This is not an unfounded concern: as media reports show, a growing number of cyberattacks on industrial plants render infrastructure unusable or even alter its operation, with the risk that this entails.
It was in 2010 that we first became familiar with industrial cybersecurity. Stuxnet, a piece of malware described as the first cyber weapon, was introduced into an Iranian nuclear power plant to delay Iran’s nuclear program. This malware managed to control the valves and pressure sensors of the enriched uranium centrifuges.
Industrial cyberattacks on critical infrastructure have grown considerably in the past year, targeting thermal power plants, electrical substations, water treatment plants, and oil pipelines. Examples include the recent attack against Colonial Pipeline and the one against a water treatment plant in Florida that supplies water to a large population.
Security Risks Lie In IoT Devices
The Internet of Things (IoT) is a set of technologies that links the physical world to the digital world. Information about what happens in the physical world is collected through sensors, actuators, and other so-called IoT devices and processed digitally afterward. To draw an analogy with the human body, IoT provides the senses of the digital world, and it is the first step towards digital transformation for many industrial companies that seek to transform their business model by digitizing processes and exploiting data.
The first step is to collect data. Companies can now connect to their industrial equipment through IoT deployments and gather data to make informed decisions. Many of these IoT devices have advanced computing capabilities and can operate industrial equipment remotely; that is precisely why it is so essential to secure these devices properly.
IoT devices are, however, the most vulnerable element in the whole cybersecurity chain, and the reason behind it is the lack of firmware updates.
In mature sectors such as personal computers and mobile phones, it is routine for devices to receive notifications of new versions and security patches which, once downloaded and installed, protect smartphones and laptops against the latest vulnerabilities.
However, in the industrial world, this is far from the norm. It is quite common that, once IoT devices are deployed in their physical environment, they are never updated, which significantly increases the risk of falling victim to a cyberattack.
There are mainly two reasons why IoT devices are not being updated in the same way that our phones or computers are:
- The immaturity of the Industrial IoT market means that cybersecurity is not perceived as a primary need. If we were to put all the needs that motivate a company to undertake an IoT project into a sort of Maslow’s pyramid, other concerns would come before cybersecurity, and that is precisely the big mistake: worrying about IoT security after the project has been developed, instead of addressing it from the start, at the design stage.
- The complexity of managing a distributed, remote and tremendously heterogeneous environment. The very concept of IoT is based on the existence of a multitude of distributed "things". Ensuring that all these devices can be updated in an efficient and scalable fashion makes a secure remote management system essential. Otherwise, the cost of having to periodically update IoT devices locally would make any project of a certain size unfeasible.
In addition, the lack of standards in the development of IoT devices complicates this management and leaves it up to each supplier to respond (or not) to this need.
Industrial IoT Security: Recommendations For Protecting IoT Edge Devices
The most common vulnerabilities in IoT revolve around the following aspects:
- The use of weak or embedded passwords
- Insecure network services
- Use of insecure interfaces
- Lack of update mechanisms
- Lack of data storage and transfer security
- Inadequate device management
In the face of this list of typical vulnerabilities, organizations such as OWASP publish guidelines on their website indicating which aspects should be considered when developing IoT solutions and which protection measures should be taken.
IoT devices are the weakest link in the security chain. Ensuring that they are adequately protected is the best way to proceed when deploying any IoT project.