The rush to connectivity in manufacturing, critical infrastructure, energy, transport, utilities, and aerospace has exposed significant security vulnerabilities. The implications of security failures in the IIoT are potentially far more serious than in the home and consumer IoT. While pursuing the benefits of remote control and management of devices, IIoT manufacturers have lacked the security awareness, skills and experience needed to ensure secure environments. Security has not been the top priority in the scramble to bring connected devices to market.
In an IIoT ecosphere, much happens through a PLC (Programmable Logic Controller), the hardware that allows digital data to interact with the physical world. PLCs are the brains of many machines and devices, enabling data monitoring, processing and management. Groups of devices form an ICS (Industrial Control System), which is often distributed over multiple sites in a SCADA (Supervisory Control and Data Acquisition) system.
The IIoT enables connectivity, monitoring and management. While the benefits of ICS/SCADA are apparent, cyber sabotage takes on new dimensions with real-world physical effects. Just as a conventional, physical weapon such as a missile can cripple a manufacturing facility or critical infrastructure such as a dam or power plant, so too can a cyber attack on the IIoT environment.
The most impressive chronicled cyber attack on an IIoT facility was the Stuxnet malware, which targeted centrifuges at Iran’s uranium enrichment facility in Natanz. The attack set the Iranian nuclear programme back by several years, and is well described in Kim Zetter’s excellent book, Countdown to Zero Day. Stuxnet illustrated that air gapping, that is, isolating the facility from the internet, is not an impenetrable defence against digital attack.
In late December last year, the Ukraine power grid was disabled by a cyber attack. After the attacker gained remote access to an operator’s system, he was able to disable about 30 substations and take the power grid down. As is so often the case, initial access into the system was achieved through spear phishing.
In November 2015, Sweden’s Air Traffic Control was put out of action by a suspected cyber attack. It caused the grounding of many flights across the country.
Building management systems and traffic management systems are two more examples of IIoT systems at risk, and cyber security attacks against IIoT ecosystems are on the rise. UK Defence Minister Liam Fox says that the threat to the UK energy sector is “not a theoretical risk but a very real threat”.
Eugene Kaspersky noted that companies often don’t report attacks on their SCADA networks, and often don’t even know they’ve been attacked.
Several characteristics of existing IIoT environments exacerbate security concerns:
- Machinery, equipment and devices in IIoT environments have different operating systems, architectures, protocols, software and software version numbers.
- Many IIoT operating systems are outdated – such as MS-DOS, Windows 3.1 or XP.
- There is often a lack of IIoT network monitoring, malicious file detection and alert systems.
- Vulnerability testing and patching of IIoT systems are lacking.
- Strong access controls are absent.
- Many IIoT systems are vulnerable to spear phishing attacks on administrators and operators.
No doubt, over the next few years we will see several successful attacks on IIoT environments causing major disruption to manufacturing, critical infrastructure, energy, transport, and utilities.