of several real-world incidents that occurred independently, it serves to reveal the security challenges inherent to the burgeoning Internet of Things (IoT). As companies, governments, and individuals continue to capitalize on these interconnected networks of devices, effectively securing them will require a new paradigm of cooperation and coordination between various stakeholders.
With that said, however, it is important to understand the benefits to human health and safety that these technologies – especially industrial IoT – provide. Smart connected products such as thermometers, glucose monitors, electrocardiograms, and even beds have the potential to substantially increase the efficiency and effectiveness of care delivered to patients. In factories across the globe, industrial IoT deployments have allowed workers to either stay at home or maintain appropriate physical distancing in the face of the COVID-19 pandemic.
With the wealth of benefits to productivity and safety that these systems provide, enterprises need to balance concerns with respect to cyber risks against the clear benefits to be had from digital transformation. No large-scale process or business operation is without risk, and wise leaders should strive to mitigate potential threats in a manner that still allows for capitalizing on the potential upsides.
The key to controlling such risk lies in embracing a shared framework for industrial IoT security. A wholistic definition of the participants in this model would include many different groups, but the key parties are device manufacturers, the enterprises that operate them, industrial IoT software companies, public cloud providers, systems integrators and technology partners, and government regulators.
Without having a physical device capable of some productive function, there would be no use for a networked industrial IoT. Such equipment can take many forms, from pressure or temperature sensors to massive industrial robots to driverless cargo vehicles. The functional requirements for each type of product vary widely based on the use case but all must share a minimum baseline of security measures. To maintain these standards, device manufactures should police their supply chains, incorporate secure design principles, and integrate with lifecycle management systems.
Once these devices leave the factory and their operators take control, enterprises actually implementing industrial IoT solutions become responsible for using them securely. In addition to hardening their deployments by disabling unnecessary functionality and isolating networks as appropriate, these operators have ongoing duties to maintain and protect their networks against attackers. This includes using a defense-in-depth methodology to impede cyber threat actors attempting to infiltrate enterprise networks. Organizations also need to train their employees on security best practices with respect to not only cyber hygiene but also specific information security guidelines for their given job duties.
General requirements for individual users include physically securing and updating their workstations, creating strong passwords (and not re-using them between various accounts), and identifying and avoiding malicious content. In addition to not falling victim to classic spearphishing emails, employees need to be aware of more advanced attack vectors such as waterholing.
Depending on the method by which an enterprise deploys its industrial IoT solution, it might have additional responsibilities. If actively managing it, either physically on-premises or virtually via a commercial cloud services provider, these duties include deploying intrusion detection and prevention systems, patching software involved in their industrial IoT deployment to take advantage of security improvements, and updating the third-party application stack upon which the solution operates. Applying industry-standard encryption to data-at-rest and data-in-motion should go without saying, but unfortunately does not always.
When enterprises turn to publicly-available hyperscale clouds, they can take advantage of the flexibility and cost effectiveness of Infrastructure-as-a-Service (IaaS) or a Platform-as-a-Service (PaaS) offerings while at the same time maintaining some control over their deployments. Diverse voices from academia, major technology companies, and even the United States National Security Agency have sought to lay out exactly which parties are responsible for what actions in this environment. The simplest way to describe this breakdown is that cloud providers are responsible for the security “of” the cloud while its customers should ensure security “in” the cloud. Direct communication and negotiation between the two parties, however, is critical to establish clear roles and responsibilities and to prevent security gaps – frequently exploited by malicious actors – from emerging.
As industrial IoT device operators look to offload the maintenance and support costs of operating complex applications, they are increasingly taking advantage of managed or Software-as-a-Service (SaaS) models. In this paradigm, the maker of the software in question also hosts it for the customer purchasing and using it. In this case, the security responsibilities incumbent upon customers in an on-premises model shift to the software provider and its hosting organization.
Whether or not they are actually managing their customers’ deployments, the makers of industrial IoT software have their own separate and unique obligations. These include securely testing, releasing, documenting, and supporting their products already in the field. Furthermore, vendors should encourage a security-centric mindset in both technical employees such as software developers and professional services teams and also business professionals like product managers and salespeople. By ensuring that all members of the organization understand the importance of secure development and configuration, companies can not only provide their customers with the relevant tools but also help these enterprises to implement them securely.
Along with the makers of industrial IoT platforms themselves are a host of other technology providers such as systems integrators, third-party software makers, and even hobbyist developers. All of these groups have a similar obligation to follow industry standard practices with respect to coding and maintenance. Companies that are operating industrial IoT solutions in production environments should ensure that they take appropriate steps to vet these outside organizations – through background checks and references – and their products. Technical steps such as static (when possible), dynamic, and/or software compositions analysis as well as requiring third-party certifications and attestations can help to investigate the latter.
Finally, governments also have a role to play. Efforts such as California’s now-enacted Senate Bill 327 outlawed the sale of connected devices with non-unique default passwords throughout the state, setting an example for the nation and the world. At the level of the American federal government, the Internet of Things Cybersecurity Improvement Act is another excellent initiative that would mandate the development of security standards and vulnerability reporting guidelines for contractors selling IoT devices or software to the government. Although this bill still languishes in committee without further action, its existence represents a growing awareness on behalf of legislators with respect to the urgency of formally codifying cybersecurity requirements for connected devices. Other participants in the shared security framework should collaborate with legislators and regulators to help craft – and facilitate passing – rules that incentivize proper security behaviors.
Implementing a useful and manageable Industrial IoT solution requires efforts from a variety of stakeholders. Doing so securely is perhaps even more important and requires explicit coordination and understanding between the various parties involved. Using the aforementioned framework as a starting point, however, can provide an initial understanding of the shared responsibilities involved in deploying networks of connected devices. By leveraging this model, organizations can reap the productivity and cost-saving benefits of the industrial IoT while mitigating the inherent security risks of connecting powerful and valuable physical assets.
Walter Haydock is a product manager at PTC, where he leads cybersecurity strategy for the ThingWorx Industrial IoT Solutions Platform.