In this video, I’ll explain to one of my colleagues, Nadia, why security is so important in the industrial internet of things (IIoT). As I’m out with our customers on a regular basis, I get several questions about security. Here I’ll go through my main points. Below the video, you’ll get a summary of what we discussed.
Why is security so important in IIoT?
When I get this question from our customers, I say, “Yes, it definitely is”. Typically for us, we're connecting the operational technology (OT) and information technology (IT) space. What you're basically doing is connecting things, for instance a ship: a traditional big bulk carrier, out at sea, sailing halfway around the world. You're now connecting that ship to the internet, and by doing so you're opening it up to potential threats. For instance, there could be some guy sitting somewhere in the world in his bedroom, hacking around. In theory, what you’re doing is opening up the control system of the ship to this guy. How upset would you be if I told you the car you’re driving to work every day could be controlled by this guy sitting in a different country, and steer you off the road?
Hence, the worst-case scenario is that you're putting people's lives at risk. Never mind the potential loss of earnings and credibility. You need to make sure security is handled in a good way in your organization.
What do you have to consider and how do you make sure you actually have a secure solution?
This is something I discuss and advise our customers on. There are lots of different ways to do this. It all depends on the size of your company, whether you are building or buying your solution, and so on. However, there are some common things you need to do.
Firstly, you always have to look for transparency. It doesn’t matter if you're a 10- or 20,000-person organization. How do you create transparency across your whole organization? By actually showing everybody:
- This is where we believe our threats are
- This is what we believe we're doing to mitigate those threats, and
- These are the consequences if one of those threats happens
Let’s imagine you’re managing a credit card debt. If you hide it and put it under the table, it'll just get worse and worse. If you bring it out and talk about it, it’ll be easier to see how you're going to handle it.
There are a lot of resources on how to do this. Normally, when you search for security resources, you get documents that are hundreds of pages long and you don’t even know where to start. However, Microsoft recently released an impressive 12-page whitepaper walking you through setting up a threat model and how you can translate that over to technical solutions. I’ll try to demonstrate this for you:
1. What threats do you have?
First, you need to look at what kind of threats you might have. How do you mitigate these? Start by mapping them out. At a high level, that can be anything from:
- A physical attack, for instance someone stealing your device to get access to your data or access to other parts of your organization.
- A natural disaster, for instance a flood in your server farm which can bring down your whole organization.
- An informational leak, for instance someone printing out some important information and leaving it somewhere by mistake.
- Hacking, for instance the guy we talked about taking control of your ship.
There are a lot of resources out there to help you discover where your potential threats are. There’s one in particular I would like to recommend: ENISA. This is a European-run initiative that helps you discover which threats are actually possible by giving you a big list of potential threats.
2. What consequences will these threats have?
Second, you’ll need to look at the consequences these threats might have. These can for instance be:
- Financial loss
- Brand reputation damage
- Legal problems, for instance in relation to GDPR
- Data loss
3. How do you evaluate these consequences?
Thirdly, you need to evaluate these consequences. Also here, you can use some of the great evaluation techniques that are out there. For instance:
- Network threat detection - scanning your network to make sure there are no weird things happening on it
- Reviewing your offboarding strategy and password policies
- Penetration testing - have a third party try to actually hack into your solutions
Mitigating these three steps
So how do you mitigate these three steps? It really depends. I suggest you look into techniques like ENISA, or one of these that I would also like to recommend:
Microsoft's STRIDE is a threat modelling technique where you can classify your threats according to the acronym STRIDE:
- Spoofing identity
- Tampering with data
- Repudiation
- Information disclosure
- Denial of service
- Elevation of privilege
OWASP, which came out quite a while ago, was initially an open-source technique for evaluating websites. However, they've now developed it into an IoT specification with a bunch of rules on how you can map out threats and evaluate them.
As you can see, there is a lot of work to do. However, once everybody sits down and maps out all threats and consequences, you’ll start noticing the holes in your organization. Mapping these all out, communicating it to the whole organization in a clear and concise way, making sure everyone makes sense of and understands it, is step number one.
How secure is the actual solution?
After our customers have done these steps, I’ll ask them to look at the solutions they actually put out in the field. Let’s imagine you own lots of boats or factories around the world where you have put your devices transferring data. You have a device that’s transferring data to a cloud solution. All these elements will have potential threats in them:
How can you make sure the device is secure? As with everything else with security, there’s no one way to do it all. First of all, at least make sure you place the device in a secure area where you have locks and security badges reducing the risk of the device being physically stolen. However, even then, make sure no intruders can access what’s on the device.
Microsoft built Azure Sphere, a comprehensive IoT security solution to secure hardware. Even if someone steals the device, takes pieces out and tries to re-engineer it, it essentially can’t be done. However, this might be a bit too extreme in many cases. You should still, however, make sure to add cryptographic keys to your device. Essentially this is a key telling you that this device is actually yours and not someone faking your device and sending fake data to the cloud.
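To make the device key idea concrete, here is an added example (not from the original article or from Microsoft) of a cloud endpoint checking that a reading really comes from your device. It assumes a per-device shared secret with HMAC-SHA256 and a message counter; the names `sign_reading`, `Ingest`, `ship-042` and the key value are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample data: one per-device secret, provisioned at manufacture.
# A real deployment keeps this in a secure element / key vault, not in source.
DEVICE_KEYS = {"ship-042": b"constructed-demo-key-ship-042"}


def sign_reading(device_id, key, counter, payload):
    """Device side: wrap a reading with an HMAC-SHA256 tag over all fields."""
    body = json.dumps(
        {"device_id": device_id, "counter": counter, "payload": payload},
        sort_keys=True, separators=(",", ":"),
    )
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class Ingest:
    """Cloud side: accept a message only if it proves knowledge of the device key."""

    def __init__(self, keys):
        self.keys = keys
        self.last_counter = {}  # highest counter accepted so far, per device

    def verify(self, message):
        try:
            fields = json.loads(message["body"])
            device_id, counter = fields["device_id"], fields["counter"]
            tag = str(message["tag"]).encode()
            if not (isinstance(device_id, str) and isinstance(counter, int)):
                raise ValueError("wrong field types")
        except (KeyError, TypeError, ValueError):
            return "rejected: malformed"
        key = self.keys.get(device_id)
        if key is None:
            return "rejected: unknown device"
        expected = hmac.new(key, message["body"].encode(), hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):  # constant-time comparison
            return "rejected: bad signature"
        if counter <= self.last_counter.get(device_id, -1):
            return "rejected: replay"  # a captured message sent a second time
        self.last_counter[device_id] = counter
        return "accepted"
```

A message built without the real key, or altered after signing, fails the signature check, and a genuine message that is captured and resent fails the counter check.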
As mentioned, your device is transferring data to some cloud solution. How can you make sure this transfer is secure? For instance, you can use encryption techniques like TLS, a protocol for encrypting data. Moreover, back to the transparency aspect: if you’re working with a third party that’s transferring your data across the internet, are they able to provide solid documentation of this transfer? How is the device getting its data? How is it handling keys?
The Cloud Solution
Now you need to look at where your data is actually going. Is it going to a database? Is it encrypted?
All in all, making sure your solution is actually secure and how you do that is all related to what your real threats are and the consequences of these. You’ll now know where to focus your efforts. Document the whole process and be transparent with the whole organization.
Create a security focused culture
Security is a big, scary subject. We tend to look at security as something only experts can do.
However, whether you’re buying or building your own solutions, security is important. You should create a culture where you can openly discuss security. Make it a safe place to address security issues. For instance, how about hosting weekly meetings where you discuss security breaches that you’ve seen in other companies, that have actually happened to you or that you think might happen? What about discussing simple things such as transferring money in your bank? How do you know that’s secure?
The worst thing you can do is to have security people pointing fingers and shouting at people when they’re doing something wrong. This scares them and can make them insecure about bringing up security breaches.
Building your own IoT solution
If you’re building your own solution there are different areas you need to focus on. Let’s imagine you are building the Super Duper IIoT solution - whatever that is. You want to know you’re doing this in a secure way. You need to look through the whole process, understanding each of the phases from design to development to testing to deployment to operations. Each of these stages is different and has different levels of security to look at.
In the design and development phase you’ll start your threat modelling. Here, you also have to make sure you’re creating a security focused culture lasting into the testing phase. In your testing phase, you can do penetration/pen testing (yourself or with a third party) or protocol fuzzing (mimic protocols to get different results). When you get to deployment and operations you should do network analysis. Check that nothing weird is happening across your network. You should also be aware of your deployment routines. When you're deploying new patches, how do you make sure you're not introducing hidden things and that the patches are nice and secure?
As mentioned, the way you do this all depends. Are you buying or building your own solution? Do you have an IT organization within your company or are you using a third party? Do the job, use the different techniques, be transparent and create a security focused culture.
This article was originally posted September 3, 2019 and has been updated.