Jonathan Newell spoke to experts in information security about the specific problems they face in reducing vulnerabilities in an increasingly connected world.
The Industrial Internet of Things (IIoT) will be gigantic, potentially orders of magnitude larger than connected office and home IT systems. Industry 4.0 depends on the connection of billions of sensors, RFID tags, machine tools and shop floor equipment.
All these things use a vast variety of operating systems, standard and bespoke software and a broth of different communication protocols. Given the security industry’s track record for securing information in the comparatively simple office IT environment, things don’t bode well for industrial system security.
However, there are a number of security companies that have made it their mission to tackle IIoT security and grapple it into submission before the hackers make a complete meal of it. I spoke to three companies that are taking different approaches.
Treating the IIoT the same as IT
To distinguish between the office systems that most are familiar with and the new world of connected devices, the industry has coined the term OT for “Operational Technology” for the latter in contrast to IT. According to some suppliers, including Skybox, the OT presents the same kind of security challenges as IT networks.
Commenting on this notion, Skybox’s Director of Product Marketing, Kevin Flynn told me, “Industrial systems are not that much different from IT. OT and IT form an integrated system in most enterprises and should be modelled accordingly,” he said, asserting that cybercriminals don’t see the two as different things but as one contiguous whole. For this reason, the industry shouldn’t view it differently either.
Due to the vast number of devices attached to such networks, Skybox takes the necessary step of using an “agentless” approach. This means that individual things connected to the network (such as computers, machines, cameras, sensors etc) don’t need to have security software loaded on them in order to be protected. The security comes from the network, not the device.
From a decade’s experience of security analytics for companies with large commercial networks, Skybox has understood from the start that the first challenge is in understanding exactly what the network comprises. Discovering devices, understanding what they are and knowing what traffic each of them is expected to generate is key to securing the network.
“This allows companies to envisage their networks as an attack surface, which is vulnerable to cyber criminals. Knowing the network topology enables these vulnerabilities to be understood and for policies to be set up to protect them,” explains Flynn.
Complexity is the enemy of security
Using an agentless, platform-based approach is something with which networking giant Palo Alto Networks also agrees. The company recently bought up-and-coming IoT security swashbuckler Lightcyber, and I spoke to the company’s Senior Technologist, Aaron Miller.
Although Palo Alto Networks doesn’t share the Skybox notion that IT and OT are the same, it nonetheless believes that lessons learnt from securing commercial systems should be applied to industrial networks. However, commercial security systems are often based on a best-of-breed approach, whereby individual products are used for specific tasks such as encryption, anti-virus or data protection.
Palo Alto Networks believes it is better to take a more cohesive approach to industrial systems than to assemble best-of-breed software or to focus on individual technologies such as sensors or machine tool software.
“A best of breed or point solution approach demands too much expertise and too many disparate devices need to be maintained and updated. This creates complexity and this is the enemy of security,” Miller explained.
According to Miller, a four-stage approach is needed to cut through the complexity and simplify the route to a secure network. The four stages are:
1 Visibility
This extends the notion of device discovery and knowing what’s connected to the network to include insight into the operating systems, applications and network protocols in use.
2 Reducing the attack surface
This is the core expertise of the acquired Lightcyber company, which developed considerable expertise in behavioural analysis. Combining that analysis with role-based access control for machines as well as people, and with a mapping of protocols such as Modbus or FTP to the devices and functions that are expected to use them, enables abnormal transactions to be identified deeply and accurately.
For example, a connected sensor would be expected to transmit very small packets, using a specific protocol, to a monitoring server. Anomalies in packet size, protocol, direction of transmission or destination are then easily and accurately spotted.
3 Preventing known attacks
The third stage is the prevention of known attacks through the recognition of known malicious code.
4 Detecting unknown malware
The fourth stage is the detection of unknown malware using dynamic detection technology and “sandboxing”, in which suspect code is executed and observed in an isolated environment, usually within a network firewall appliance.
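As an added illustration of the second stage (this is not code from Palo Alto Networks or Lightcyber, whose products do the same thing with far richer telemetry), the following Python learns a per-device profile of protocol, peer, direction and flow size from a baseline capture and flags live flows that depart from it. The flow records, device names, peers and the 1.5x size headroom are all constructed for the example.

```python
"""Per-device behavioural baseline for IIoT network flows.

Added example, not from the original article or any vendor product. Flow records
and profiles are simplified constructs; a real sensor would feed this from
NetFlow/IPFIX or a protocol-aware tap.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    device: str      # the monitored device this flow belongs to
    proto: str       # application protocol identified on the wire, e.g. "modbus"
    peer: str        # the other endpoint of the flow
    direction: str   # "out": device -> peer, "in": peer -> device
    size: int        # bytes carried by the flow


@dataclass
class Profile:
    protos: set = field(default_factory=set)
    peers: set = field(default_factory=set)
    directions: set = field(default_factory=set)
    max_size: int = 0


def learn_profiles(baseline, headroom=1.5):
    """Derive one Profile per device from flows captured during a known-good period.
    headroom lets flow sizes grow modestly before an alert fires (assumed value)."""
    profiles = defaultdict(Profile)
    for f in baseline:
        p = profiles[f.device]
        p.protos.add(f.proto)
        p.peers.add(f.peer)
        p.directions.add(f.direction)
        p.max_size = max(p.max_size, int(f.size * headroom))
    return dict(profiles)


def check_flow(flow, profile):
    """Return the ways a flow departs from its device's profile; [] means normal."""
    reasons = []
    if flow.proto not in profile.protos:
        reasons.append(f"protocol {flow.proto} not in baseline")
    if flow.peer not in profile.peers:
        reasons.append(f"peer {flow.peer} not in baseline")
    if flow.direction not in profile.directions:
        reasons.append(f"direction {flow.direction} not in baseline")
    if flow.size > profile.max_size:
        reasons.append(f"size {flow.size} exceeds baseline ceiling {profile.max_size}")
    return reasons


def detect(baseline, live):
    """Run live flows against learned profiles; return [(flow, reasons), ...]."""
    profiles = learn_profiles(baseline)
    alerts = []
    for f in live:
        profile = profiles.get(f.device)
        if profile is None:
            # A device with no baseline at all is itself worth an alert.
            alerts.append((f, ["device never seen during baseline"]))
            continue
        reasons = check_flow(f, profile)
        if reasons:
            alerts.append((f, reasons))
    return alerts


# Constructed baseline: a sensor pushing small Modbus records to a historian and a
# camera streaming RTSP to a recorder. Names and sizes are made up for the example.
BASELINE = [
    Flow("sensor-01", "modbus", "historian.plant.local", "out", 64),
    Flow("sensor-01", "modbus", "historian.plant.local", "out", 72),
    Flow("sensor-01", "modbus", "historian.plant.local", "out", 80),
    Flow("cam-12", "rtsp", "nvr.plant.local", "out", 1_500_000),
    Flow("cam-12", "rtsp", "nvr.plant.local", "out", 1_800_000),
]

# Constructed live traffic: two normal flows and three that should raise alerts.
LIVE = [
    Flow("sensor-01", "modbus", "historian.plant.local", "out", 70),   # normal
    Flow("sensor-01", "ftp", "203.0.113.9", "out", 48_000),            # wrong protocol, peer, size
    Flow("sensor-01", "modbus", "laptop-unknown", "in", 60),           # unexpected inbound peer
    Flow("cam-12", "rtsp", "nvr.plant.local", "out", 1_600_000),       # normal
    Flow("plc-07", "modbus", "historian.plant.local", "out", 64),      # never baselined
]

if __name__ == "__main__":
    for flow, reasons in detect(BASELINE, LIVE):
        print(f"ALERT {flow.device}: {'; '.join(reasons)}")
```

The baseline must be captured while the network is known to be clean, otherwise an attacker already present is learned as normal. An allow-list of observed peers will also alert on legitimate but rare traffic such as a firmware server or a maintenance laptop, which is why the text pairs behavioural analysis with role-based policy rather than relying on observation alone.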
Embedded software devices
Jeff Luszcz, Vice President of Product Management at Flexera explained the problem of vulnerabilities on devices such as surveillance cameras that are connected across networks but rely on open source operating systems and software.
According to Luszcz, such cameras typically have full-time, high-speed network connections, run embedded Linux and lack the monitoring that might alert a user to a compromise. Additionally, many of these systems are designed for limited roll-out, or come from a company that has paid little attention to hardening or security. This combination of powerful, always-connected systems that are easy to breach and unlikely to be noticed when compromised is what allows botnets to thrive.
“The typical embedded Linux system uses dozens to hundreds of open source packages. While these components are typically high quality, all software contains defects and over time vulnerabilities in these components are discovered and eventually taken advantage of,” explained Luszcz.
Many of these devices are not designed to be updated automatically, yet they depend on software from commercial and open source organisations in which new vulnerabilities are discovered every few weeks to every few months.
Software Bill of Materials
It is becoming a best practice to pay attention to a device’s Software Bill of Materials, with special attention to components with known vulnerabilities as seen in places such as the National Vulnerability Database. By keeping track of the list of components used in the operating system as well as the application itself, a company can stay ahead of malware authors – especially if they have a rigorous patching system in place.
“The irony is sometimes that update systems can be used by malware authors to spread their malware. This occurs when secrets, such as hard-coded passwords, are shared across multiple devices or device families,” Luszcz continued. Much current IoT malware spreads through this trivial weakness, but as that vector gets locked down, many authors are moving to exploiting known vulnerabilities in common components.
Software Composition Analysis
Today, products and services are available that are designed to help IIoT system designers keep track of their use of open source and commercial dependencies, and to alert them when new vulnerabilities are discovered in the components they use. This allows them to create products that contain no known vulnerabilities when first shipped, and to stay on top of components as they age in the field. This type of scanning and management software is known as Software Composition Analysis (SCA) software.
Such software contains scanning and workflow features designed to help technology companies discover, manage and upgrade the open source components they use, and to comply with those components’ licences. By comparing the files used on the devices against a database of billions of known open source files, the system is able to discover third-party components both for vulnerability management and for open source licence compliance.
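The two steps described in the Software Bill of Materials and Software Composition Analysis sections above, as an added Python example that is not code from the article or from Flexera: files in a firmware tree are fingerprinted against a known-file database to produce an SBOM, and the SBOM is then matched against a vulnerability feed with version-range checks. The binaries, file hashes, firmware tree and feed excerpt are constructed inline; the two CVE identifiers are real and their affected ranges are as recorded in the NVD (Heartbleed affects OpenSSL 1.0.1 to 1.0.1f, and the zlib issue is fixed in 1.2.11), but the excerpt is not a substitute for the live feed.

```python
"""SCA scan of a firmware tree, then SBOM-to-vulnerability matching.

Added example; not the article's or Flexera's code. Every input below is constructed
for the demonstration except the CVE ids and their version ranges. A real known-file
database holds hashes of billions of files and the feed is pulled from the NVD.
"""
import hashlib
import re


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for binaries (a real scanner hashes the actual build artefacts).
BUSYBOX_BIN = b"\x7fELF busybox 1.30.1 multi-call binary (constructed stub)"
LIBSSL_BIN = b"\x7fELF OpenSSL 1.0.1e 11 Feb 2013 (constructed stub)"
LIBZ_BIN = b"\x7fELF zlib 1.2.11 (constructed stub)"
CAMD_BIN = b"\x7fELF camd vendor streaming daemon (constructed stub)"

# Known-file database: file hash -> (component, version). Built from the stubs above.
KNOWN_FILES = {
    sha256(BUSYBOX_BIN): ("busybox", "1.30.1"),
    sha256(LIBSSL_BIN): ("openssl", "1.0.1e"),
    sha256(LIBZ_BIN): ("zlib", "1.2.11"),
}

# Constructed firmware tree of a hypothetical camera: path -> file contents.
FIRMWARE = {
    "/bin/busybox": BUSYBOX_BIN,
    "/usr/lib/libssl.so.1.0.1": LIBSSL_BIN,
    "/usr/lib/libz.so.1.2.11": LIBZ_BIN,
    "/usr/bin/camd": CAMD_BIN,   # the vendor's own code, absent from the database
}

# Feed excerpt. "introduced" is inclusive, "fixed" is exclusive, None means unbounded.
VULN_FEED = [
    {"id": "CVE-2014-0160", "component": "openssl", "introduced": "1.0.1", "fixed": "1.0.1g"},
    {"id": "CVE-2016-9843", "component": "zlib", "introduced": None, "fixed": "1.2.11"},
]


def version_key(v: str):
    """Sortable key for versions such as "1.0.1f" or "1.2.11" (digits, optional letters)."""
    parts = []
    for piece in v.split("."):
        m = re.fullmatch(r"(\d+)([a-z]*)", piece)
        if not m:
            raise ValueError(f"unparseable version component {piece!r}")
        parts.append((int(m.group(1)), m.group(2)))
    return tuple(parts)


def is_affected(version, introduced, fixed) -> bool:
    """True when version lies in [introduced, fixed)."""
    k = version_key(version)
    if introduced is not None and k < version_key(introduced):
        return False
    if fixed is not None and k >= version_key(fixed):
        return False
    return True


def scan_firmware(tree, known_files):
    """Fingerprint every file. Returns (sbom, unidentified): sbom is a list of
    {"name", "version", "path"} in path order; unidentified lists paths not matched."""
    sbom, unidentified = [], []
    for path, content in sorted(tree.items()):
        hit = known_files.get(sha256(content))
        if hit:
            name, version = hit
            sbom.append({"name": name, "version": version, "path": path})
        else:
            unidentified.append(path)
    return sbom, unidentified


def match_vulnerabilities(sbom, feed):
    """Return (vuln_id, component, version, path) for every affected SBOM entry."""
    findings = []
    for comp in sbom:
        for vuln in feed:
            if vuln["component"] == comp["name"] and is_affected(
                comp["version"], vuln["introduced"], vuln["fixed"]
            ):
                findings.append((vuln["id"], comp["name"], comp["version"], comp["path"]))
    return findings


if __name__ == "__main__":
    sbom, unknown = scan_firmware(FIRMWARE, KNOWN_FILES)
    for comp in sbom:
        print(f"SBOM: {comp['name']} {comp['version']} ({comp['path']})")
    for path in unknown:
        print(f"UNIDENTIFIED: {path} (needs manual review or a wider database)")
    for vid, name, version, path in match_vulnerabilities(sbom, VULN_FEED):
        print(f"FINDING: {vid} affects {name} {version} at {path}")
```

Exact-hash matching only recognises files that were built exactly as the database has seen them; a recompiled, stripped or statically linked component produces a different hash and silently drops out of the SBOM, which is why commercial SCA tools add fuzzy and snippet-level matching on top of this. The unidentified list is therefore as important as the findings list: a device whose largest binaries cannot be identified has an unknown attack surface, not a clean one.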