Securing the IIoT Ecosystem operating in the ICS Arena
Author: Daniel Ehrenreich, Consultant and Lecturer, SCCE
Introduction
Securing the IIoT Ecosystem - The Industrial Internet Things (IIoT) end-point devices and ecosystems are penetrating a broad range of industrial applications at an unprecedented rate. The IIoT sounds like a derivative of the IoT, however it is important to emphasize the huge difference between these terms.
While the IoT is primarily serving consumer and commercial applications supported by Artificial Intelligence (AI) processes, and unique algorithms, the IIoT is in principle “expanding” the Industrial Control Systems (ICS) capabilities by adding additions inputs to the process.
The main purpose for this innovation is to deploy optimizing processes, reducing operating and maintenance cost, preventing and minimizing unplanned shutdown and allowing reliable prediction of malfunctions.
While the IIoT sounds like an exciting and all-positive trend, it is important to remember that the operation of these devices is based on data flow between IIoT end point devices (sensors & actuators) and cloud-based services, and the output is delivered to the ICS process.
These communication conduits and cloud-based processes and the unprotected location of the IIoT end-point devices are increasing the cyber-attack surface and by that offering more opportunities and easier routes for an attacker to interrupt the normal ICS operation for which these systems were built.
Typical IIoT Architectures
The IIoT Ecosystem architecture typically employs three to four entities which can be interconnected using logical, physical and wireless media for communicating the essential data for the IIoT process.
- The IIoT end-point device performing sensing and control of processes at remote locations
- The cloud-based server/service provider and data centers which conduct the IIoT process
- The ICS operation, which can be physically or logically but securely linked to that process
- The entity (people, organizations, etc.) which retrieves the results of the IIoT process
Once you realize this architecture and properly understand it, you will instantly see how all these entities are exposed to cyber attackers, because they are part of a large attack surface. The immediate conclusion is that the more IIoT end-point devices are connected to the network and more people or computers are involved, the larger the attack surface will be. Furthermore, if the utilized conduits are not properly protected, the cyber-attack surface will grow further. See illustration in Fig 1 below:
Fig 1 above clearly illustrates the exposure of the connected entities via internet service to the cloud-based service provider. This is obviously an unacceptable and risky condition because attackers might confuse the entire IIoT ecosystem operation by manipulating the process data uploaded to the cloud-based service provider as well as manipulating the output information intended to the operator. Furthermore, the operator might initiate a panic action and cause severe damage to the monitored equipment.
Mitigating Cyber Security Risks on IIoT Ecosystem
The following outlines the most obvious cyber defense measures specifically created for protecting the operation of IIoT ecosystems. To do that, the IIoT end point devices must not require special installation in the device nor perform any software changes related to the original system configuration. Use of an installed agent in the data collector is allowed and may serve for managing the IIoT end-point device. These 12 cyber methods will make the system more robust and harder for an attacker.
- All IIoT end-point devices connecting to the ecosystem shall be strongly authenticated
- IIoT devices must have a modifiable password, identical for devices in the same zone
- Software updates or patching of the IIoT end-point device must require a strong password
- Remotely installed IIoT end-point devices must use encrypted channels such as IPsec.
- Each IIoT end-point device must have a verified and documented typical operation profile
- The channel from the data collector to the cloud must use a single direction diode
- The output of the service provider must be securely delivered to the ICS via the IT network
- The IIoT service provider and the ICS computer must detect anomaly out-of-range values
- The system must be capable of detecting momentary disconnection of IIoT end-point devices
- The operator must have accurate documentation for all the installed IIoT end-point devices
- The ICS shall be capable of testing the condition through validating IIoT end-point devices
- All software updates and deployed patches must be accurately and timely documented
IIoT Ecosystem Communication with the ICS
In order to assure operation safety and reliability, the IIoT must be securely segregated from the ICS, to prevent active transfer or lateral movement of manipulated or malvertized data from the IIoT ecosystem to the ICS. This is critical because an operating outage and a huge damage to machinery and risk to lives of people might occur by attacking the ICS and more specifically the safety instrument system (SIS).
Some of the IIoT ecosystem configurations may use a different architecture, in which the IIoT end-point devices are linked to the ICS and the data is exported to the cloud-based service provider via the IT system. In that case, part of the IIoT ecosystem process will be done by the ICS computer and additional processes can be done by the cloud-based service provider. Obviously, the data from the ICS computer (not from the IIoT end-point devices) will be exported through the IT section of the organization.
Summary
It is important to point out that IIoT ecosystem-architectures must be correctly designed and deployed with cyber security in mind. The design process should be based on the principles outlined in the ISA/IEC 62443 international standard, and risk assessment should be carried out according to section 3-2 in that standard.
The achievable benefits delivered by IIoT ecosystems always depend on the installed sensors and the performance of the private or cloud-based expert computer. Selecting the correct IIoT ecosystem for your operation should be done in collaboration with the business experts and the IT and OT cyber security experts.
Daniel Ehrenreich, BSc., is a consultant and lecturer acting at Secure Communications and Control Experts, periodically teaches in colleges and present at industry conferences topics on integration of cyber defense with ICS; Daniel has over 29 years of engineering experience with ICS/OT for: Electricity, water, oil and gas and power plants as part of his activities at Tadiran Electronics, Motorola Solutions, Siemens and Waterfall Security.
Follow Us
Securing the IIoT Ecosystem operating in the ICS Arena
