As the industrial IoT looks more like IT, security must change

This story was originally published in my July 07, 2023 newsletter.

As tensions rise between the U.S. and China and Russia continues sponsoring cybersecurity attacks around the globe, it’s clear cybersecurity is never going back to being a niche issue CEOs and boards can foist off to a CSO or IT staff.

It’s not only that there are more attackers or a greater desire to attack; there are also more opportunities and places hackers can attack, thanks to more operations getting connected to the internet. This means more companies in manufacturing or operating essential infrastructure need to quickly get a handle on their security.

The Port of Nagoya, the largest port in Japan, was hit by Russian hackers this week. Image courtesy of Nonchanon35.

There are four issues here:

  1. Older gear needs more security layered on top of it, because much of it operated in isolation and was designed before companies using industrial equipment had to worry about cybersecurity.
  2. Vendors need to rethink how they handle their quality assurance testing for their gear in the wake of vulnerabilities.
  3. With remote access to systems becoming essential, companies operating essential infrastructure need to think about how to allow remote access safely.
  4. Vendors need to think about how to manage their supply chains to reduce the risk of vulnerabilities.

This is a lot to manage. But it has become clear: Companies that make industrial equipment — and those who operate it — need to consider OT security in the same manner they consider their IT security.

When it comes to layering security onto older gear, manufacturers have gotten pretty good at buying cybersecurity solutions that monitor their networks (IT and OT) and alert them when devices behave badly. They also are good at thinking about segmenting and keeping older devices off the network.

But going forward, new gear — and even older gear where available — must now be programmed and built with security in mind. Just like smart home devices and other connected devices in the IT and consumer world are now built with security as a design principle, industrial equipment vendors must do the same.

Daniel dos Santos, a security researcher with Forescout, said in most cases, risk assessment programs associated with securing OT gear are focused on physical safety as opposed to preventing access or control, which is common in IT risk assessments. However, when OT looks more like IT, it’s clear that getting access or control of OT equipment could lead to physical safety ramifications.

Dos Santos says efforts like the PLC Security Top 20 list are an example of best practices to help make OT cybersecurity practices and assessments more like IT.

When vulnerabilities strike, vendors have to take a page from software or hardware companies in the IT world that have decades more experience. If a vendor’s programmable logic controller (PLC) has a vulnerability, it’s not enough just to issue a patch based on a cybersecurity researcher’s disclosure.

Dos Santos said in some cases, the patch might work for the specific flaw the researcher found, but there may be other ways to hack the equipment the researcher didn’t try. Or the vendor might patch one product, but not check to see if other products they make are affected by the same vulnerability. He classifies this as building better quality assurance when developing patches and when thinking about cybersecurity programs for vendors in general.

The pandemic resulted in a lack of experienced employees, which in turn is driving many companies or municipalities that operate critical infrastructure to let workers access the OT operations remotely. But in many cases, the organizations providing access may not have great policies around that remote access.

Kevin Kumpf, chief OT/ICS strategist at cybersecurity firm Cyolo, said organizations need to create clear audit trails about who is accessing OT equipment remotely, when they access it, and what they do when they are logged in. In addition to the audit trail, organizations should limit who is allowed to access software (and ensure multi-factor authentication for those who have access), as well as limit what each person is allowed to see and change.

This means an IT staffer who has the ability to log in and see alerts or vulnerabilities may not have the ability to change anything. For changes, that IT person might have to turn to an operations engineer who understands the repercussions of applying a recently released patch.

Kumpf said organizations need to focus on segmenting not just networks, but the people who can make changes to different levels of equipment operating on the network. This means a random IT employee can’t access a hospital’s firewall and make a tweak that lets a formerly isolated piece of medical equipment access the network. This requires a formalization and documentation of roles and policies around both OT and IT staff.
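The controls described above (an audit trail of who, when and what; multi-factor authentication; separating who may view from who may change) can be sketched as a small policy gate. This is an added example, not code from Cyolo or from this article; the role names, zones, asset names and record format are assumptions made for illustration.

```python
from datetime import datetime, timezone

# Hypothetical policy: actions each role may take in each zone.
# Anything not listed is denied (unknown roles get an empty set).
POLICY = {
    "it_analyst":  {"it": {"view", "change"}, "ot": {"view"}},
    "ot_engineer": {"it": {"view"}, "ot": {"view", "change"}},
}

AUDIT_LOG = []  # append-only here; a real trail belongs in write-once storage


def authorize(user, role, mfa_ok, zone, asset, action, now=None):
    """Decide a remote-access request and record who/when/what either way."""
    allowed_actions = POLICY.get(role, {}).get(zone, set())
    if not mfa_ok:
        decision, reason = "deny", "mfa_required"
    elif action not in allowed_actions:
        decision, reason = "deny", "role_not_permitted"
    else:
        decision, reason = "allow", "policy_match"
    # Denials are logged too: refused attempts are part of the audit trail.
    AUDIT_LOG.append({
        "ts": (now or datetime.now(timezone.utc)).isoformat(),
        "user": user, "role": role, "zone": zone, "asset": asset,
        "action": action, "decision": decision, "reason": reason,
    })
    return decision == "allow"


def denied_change_attempts(log):
    """Review helper: users who tried a change their role does not permit."""
    return sorted({e["user"] for e in log
                   if e["action"] == "change"
                   and e["reason"] == "role_not_permitted"})


if __name__ == "__main__":
    # Constructed sample requests, not real access data.
    requests = [
        ("alice", "it_analyst", True, "ot", "plc-7", "view"),
        ("alice", "it_analyst", True, "ot", "plc-7", "change"),
        ("bob", "ot_engineer", False, "ot", "plc-7", "change"),
        ("bob", "ot_engineer", True, "ot", "plc-7", "change"),
    ]
    for req in requests:
        print(req[0], req[5], "->", "allow" if authorize(*req) else "deny")
    print("review:", denied_change_attempts(AUDIT_LOG))
```
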

Finally, when it comes to managing risk, companies making physical devices that run software and may get connected to the Internet should consider their supply chain. On the software side, using a software bill of materials to figure out what the people who make your software are incorporating into it is already a best practice promoted by the National Institute of Standards and Technology.

On the hardware side, auditing a company’s supply chain and even shrinking it can reduce the risk associated with poor security practices from an outside vendor affecting the end product. We’re also seeing more companies subject outside suppliers to a security audit.

When it comes to security, we’re all realizing we’re only as secure as our weakest link. A ransomware attack at a port can mangle a supply chain for weeks. An insecure vendor could lead to malware getting installed on a medical device. An employee who means well could remotely tunnel into factory operations and stop production with an inexpertly applied patch.

In many ways, OT is an incredibly weak link, and it’s important we start making it stronger. Many of these steps will help.

Stacey Higginbotham
