Protecting the Industrial Internet of Things with a New Approach to Cyber Defense

Measure, monitor and monetize has long been a mantra for any industry or corporation that wants to be successful with its products or services. This capability is finally ubiquitous thanks to technology being powerful enough and cost effective enough to measure and track everything, from a smart football to complex Industrial systems. The Internet of Things (IoT) has arrived for consumers and it is geared to measure and monitor everything in our daily lives.

The equivalent capability for business has been coined the Industrial Internet of Things (IIoT), originally named by General Electric as the Industrial Internet in 2012 and quickly adopted by large corporations across the globe, including notables like Siemens, Honeywell, Rockwell, and Intel. The IIoT is transformational - industrial production utilizing IIoT is driving the fully connected enterprise. Today, both worlds, known as Operations Technology (OT) and Information Technology (IT) respectively, have yet to fully come together. The notable organization in the IIoT space is the Industrial Internet Consortium.

What We Don’t Know about IIoT

Can we avoid some obvious and yet well-known issues we’ve all been through with new technology? IIoT embedded devices of varying capabilities are vulnerable to security exploits and hardware and software failures. They need maintenance, care and feeding of different sorts, and can be major problems if we are not careful. These endpoints are susceptible to becoming bricks, not just due to security vulnerabilities, but also due to a lack of long term planning for the IIoT device lifecycle.

The risks of the IIoT should be considered far greater when looking at critical infrastructure and Industrial Control Systems (ICS) of manufacturers, power grids, water systems, city infrastructures and nuclear plants. No one wants to see us fail to protect these critical systems and fail to take the necessary precautions to eliminate any level of risk where possible. We now have constant cyber-attacks probing and clear attempts at weaponizing software to attack the core infrastructure of countries and companies, along with attempts to destabilize geopolitical arenas. We have seen malware like WannaCry, Mirai and multiple aberrations of them that found their way into baby cameras and video systems and turned them into attack vehicles to shut down or flood the Internet.

At the root of these recent problems has been our global desire to create an open Internet of interconnected devices connecting everything and everyone. This acceleration and adoption of technology has been prolific, but there are also negative consequences, such as hackers that find weakness in these systems and proceed to expose those for nefarious reasons. There is also the simple fact that the “S” in IoT was not part of many vendor’s alphabet. Pushing out devices with clear security issues could be considered unlawful.

What we need to consider for IIoT

The critical IIoT systems in play are subject to the same potential compromises as we have seen already with IoT. Every IIoT device should be rigorously tested to new industry standards. In particular, these critical devices should be strictly controlled on the data and control planes. The networks they are connected to cannot be open and indeed government recommendations from NIST IoT and well known security pundits like Bruce Schneier validate this. There is also the Internet of Things Cybersecurity Improvement Act of 2017 and new Securing IoT legislation coming to bear that is trying to use the FCC as a vehicle of control.

Further, IIoT devices should not be clone-able and should contain unique Identities. Using IP or MAC addresses for identity with our existing network security infrastructure is not sufficient for securing the IIoT. The emerging Physically Unclonable Functions (PUF) in hardware are needed. With this comes the ability to use PUF identity to enable devices to be strictly controlled from a network connectivity perspective, determining what ingress or egress traffic can be initiated to or from these network endpoints. This eliminates the need to use network addresses for security policy.

Deterministic and controlled network connectivity is critical to protecting IIoT devices and systems. The keying and crypto methods should be fluid enough to allow rapid change when known compromises are found or detected. We have seen enough emergency fixes in this area, so updating software in place on these embedded platforms must be handled seamlessly without loss of service. Picture all the traffic lights in London going out or rolling power blackouts due to an IIoT software upgrade!

Solution for Enabling IIoT Security

BlackRidge addresses these core network security requirements, leveraging identity for software-based micro-segmentation. With the BlackRidge in place, ingress, egress and network access is fully controlled and the attack surface is greatly reduced. Network devices are cloaked and there is no ability for zero day or DDoS attacks because the IIoT devices are simply not reachable.

The typical reconnaissance phase in the cyber kill chain, as depicted by Lockheed Martin, is prevented.

BlackRidge micro-segmentation with adjustable trust levels can create an overlay virtual network based on identity that works with heterogeneous environments. This enables different policy access controls, analytics and traffic engineering on a per identity basis across multiple spans of control and different vendor equipment. The control plane of the networks themselves is also a key area that can be isolated and protected.

What’s Next for IIoT Security

There is ongoing collaborative work around securing IIoT and the utility grid. One such effort is led by the Cyber-Physical Systems Security and Resilience R&D Center at the DoE National Renewable Energy Lab to provide cybersecurity and resilience. This work proposes A Layered Solution to Cybersecurity, a well thought out cybersecurity architecture that takes into consideration many of these IIoT security concerns, and leverages technologies like BlackRidge for in-line blocking as part of the solution to protect critical infrastructure.

BlackRidge software-based micro-segmentation and isolation approach provides many advantages for the IIoT including infrastructure independence that is multi-vendor and heterogeneous, supports legacy environments and new cloud/container architectures, and provides an identity abstraction that separates security policy from network topology.

Contact us to learn more about how we can help you protect and defend critical infrastructure, ICS and SCADA systems, and your converging OT and IT infrastructure.