5 Industrial IoT Security Issues Businesses Need To Know About
'I think for me the first insight is that every single industry has this problem, not just what you naturally would identify as industrial companies,' Forescout executive Pedro Abreu says of security issues surrounding the industrial Internet of Things.
Protecting The Industrial Internet Of Things
As more and more companies invest in the industrial Internet of Things, staying up to date on security issues surrounding the field is becoming an integral part of doing business.
This fact was highlighted in a report by research firm IDC earlier this year stating that 88 percent of mining companies across the world are increasing investments to secure their systems, which are becoming increasingly connected through wired or wireless networks.
[Related: 5 Biggest IoT Security Issues For Businesses In 2019]
As part of IoT Week 2019, CRN spoke with Pedro Abreu, chief product and strategy officer at San Jose, Calif.-based cybersecurity vendor Forescout Technologies, about five industrial IoT security issues businesses need to know about, ranging from the profile of industrial IoT attacks to the solutions and methods businesses can use to protect their systems.
Abreu said these issues are important for every business to understand as they don't just apply to companies working in manufacturing, oil and gas, utilities and other heavy industries.
"I think for me the first insight is that every single industry has this problem, not just what you naturally would identify as industrial companies," Abreu said.
It's Not Just About Industrial Companies
Pedro Abreu, chief product and strategy officer at Forescout Technologies, said when it comes to security matters for the industrial Internet of Things, people can mistakenly though perhaps understandably believe that such issues only matter to industrial companies, such as those working in manufacturing, oil and gas and utilities. The reality is that industrial IoT security matters to any company with operational technology, such as power and cooling systems for data centers.
Abreu cited banks as one example of companies in a non-industrial sector that have their own needs to protect industrial IoT and OT networks.
"We're seeing a tremendous amount of demand and interest among many banks to secure their power and cooling of data centers, which is a very industrial part of their networks and the very critical part of their data center," Abreu said. "It's not about somebody who's going to get into their servers but somebody who can attack the cooling and the power of the physical access to those data centers and, by doing that, disrupting their operations."
OT Systems Are Older And More Vulnerable
One of the biggest security challenges in operational technology is that such systems are typically much older than IT systems, according to Abreu. The Forescout executive said people used to think those systems were secure because they were separate from the company's IT networks, but that was never true. Now that companies are looking to connect their industrial systems online, whether to the cloud or at the edge, those security holes are becoming much more apparent.
"As a result, now a lot of those risks that existed in there before that weren't as high [a priority] are being explored" by attackers, Abreu said.
Many devices running in OT environments cannot run modern software, according to Abrey because they may require older versions of Windows, for instance, to support legacy software, making it more difficult to patch the devices. Contributing to the issue is the fact that it can be difficult to find an appropriate time to shut down systems and push updates.
"Even if they wanted to patch it, they can only touch it once or twice a year when the factory is in maintenance mode," Abreu said.
Ransomware Attackers Consider OT Systems Valuable Targets
Ransomware attackers consider OT systems more valuable targets than IT systems, according to Abreu, because the malware variant can lock down data and cause entire production lines to halt.
"The economical payout is a lot different on the OT side, because it's not just about 'can I recover this Windows machine and get the data from it?' As long as [the system is] down for that period, that means my entire factory is down, and I'm not producing something," Abreu said. "The [attackers] realize that the payout and the ROI of the ransomware on the OT side is much higher than it was on the IT side."
Compounding the issue is the fact that a lot of OT environments cannot be patched at all or patched fast enough, making them "very attractive and vulnerable to ransomware attacks," according to Abreu.
"We're seeing a lot of those in terms of volume because of those conditions," he said.
Attackers Are Also Stealing Data And Taking Over Systems
In some cases, Abreu said, attackers are taking advantage of security holes in OT environments to steal data, such as inventory and production information, to use as leverage in pricing negotiations.
"They want to know that information in order to be able to negotiate the pricing, because if you know that the [factories are] producing a lot, they can actually impact the pricing that they want to negotiate with that company in terms of in the commodity spaces," Abreu said.
The Forescout executive said his company is also seeing an increased prevalence in attacks that result in the attacker taking control of OT systems, such as the 2015 Urkaine power grid attack, where attackers gained control of the power grid's SCADA controls and shut down its substations.
Segmentation Is Critical To Protecting OT Environments
With the inability to reliably patch OT systems, network segmentation and access control become critical to protecting such environments, according to Abreu. His company, Forescout, offers this capability, which was boosted by its acquisition of OT security provider SecurityMatters last year.
But to properly segment access on OT networks, companies need to have full visibility of the connected devices on those networks, which is another major capability offered by Forescout.
This strategy is called "zero trust," where the endpoints cannot be trusted so methods are devised to monitor and control the flow of data coming to and from those endpoints.
"if they are vulnerable, you want to move put more restrictive segmentation rules around it versus a system that you know to be up to date," Abreu said.
But Forescout isn't the only vendor tackling OT security. Armis, for example, is tackling the field with its agentless security software that provides visibility and control of connected devices. Other vendors include Claroty and CyberX.