IoT Threats: Of Good Intentions and Bad Experiences
How legacy control systems and good intentions could lead to network intrusion, explains Eli Jenkins.
Stop! Have you read How the Internet of Things Impacts Process Manufacturing Environments1?
Something just feels right when it comes to implementing new advanced technology into our workplace. The coming together of more information with hope for increased productivity and a hearty slap on the back from your boss. It feels as though nothing could go wrong because technology today is way too smart to hurt you. We all have had something go wrong with our iPhone or Fitbit and a quick reset usually fixes the problem. So implementing smart devices into our process or other manufacturing areas would be just as simple...right?
Wrong! It doesn’t work that way and the areas we feel are insignificant relative to IoT threats could damage our business. For example, the SCADA (Supervisory Control and Data Acquisition) system was very helpful to operators and control engineers by displaying the data they need at the operator and/or engineering stations. Now, SCADA is not often the smaller stand-alone system we knew but a large umbrella of data gathering fingers that span across multiple facilities with the ability to remotely control major processes. SCADA has become one of the primary targets of IoT attackers. Why do we continue to implement technology like there are no threats in the world? Any new installation of connected technology creates a new potential entryway for network intrusion.
The Normalcy Bias
The idea of implementing smart devices for more information is everywhere, and most of the media along with smart device manufacturers have rarely brought up the downside when convincing you to buy. As a result, when the knowledge of threats presents itself your mind undergoes a bit of stress. This stress sometimes causes the brain to default to previous ideas and can deceive us. (If you just thought to yourself, “I don’t do that!”, then read ‘Leadership and Self-Deception’ by the Arbinger Institute2.)
While working in functional machine safety, I saw this type of thinking on a weekly basis. It usually sounds like this, “I understand safety can help our process and keep us safe, but nothing has ever happened at our facility and nothing ever will.” We use this logic all the time whether it is about buying renter’s insurance or investing in an emergency fund. The idea that nothing will happen is a devastating one for process manufacturing. We must continue to educate ourselves about the types of threats and how they target our facilities.
Is My SCADA Really a Threat?
As with any technology, legacy versions that have been changed and added to company networks over the years have the biggest risk because they cause a sense of false security (normalcy bias). However, no matter what software your company uses, there should be resources set aside to analyse the security threats and mitigate the risk. Just because you are using one particular software doesn’t make you immune (regardless of marketing hype) because it must be customized to your process and those implementing the software must understand how to counteract those future attacks.
Two researchers, GlebGritsai and Sergey Gordeychik, set out to prove just how vulnerable SCADA, DCS, and PLC systems are in mostly the process industry. Most of the vulnerabilities were as simple as the way passwords were encrypted and stored in the software’s project database. The scary part of this is that with those passwords, a hacker can gain FULL control and the method of obtaining the password is “easy to launch,” according to ITnews. These researchers also published a cheat sheet identifying 600 ICS, PLC, and SCADA systems which are particularly vulnerable. After looking over the list, it seems to me that everyone is vulnerable; however, it is important to note that one of the only vendors to implement immediate patches was Siemens with their SCALANCE X-200 switches.
According to CISCO, 91% of all breaches in manufacturing facilities took a few hours or less to perpetrate, yet more than 60% of all attacks took years to detect. How is this possible?
“Ultimately, the lack of protection is a direct result of a legacy, one-dimensional security system. Many of today’s manufacturers have no mechanisms to check authorizations or ensure data integrity and confidentiality. Some lack disciplined processes for consistent security policy implementation across all servers, software patching and antivirus protection.” – blogs.cisco.com
Working with IT
The battle between the IT department and the Control Systems Engineer(s) have been raging for decades now, and anyone that has fought for network privilege or system support knows of the struggle. However, in this ever increasing data hurricane that we find ourselves in, it is better to put aside our differences and work together. Everyone in your facility plays a part in the security of not only company information but also of themselves.
When you implement new technology, make sure the contractors/system integrators are aware of your security concerns and whether you have any company policy on network design. They tend to have seen multiple variations of network security and could even give some insight to the effectiveness. It is critical that everyone touching your software or network understand the risks of implementation ignorance against these “easy to launch” threats.
“Self-deception is like this. It blinds us to the true causes of problems, and once we’re blind, all the “solutions” we can think of will actually make matters worse. Whether at work or at home, self-deception obscures the truth about ourselves, corrupts our view of others and our circumstances, and inhibits our ability to make wise and helpful decisions.” – The Arbinger Institute.
Eli Jenkins is the Business Development Manager for Cross Company, a technology and solutions provider to industrial manufacturing markets. He graduated from Berea College with a degree in Applied Science and Mathematics and has an extensive background in the process industry including pharmaceutical, biotech, and chemical. Eli has a passion for solving problems and helpings clients reach their process goals.