In October 2019, security researchers discovered unauthorized cryptocurrency mining software in a range of industrial and commercial equipment, from multifunction printers in offices to unmanned forklifts operating in warehouses. The rapidly spreading malware may have been the work of cryptojackers, who commandeer connected devices for financial gain.
Irrespective of their motivation, these attackers could have compromised sensitive information or caused physical damage, injury, or even death by disrupting the movement of the driverless vehicles they targeted.
What is more concerning, however, is the method by which the malicious code made its way into these devices. The company analyzing the incident strongly suspected that the original infection occurred upstream in the supply chain and that the enterprises operating the equipment were second-order victims of the unknown attackers.
This incident is just one of the recent examples of a growing threat to the Industrial Internet of Things (IIoT): supply chain attacks.
The IIoT represents a vast array of connected devices that transmit data useful for driving analysis, predictive maintenance, and other business processes. From the quotidian - like coffee makers - to the vitally important - such as military aircraft, medical devices, and even nuclear power plants - IIoT systems are irrevocably and increasingly intertwined with businesses and governments across the world.
Connecting this array of machines has facilitated measurable improvements to productivity and organizational performance through improved efficiency and reduced downtime. In the face of COVID-19, IIoT systems allowed employees to conduct manufacturing and service operations remotely while facilitating improved safety for those workers who must remain on-site.
These improvements, however, come at a cost. Whole generations of devices - many of which are older than the software engineers dutifully connecting them to the Internet - are operating in safety-critical situations but lack basic security measures or even the ability to implement them.
Most modern deployments represent a jumble of technologies, protocols, and vendors. As the worlds of Information Technology (IT) and Operational Technology (OT) collide and enterprises sprint towards digital transformation, massive gaps in maintenance, interoperability, and security become glaringly apparent.
Rather unsurprisingly, a variety of actors have attempted to exploit these vulnerabilities towards various ends. Even the most benign ones, such as the aforementioned cryptojackers, can waste electricity and disable critical equipment.
Most alarming, however, is the fact that state-operated Advanced Persistent Threats (APTs) have targeted critical infrastructure for physical destruction through electronic infiltrations of IIoT systems. The Iranian Islamic Revolutionary Guard Corps (IRGC), for example, compromised the control systems of a dam in upstate New York in 2013. A Russian government-owned laboratory was likely the source of an attempted physically destructive cyber attack against a Saudi petrochemical plant in late 2017. And a leak of documents from Russia’s premier intelligence agency, the Federal Security Service (FSB), further highlights that government’s concerted efforts to target connected devices.
Enterprises have already begun investing massive amounts of resources to implement layered defenses against such threats to their convoluted deployment architectures. Given the tangled web in which we find ourselves, there is no option except to bear the financial costs of securing these networks through a patchwork of security measures such as using anomaly detection software, retrofitting older devices, “bolting-on” security features, and attempting to air-gap entire networks.
What to do going forward, however, is a different story. Concerted action now, especially in terms of IIoT supply chain security, can save huge amounts of money and protect against potentially catastrophic future breaches. Predictions vary, but most watchers agree that there will be tens of billions more Internet-connected devices in operation by the middle of this decade. This explosion in the number of new devices represents an opportunity for changing the IIoT security paradigm.
In order to avoid an indefinite continuation of the chaotic present state, all stakeholders - from device manufacturers to operators to software vendors - should embrace a cradle-to-grave IIoT security model. Hackers almost always target the seams of IIoT connectivity, probing for weaknesses at critical junctures rather than attacking strengths. For example, they generally prefer attempting to guess default passwords - set by the device manufacturer but left unchanged by the end user - to pursuing (currently) near-impossible vectors such as cracking Transport Layer Security or other encryption protocols. Securing the entire lifecycle of connected devices can mitigate and even eliminate such easily exploitable gaps.
As organizations become aware of the vulnerabilities posed by their unprotected networks and take steps to close off the most obvious entry points, attackers are likely to increase their efforts to penetrate the IIoT supply chain. Many of the aforementioned APTs are well-resourced, disciplined, and ruthless. Their backers have a long history of patiently infiltrating target ecosystems and waiting for the right moment to strike. More recently, a probable China-based APT conducted a string of software supply chain attacks in an effort to spy on a discrete set of targets, rather than pursue financial gain. Such behavior is the hallmark of a government-sponsored actor and suggests that attempted exploitation of software supply chains by sophisticated actors will increase.
In addition to the best practices that enterprises are already implementing, device manufacturers and operators need to work closely with IIoT software providers to take four key steps:
Firstly, builders of connected devices - and any device that might conceivably connect to the Internet - need to ramp up their supply chain due diligence measures. Inserting a firmware backdoor or malicious software during device assembly represents a relatively unguarded point of entry for attackers. Preventative measures would include insisting on third-party audits and certifications of microchip makers and similar hardware vendors. These inspections should focus closely on suppliers’ physical security measures, employee vetting practices, and friendliness to - or subservience to - governments known to sponsor APTs.
Secondly, manufacturers should cease the practice of selling devices with non-unique default passwords. This is already illegal in California, will likely be banned for consumer devices in the United Kingdom, and contravenes proposed European Union standards. Most disturbingly, exploiting easily guessed or researched device passwords is a known tactic of multiple Russian intelligence agencies.
Thirdly, designers of IIoT devices should strive to harden them against exploitation via both zero-day attacks and known vulnerabilities. Private sector companies must weigh the risks of cyber infiltration against the rewards to be had from developing and selling flexible connected devices. By building extraneous functionality into their products, however, they unnecessarily expand the attack surface for hackers. Conversely, for functionality that is absolutely necessary for the device, manufacturers should ensure that the bare minimum is hard-coded (and thus immutable). This step, combined with ensuring that remote assets connected to an IIoT management platform have the ability to receive regular and rapid firmware updates, is critical to preventing the exploitation of known vulnerabilities.
Finally, device makers must build secure authentication measures into their devices during assembly. Manufacturers should partner with firms that are beginning to roll out widely available solutions, such as Microsoft’s Azure Device Provisioning Service. Such programs can help develop chains of trust for IIoT deployments, similar to what certificate authorities do for websites and applications. For organizations that are managing hundreds of thousands of devices, the risk of a skilled attacker introducing a single malicious one into a deployment architecture is high. By having the ability to verify the provenance of an IIoT device through a trusted third party, device operators can connect new assets to their networks more securely and efficiently.
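As an added example, not code from the article and not the implementation of Microsoft’s Azure Device Provisioning Service or any other vendor product, the Go program below models the chain of trust the preceding paragraph describes. A hypothetical manufacturer CA issues each unit its own key pair and certificate at assembly; at onboarding, the operator checks that the presented certificate chains to the manufacturer it trusts and that the device can prove possession of the matching private key with a signed nonce. A second, untrusted CA that issues a certificate claiming the same serial is rejected. All organization names, device serials and the challenge nonce are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ManufacturerCA is a hypothetical root of trust run by a device maker.
// An operator pins the maker's CA certificate and trusts nothing else.
type ManufacturerCA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewManufacturerCA creates a self-signed CA certificate for the given maker.
func NewManufacturerCA(name string) (*ManufacturerCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{name}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &ManufacturerCA{Cert: cert, Key: key}, nil
}

// IssueDeviceCert models the factory step: a fresh key pair per unit and a
// leaf certificate whose CommonName is the device serial, signed by the CA.
func (ca *ManufacturerCA) IssueDeviceCert(serial string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	certSerial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: certSerial,
		Subject:      pkix.Name{CommonName: serial},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(5 * 365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// VerifyDevice is the operator-side onboarding check: the presented leaf
// must chain to one of the pinned manufacturer CAs. Returns the device serial.
func VerifyDevice(leaf *x509.Certificate, trusted ...*x509.Certificate) (string, error) {
	roots := x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return "", fmt.Errorf("device %q rejected: %w", leaf.Subject.CommonName, err)
	}
	return leaf.Subject.CommonName, nil
}

// SignChallenge is the device side of proof-of-possession: sign an operator nonce.
func SignChallenge(key *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// CheckChallenge confirms the signature with the public key in the verified leaf,
// so a copied certificate without the matching private key is useless.
func CheckChallenge(leaf *x509.Certificate, nonce, sig []byte) bool {
	pub, ok := leaf.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	digest := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	maker, _ := NewManufacturerCA("Example Device Maker") // constructed name
	rogue, _ := NewManufacturerCA("Untrusted Fab")        // constructed name
	good, goodKey, _ := maker.IssueDeviceCert("PLC-0001") // constructed serial
	bad, _, _ := rogue.IssueDeviceCert("PLC-0001")        // same serial, wrong CA
	fmt.Println(VerifyDevice(good, maker.Cert))
	fmt.Println(VerifyDevice(bad, maker.Cert))
	nonce := []byte("constructed-onboarding-nonce")
	sig, _ := SignChallenge(goodKey, nonce)
	fmt.Println("proof of possession:", CheckChallenge(good, nonce, sig))
}
```

The operator never stores per-device secrets; it pins only the manufacturer CA and derives trust in each new asset from the chain plus the signed challenge, which is the property that lets a fleet of hundreds of thousands of devices be onboarded without a rogue unit slipping in on the strength of a claimed serial number alone.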
Although today’s IIoT landscape is chaotic, it did not have to be this way. Nor does it have to remain so. A common refrain is that one of the Internet’s “original sins” was its lack of consideration for security. The fact that a large portion of OT in use today pre-dated the growth of the Internet further contributes to the security nightmare that myriad webs of connected devices represent. As the COVID-19 pandemic subsides, enterprises will likely accelerate their IIoT deployment efforts to protect workers against future outbreaks while at the same time improving their financial viability. This coming explosion in device deployments provides a unique opportunity to improve safety and security in the face of a host of aggressive and skilled cyber aggressors. Now is the time to capitalize on it.