[BreachExchange] Intrusion Detection for the IIoT: How do we detect threats on the factory floor?

Audrey McNeil audrey at riskbasedsecurity.com
Mon Sep 12 18:35:41 EDT 2016


http://www.automation.com/automation-news/article/intrusion-detection-for-the-iiot-how-do-we-detect-threats-on-the-factory-floor

The Industrial IoT (IIoT) provides manufacturers in all industries with
greater connectivity which, in turn, generates valuable information and
intelligence regarding operations.  By leveraging this intelligence, they
are able to attain significant efficiencies and manufacturing improvements.

However, this expanded network also exposes the newly connected devices to
significant threats of cyber-attack. As industrial facilities become more
connected, the attack surface grows and attackers are becoming more
sophisticated, increasing the risk of devastating cyber-attacks. Intrusion
detection, the ability to detect when attackers begin probing devices, is a
critical first step toward building a secure IIoT.

IIoT vs. IT, a Security POV

Some question whether the IIoT differs from IT from a security POV, but it
does, for several reasons. First, the IIoT has a much larger attack surface:
connected devices are proliferating, and every new device brought onto the
network is a target for attackers. Second, many of these devices are deployed
outside the existing IT security perimeter, which creates significant new
security challenges. Finally, many IIoT devices are embedded systems operating
in the cyber-physical realm, where a successful attack has physical
consequences, which makes protecting them critical. Because they are embedded
systems, they require new security solutions; traditional IT and PC security
approaches won't run on these specialized devices.

If an IT system is hacked, the consequence is usually data loss. This can be
significant and costly. However, if an IIoT system is hacked, the damage can be
much more serious, even life threatening. The power grid can go down, flights
can be grounded, production lines can be shut down, machines can go out of
control, and real physical damage can occur. For example, a blast furnace at a
German steel mill was damaged in a cyber-attack (reported by Germany's BSI in
its 2014 IT security situation report). This caused significant financial loss
and could have caused injury or loss of life.

Intrusion Detection

Intrusion detection systems (IDS) for the IIoT need to be customized to the
nature of the devices. Small devices with limited resources need a solution
tailored to the types of attacks they are likely to experience, without
overwhelming the limited memory and computing resources of the device. At the
same time, the sophistication of the IDS must scale up to support more
powerful gateway and control systems. As a result, it is necessary to build a
scalable framework that can support a wide range of devices and can be easily
customized to the needs of the individual device or network. In all cases, the
key is to monitor for, detect, and quickly report anomalous traffic: peers,
protocols or ports the device does not expect, and probing behaviour such as
port scans. This requires integration with a security management system to
which IDS events are sent and where a human (or potentially an AI engine) can
review them to determine whether the anomalous events indicate a cyber-attack.
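As an added illustration (not code from the article, nor any vendor's product), here is a minimal detector of the kind the paragraph describes for a resource-constrained device: a statically allocated allowlist of expected peers and services, a bounded per-source table for spotting port probing, and events formatted as single lines for a security management system. The packet record layout, the addresses, ports and protocol numbers in the allowlist, the thresholds and the event line format are all constructed assumptions; a real deployment would take packets from the device's own network stack and emit events in the collector's schema.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified per-packet record as an embedded network stack might hand it to
 * the detector (a constructed layout, not any real stack's API). */
typedef struct {
    uint32_t ts;        /* seconds since boot; assumed monotonic */
    uint32_t src_ip;    /* IPv4, host byte order */
    uint16_t dst_port;
    uint8_t  proto;     /* 6 = TCP, 17 = UDP */
} pkt_t;

typedef struct { uint32_t ip; uint16_t port; uint8_t proto; } rule_t;

#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                        ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Static allowlist of the peers and services this device expects (sample
 * values): a SCADA server and an engineering workstation talking Modbus/TCP
 * (502) and EtherNet/IP (44818). Fixed at build time: no heap, no rule files. */
static const rule_t allow[] = {
    { IP(10, 0, 1, 5),  502,   6 },
    { IP(10, 0, 1, 20), 502,   6 },
    { IP(10, 0, 1, 20), 44818, 6 },
};
#define N_ALLOW (sizeof allow / sizeof allow[0])

/* Bounded state for probe detection: distinct destination ports per source
 * within a time window. Table sizes are fixed so memory use is predictable. */
#define MAX_SRC        4
#define MAX_PORTS      8
#define SCAN_WINDOW    10   /* seconds */
#define SCAN_THRESHOLD 5    /* distinct ports within a window => port scan */

typedef struct {
    uint32_t ip, win_start, last_seen;
    uint16_t ports[MAX_PORTS];
    uint8_t  n_ports, in_use;
} src_t;

static src_t srcs[MAX_SRC];

enum { EV_NONE, EV_UNKNOWN_PEER, EV_UNKNOWN_SERVICE, EV_PORT_SCAN };
static const char *ev_name[] = { "ok", "unknown_peer", "unknown_service", "port_scan" };

void ids_reset(void) { memset(srcs, 0, sizeof srcs); }

/* Find the slot tracking a source, or claim one: a free slot if any, else the
 * least recently seen source is evicted so the table never grows. */
static src_t *track(uint32_t ip, uint32_t ts)
{
    src_t *victim = NULL;
    for (int i = 0; i < MAX_SRC; i++) {
        src_t *s = &srcs[i];
        if (s->in_use && s->ip == ip) return s;
        if (!victim) victim = s;
        else if (victim->in_use && (!s->in_use || s->last_seen < victim->last_seen))
            victim = s;
    }
    memset(victim, 0, sizeof *victim);
    victim->in_use = 1; victim->ip = ip; victim->win_start = ts;
    return victim;
}

/* Count a destination port for a source. Returns 1 exactly when this packet
 * brings the number of distinct ports in the window up to the threshold. */
static int note_port(src_t *s, uint16_t port, uint32_t ts)
{
    s->last_seen = ts;
    if (ts - s->win_start >= SCAN_WINDOW) {   /* window expired: start over */
        s->win_start = ts;
        s->n_ports = 0;
    }
    for (int i = 0; i < s->n_ports && i < MAX_PORTS; i++)
        if (s->ports[i] == port) return 0;    /* already counted */
    if (s->n_ports < MAX_PORTS) s->ports[s->n_ports] = port;
    if (s->n_ports < 255) s->n_ports++;       /* saturate, never wrap */
    return s->n_ports == SCAN_THRESHOLD;
}

/* Known peer on a known service -> ok; known peer on something else ->
 * unknown_service; anyone not in the allowlist -> unknown_peer. */
static int classify(const pkt_t *p)
{
    int peer_known = 0;
    for (size_t i = 0; i < N_ALLOW; i++) {
        if (allow[i].ip != p->src_ip) continue;
        peer_known = 1;
        if (allow[i].port == p->dst_port && allow[i].proto == p->proto) return EV_NONE;
    }
    return peer_known ? EV_UNKNOWN_SERVICE : EV_UNKNOWN_PEER;
}

/* Inspect one packet; returns the event it raises (EV_NONE if nothing). */
int ids_inspect(const pkt_t *p)
{
    if (note_port(track(p->src_ip, p->ts), p->dst_port, p->ts)) return EV_PORT_SCAN;
    return classify(p);
}

/* Render an event as one line for the management system (constructed
 * syslog-like format). Returns the length snprintf reports. */
int ids_format_event(int ev, const pkt_t *p, char *out, size_t len)
{
    return snprintf(out, len, "ids ts=%u ev=%s src=%u.%u.%u.%u dport=%u proto=%u",
                    (unsigned)p->ts, ev_name[ev], (unsigned)(p->src_ip >> 24),
                    (unsigned)((p->src_ip >> 16) & 255), (unsigned)((p->src_ip >> 8) & 255),
                    (unsigned)(p->src_ip & 255), (unsigned)p->dst_port, (unsigned)p->proto);
}

int main(void)
{
    /* Constructed sample traffic: normal polling, an odd request from a known
     * host, then an unknown host probing several ports in a few seconds. */
    static const pkt_t sample[] = {
        { 100, IP(10, 0, 1, 5), 502, 6 }, { 101, IP(10, 0, 1, 5), 80, 6 },
        { 102, IP(10, 0, 9, 9), 502, 6 }, { 103, IP(10, 0, 9, 9), 21, 6 },
        { 103, IP(10, 0, 9, 9), 22, 6 },  { 103, IP(10, 0, 9, 9), 23, 6 },
        { 104, IP(10, 0, 9, 9), 80, 6 },
    };
    char line[128];
    ids_reset();
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++) {
        int ev = ids_inspect(&sample[i]);
        if (ev != EV_NONE && ids_format_event(ev, &sample[i], line, sizeof line) > 0)
            puts(line);
    }
    return 0;
}
```

On the sample traffic the detector stays quiet for the SCADA poll, reports unknown_service when the same host touches port 80, reports unknown_peer for the first contacts from 10.0.9.9, and escalates to port_scan on the fifth distinct port within the window. The point of the fixed-size tables is the trade-off the paragraph describes: a device with a few kilobytes of RAM can afford this much state, and eviction of the least recently seen source keeps the detector from being exhausted by an attacker spoofing many addresses, at the cost of possibly forgetting a slow scanner.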

Changing Attacks

Keeping up with current attacks and all aspects of cyber-security
countermeasures requires a team of experts. Today, many OEMs are designating
an internal cyber-security champion to work with outside experts and
cybersecurity firms, coordinating their solutions and ensuring they stay
current and build appropriate defences. Key elements of a robust solution
include building on a hardware platform with hardware security elements as a
foundation and implementing secure (authenticated) firmware updates, so that
devices can be patched as fixes become available.

Conclusion

Attackers are becoming more sophisticated over time.  They are learning
about new vulnerabilities and developing automated attack tools to exploit
those vulnerabilities.  There are cybercriminals who build and sell these
attack tools, making them available to anyone willing to pay for them.
Unfortunately, there are a large number of bad actors with the motivation
and means to launch sophisticated cyber-attacks.  They have made millions
stealing data from IT networks and they are beginning to turn their efforts
towards IoT devices and networks.