Hiding In Plain Sight: The IIoT Attack Vector and Its Specialist Cure
One of the greatest differences between the modern network and that of perhaps 20 or 30 years ago is the preponderance of IoT or IIoT (industrial internet of things) devices. In some settings, such as manufacturing plants and other industrial sites, the subset of technology we’ve come to call IIoT has been present for decades. For many organizations, however, IoT is merely a series of new additions to the TCP/IP network.
Traditional cybersecurity and its surrounding methodology have only really focused on TCP/IP-native tech: items like routers, switches, computers, servers and latterly, BYOD devices. Historically, that left network-connected IIoT devices largely unprotected and outside of the remit of the traditional cybersecurity professional. While newer devices have moved on from working only on (for instance) Token Ring networks or quietly chattering over half-duplex, the smaller, often embedded yet highly capable IoT family can still get ignored.
Established to specialize in the cybersecurity protection of IoT, Nozomi Networks is one of the few security companies out there capable of protecting this highly sensitive attack vector. We were lucky enough recently to speak to Andrea Carcano, co-founder and CPO at Nozomi Networks, about protecting the modern network from attacks on susceptible IoT and SoC (system on chip) devices. We began by discussing the state of cybersecurity with regard to these devices before the present day.
“In the beginning, security was not a topic because the security was guaranteed, especially when we talk about old school industrial devices: the security was guaranteed by the fact that there was a physical segregation. So, a power plant in the middle of the desert, a substation, was physically separated from a natural perspective from the rest of the world.”
Part of the issue is that many small devices connected to our networks were designed for a particular use case: a movement sensor, for example, is designed to be (hopefully) a very, very good movement sensor. Networking capability was added almost as an afterthought to increase the attractiveness of the item at the point of sale.
“There are a lot of new devices that are still very vulnerable […] Building these devices with security as a priority is not part of the process, it is a process and requirement that has evolved. If I’m a company building IoT cameras for the last 15 years, now the world is demanding [that they are] Bluetooth connected [and] have an IP address. But I don’t have inside my company a strong cybersecurity culture.”
Because of the plethora of different devices that can be classified as IoT (think about the differences between networked medical devices and fuel pump attenuation systems), there can be little homogeneity in approach to protecting the enterprise’s broader network. We wondered, therefore, if a piecemeal approach to security is one that’s common, with cybersecurity teams doing their best with what resources they have at hand?
That might have been the case in the past, Andrea told us. “The idea was to mitigate the risk by having a solution that was not disruptive for the plant, right? I can still provide visibility and cybersecurity without necessarily updating the firmware: at least I [could] monitor the situation.”
The situation in 2022 may be simpler in terms of network protocols at least, if not in methods of updating that firmware and protecting different types of devices. Plus there are new communication methods coming on-stream: Bluetooth 5, LoRa, and that stalwart of the technology press, 5G.
“The good news is that, usually, when you’re running a brand-new network that we [at Nozomi Networks] are seeing for the first time, we support more than 80% of communicating devices there just because we’ve accumulated a certain knowledge. In some cases, it’s 99%, and in most other cases it’s more like 90%. But, you know, the gap is very small. […] As you say, it’s complicated because of the numbers of variables out there.”
As technology evolves, so too do the attack methods and vectors. We spoke briefly about the Australian government’s reclassification of broad ranges of domestic companies as ‘critical infrastructure’, and this led us to talk about definitions of what might be the next cyber attack – where it might hit, and how that could threaten livelihoods.
“You think about what a threat actor could do even in a food and beverage supply chain, or plant. You can really mess that up, from something that can change the flavor of food, to something that is much more dangerous [to] the health of people.”
The bottom line for any cybersecurity team comes down to zero-trust, Andrea said, and it’s where Nozomi Networks’ approach is coming from. “Start to consider your network as a zero-trust network. So, a network where you cannot say, ‘Oh, that device is trusted, [it’s] not going to start to do anything bad.’ It’s not an approach that’s working anymore. But [if] I start to think every device potentially can do something that is not right, […] this means that I don’t trust users, I don’t trust devices, and that would be [a] good mindset. But when you run your network in that way, if you don’t have our Nozomi Networks actionable intelligence supporting you, it will become a jungle of devices that now you cannot segregate. Now you have your entire network that potentially can perform an attack.”
At any scale, IIoT and IoT devices are proliferating on companies’ networks, and as Andrea said, the majority are networked as an afterthought, or at least, networked without security front-of-mind during the design process. As an unmitigated attack vector, it’s a source of threats that can only grow. To get your IIoT estate at least on par with the rest of your “traditional” IT cybersecurity, use Nozomi Networks’ expertise. Reach out to discover the intelligent approach.