Kaspersky Lab provides its perspective on securing the Internet of Things and the five main myths surrounding industrial network security.
As manufacturing starts to really embrace the concept of the Industrial Internet of Things (IIoT) and becomes rapidly more connected and potentially more vulnerable, Kaspersky Lab’s Kirill Slavin explains some of the myths surround the security of industrial control systems so that specifiers, administrators and network specialists can approach the task of ensuring security with their eyes open to the realities.
At the heart of the problem of securing the IIoT, there is a long held belief that isolating industrial systems physically and obtaining “Security by obscurity” is enough. Kirill explains that this is most certainly not the case and sets out to explain the most common five myths held in the world of manufacturing and how the traditional air-gap and perimeter-based approaches to cyber security are no longer enough to protect industrial systems.
1 – Not connected to the internet so therefore secure – MYTH
Connections exist where you think they don’t. One energy company did an internal survey which showed that most of its business unit managers thought that the industrial systems were isolated from enterprise networks despite the fact that 89% of the systems were in fact connected.
According to Kirill, business network security at the organisation was geared towards general business processes only, with no regard to critical process systems. Multiple connection types between the enterprise network and the internet were in place, including intranets, direct internet connection, wireless and dial-up modems.
This kind of patchy security can leave you wide open. Take the “Slammer” worm for example. It affected critical infrastructure as diverse as emergency services, air traffic control and ATMs, achieved its full scanning rate (55 million per second) in under three minutes — thanks to the internet.
The average Industrial Control System (ICS) has 11 direct connections to the internet. Kirill has this advice for industrial network administrators, “If you think yours is an exception, it might be worth taking another look.”
2 – Firewalls keep networks safe from outside threats – MYTH
Although some protection is afforded by firewall, they aren’t infallible and a recent study showed that nearly 80% allowed unsecured access to the firewall itself and nearly 70% of 37 firewalls studied allowed machines from outside the perimeter to access and manage the firewall.
3 – There is a lack of understanding of industrial networks amongst hackers – MYTH
The “blackhat” conferences favoured by the hacker community are buzzing with SCADA and process control system topics as they can prove to be very lucrative targets. Here are some of the reasons why companies should believe that hackers are interested in industrial control systems and have the capability of attacking them:
* Targeted worms and other exploits are now being tailored for specific applications or targets.
* Off-the-shelf SCADA specifications can be bought or readily accessed online. These make great reading for hackers, providing a level of understanding that they would not have had otherwise.
* The Shodan search engine makes it easy to locate unsecured industrial devices and systems globally. Criminals are all-too-aware that, in many instances, these devices are still operating under factory settings with generic passwords and login details such as “admin” and “1234”
* Project Basecamp, Nessu plug-ins and Metasploit modules help with penetration testing but can also be used for criminal purposes.
4 – There’s no reason for a hacker to target us – MYTH
According to Kirill Slavin, thinking in this way is a dangerous game and whether an organisation is a target or not is largely irrelevant. To be a victim of a cyber attack, a company doesn’t even need to be a target since 80% of control system security incidents are unintentional but nonetheless cause harm. Slammer, for instance, was aimed at taking down as many systems globally as possible. It didn’t specifically target energy companies or emergency services, but it had a significant impact on many of them.
Secondly, many systems are already exposed and vulnerable to attacks, thanks to the insecure operating systems they are based on. Extensive research by Kaspersky Lab, using data from the Kaspersky Security Network (KSN) indicates that there is a growing number of computers running SCADA software that encounter the same malware afflicting business systems (IT), including well known culprits such as Trojans viruses, worms, potentially unwanted and dangerous programs (PUPs) and other exploits targeting vulnerabilities in the Windows operating system.
5 – Safety systems provide the right protection – MYTH
Most of the safety systems available today are technically flawed. This is the reason why Kaspersky Lab is working on a secure operating system that has been built from the very beginning with security in mind. Some of the main issues with the current systems are that:
* IEC 61508 Certification (SIL) doesn’t evaluate security.
* Modern SIS are micro-processor-based, programmable systems that are configured with a Windows PC.
* It has become commonplace to integrate control and safety systems using Ethernet communication with open insecure protocols (Modbus TCP, OPC.)
* Many SIS communication interface modules run embedded OS and Ethernet stacks that have known vulnerabilities.
* LOGIIC SIS Project (ICSJWG): SIS-ICS integration imposes risks, default configurations are not secure.
Steps towards protection
Kirill Slavin believes that in order to successfully defend against attacks in the process-centric, high availability industrial control environment, security systems need to meet specific requirements.
“While air-gaps and perimeter based approaches are important first lines of defence, protection must also take place inside the perimeter, on the vulnerable systems and devices that are being targeted,” he said.
“As cyber-criminal activity, including targeted attacks and Advanced Persistent Threats (APTs), continue to grow in frequency and sophistication, security systems should be continually reviewed and reappraised and any beliefs about ICS that you might once have clung to should be subject to the same treatment,” concluded Slavin.