Are vendors on the wrong path where smart plant security is concerned?

Cyber criminals can't wait for enterprises to mainly apply access controls and encryption as their toughest solution for securing smart plants

Are vendors on the wrong path where smart plant security is concerned?
m01229 (CC BY 2.0)

As the number of smart plants that use M2M, sensors, and other ICT continue to rise, so too does the lure for attackers.

Manufacturing, energy, and utilities sectors are reportedly spending a combined 206.51 billion Euros globally on ICT in 2019, says Shuba Ramkumar, senior research analyst, Frost & Sullivan.

Organizations are connecting systems to the Internet that they once kept purposely siloed for safety. "Smart plants face new challenges due to the ever-expanding connectivity of their control systems as they link into and rely on business operations and remote monitoring and management," says Graham Speake, lead trainer at the SANS Institute and a 30-year cyber security industry veteran.

You would think that most vendors are planning tighter, more effective security measures for smart plants now and into the future. One expert says it just isn't so.

"Based on my interactions with vendors at the Industrial Internet Consortium, I see a big problem looming. Many vendors have this naïve vision of a product ecosystem so robust that any fool can connect a bunch of pieces together any way they want and have a secure system. Concepts like strong encryption and fine-grained, role-based access controls are bandied about. These are not solutions though; they ignore important attack modes," insists Andrew Gitman, Co-Chair of the ISA SP-99 Working Group 1 revising the SP-99 report on cyber security technologies.

Smart plant vulnerabilities

Smart plant vulnerabilities are many. Threats to smart manufacturing plants alone include cloud computing environments, connected devices/Internet of Things, wireless communications, and mobile devices. Cloud computing concerns include uncertainty about the actual location of hosted data and whether, how, and how well cloud services or cloud providers are securing that data.

"Without proper security, network access to the cloud, even via private connections is susceptible to cyber attack," says Ramkumar.

Connected devices/IoT are still a young technological arena. Any new technology is less secure than one with a long history of discovering and repairing vulnerabilities. With the already tremendous and rapidly-growing number of connected devices on the plant floor, the risks of that newness will catch up to us. But those are not the only threats from IoT as connected devices can become the tools of an attack. "There is a persistent data security threat in each of these devices as there is a risk of misuse," says Ramkumar.

Andrew Gitman, Co-Chair of the ISA SP-99 Working Group 1 revising the SP-99 report on cyber security technologies

Wireless attacks including man-in-the-middle attacks affect transmissions and data in transit. Wireless mobile devices that plant operations staff use often lack the security to protect data and manufacturing processes. "This can lead to data and production losses for the manufacturers," says Ramkumar.

Attackers know how to subvert smart plant security measures. Encryption is no match for an attacker when the encryption software has a gaping hole he can exploit. "These platform-level attacks target the software itself. Who cares whether we have a gazillion-bit encryption if the encryption software stack has a buffer overflow vulnerability?" asks Gitman. The Heartbleed bug was a catastrophic example of a hole in encryption software.

Once an attacker has compromised a group of like endpoints, he can launch attacks through those devices despite the assumed protections of encryption and two-factor, fine-grained account credentials, according to Gitman.

Further, attackers can enter smart plant technologies through compromised cloud service providers even when the enterprise has secured the provider's access by using strong two-factor VPN connections and by permitting just read-only privileges. When that provider connects to the smart plant technology, perhaps to a database platform, the attacker can send fuzzing or buffer overflow attacks through that secure, read-only account instead of the intended query data, explains Gitman.

"If those attacks through the cloud work, the attacker has used the provider's "read only" connection to compromise the database server. Now the attacker has control of a server in an industrial control system and can look around and work to pivot deeper into the system to carry out their sabotage agenda," explains Gitman.

Smart plant security: Which way to turn

Enterprises need to first use standards to protect smart plants hardware and applications. Standards work from the IETF in its CoRE, ROLL, and 6LoWPAN working groups should help to address smart plant security. IETF ROLL (Routing Over Low power and Lossy networks) standards should aid M2M communications and security, according to "Project Deliverable D3.1 - Initial M2M API Analysis", the IOT-A project, while the IETF CoRE (Constrained RESTful Environments) work should support the security of resource-oriented applications intended to run on constrained IP networks, according to data from IETF.org. The IETF work concluded in its 6LoWPAN (IPv6 over Low power Wireless Personal Area Networks) working group should help to ensure that low-power devices with limited processing capabilities can participate in the Internet of Things, according to data from IETF.org.

"IoT is in evolving space where standards issues still need resolution. The industry needs to take steps to spell out cyber security measures as industry standards roll out," says Ramkumar. 

The biggest challenge to the future of smart plant security is the idea some vendors have that they can connect networks without fear rather than keep them segregated. "Smart plant advocates believe they can just cryptographically authenticate all communications and all will be well. If we do what these advocates are saying and connect our latest, ultra-secure, device networks straight out to the Internet, those systems won't last a month," says Gitman. Attackers would simply seek out undiscovered exploits, zero-days and compromise smart plant hardware.

To mitigate this challenge, it is important to shake things up with perimeter security. Firewalls by their nature permit some data through, and what they do allow can become a carrier for attack packets in and out of the smart plant. "Use unidirectional gateways, which are hardware-based solutions instead of firewalls for IT/OT perimeters," says Gitman. These devices let information out and prevent attacks from joining or piggybacking return traffic.

"The latest French ANSSI cyber security standards for critical infrastructure require unidirectional gateways for the most important classes of control networks. And the standards are enforced only for the most modern control networks, implying the smartest and most advanced networks," says Gitman.

Unlike unidirectional devices of the past, modern technologies can permit security updates, batch processing instructions, and select data to return to the smart plant in a disciplined way, without the vulnerabilities that are incumbent on firewalls, says Gitman.

Gateways are only one component of a secure front for the smart plant. Enterprises must still invest in a comprehensive security program that includes education, awareness, training, incident response planning, business continuity/disaster recovery planning, supply chain security, systems design, security assessments, and patch management programs, according to Speake.

"It is important to institute, continue in all key aspects of building a comprehensive program that helps protect your people, property, and information," says Speake. 

This story, "Are vendors on the wrong path where smart plant security is concerned?" was originally published by CSO.

Copyright © 2015 IDG Communications, Inc.

How to choose a low-code development platform