Manufacturing a Better IIoT Security Strategy

The Industrial Internet of Things (IIoT) has introduced both opportunities and challenges for organizations. Equipping machines with sensors and embedding hardware and software into devices can certainly transform processes. It can also introduce efficiencies and cost savings that wouldn’t have been imaginable only a few years ago. In a best-case scenario, connected systems lead to radical innovation and even industry disruption.

But there’s a dark side to the IIoT. It greatly increases the exposure surface for organizations—and the risks ripple out to business partners and the supply chain. Unfortunately, many companies implementing IIoT rely on off-the-shelf products—from lighting systems and HVACs to industrial controls and mobile devices—that do not adhere to fundamental security requirements. As a result, these systems are vulnerable to the same types of attacks that conventional enterprise networks face.

Dangerous liaisons

Newsweek magazine recently reported that the Russian government might have sponsored hackers to penetrate systems at several U.S. nuclear power plants. Their goal: disrupt the nation’s power supply by compromising at least a dozen nuclear power facilities, including Wolf Creek, in Kansas. These hackers targeted industrial contract engineers by sending fake resumes via email.

If successful, these hackers could have caused an explosion, fire, or discharge of lethal materials. Or they could have simply shut down systems and put customers in the dark. Opening an infected resume would have created the ideal lily-pad for unfettered access into the Industrial Control System (ICS) and Supervisory Control and Data Acquisition (SCADA) of the operating network.

It’s far from an implausible scenario. A 2015 attack on the power grid in western Ukraine left a reported 70,000 customers without power for a few hours. Attackers used spear phishing and social engineering techniques to deliver a Microsoft Word document with malicious Visual Basic for Applications (VBA) macros. The macro downloaded a piece of malicious code, called BlackEnergy, which is infamous for targeting industrial control system (ICS) networks; a Trojan, called Kasidet, which attackers use to establish backdoor access; and another Trojan, called Dridex, which attackers designed to steal banking credentials.

More recently, AW North Carolina, a transmission manufacturing plant in Durham, North Carolina, found itself in the crosshairs of an e-mail phishing campaign designed to install ransomware. According to the plant’s CIO, the company stood to lose $270,000 for every hour the factory was not shipping critical auto parts to nine Toyota car and truck plants across North America. Because the company had robust security protections in place—including segmentation and sophisticated firewalls—it avoided long-term damage and the payment of a ransom.

Protection schemes

With virtually every device and system now connected to the Internet, cybersecurity teams must take a different approach. Boundaries and borders for data no longer exist. It’s critical to protect computers, networks, and industrial systems and controls, including ICS/SCADA platforms that might be susceptible to malware, firmware exploits, and even sabotage at the chip level.

As such, here are four key areas executives must be sure their security leaders are focusing on:

Segmenting systems and data. Segmenting a network allows an organization to isolate sensitive and critical data from the general network through appropriate air-gapping techniques. It supports the concept of Zero Trust and allows access to content based on a limited and identifiable set of users. This approach prevents unfiltered ingress or data exfiltration.

Multifactor authentication and encryption. Passwords are no longer adequate for authentication. In many cases, they can be hacked in minutes—or even seconds—using specialized software. It’s important to deploy multifactor authentication across the enterprise; administrative accounts are especially critical.

Next-generation firewalls. Security leaders must focus on a platform approach. As IT resources expand into the cloud, IoT, and IIoT, real-time visibility and endpoint protection are essential.

Artificial Intelligence tools. Vendors are introducing tools that scan firewall logs, load balancer logs, operating system logs, application logs, and other data. These AI/analytics systems look for unusual patterns or network behavior rather than taking a blunt-force approach to security. In addition, organizations are turning to Blockchain to secure sensitive records, replace PKI with keyless signature infrastructure (KSI), and use KSI to reduce reliance on passwords. These tools also boost cybersecurity automation, which is vital.

To be sure, a next-generation security platform provides several advantages: It reduces the overall attack footprint, which decreases demands for patching and remediation. It also provides segmentation capabilities while allowing the organization to establish security zones. This allows a security team to use resources more efficiently—and more strategically. It’s possible to know who is using the network; when they are using it; and what files, content or resources they are accessing. This insight is especially important for managing suppliers and partners.

Future tense

We’re witnessing an unprecedented assault on systems and data. Nation states, cyber-gangs, and others use increasingly sophisticated—and difficult to detect—methods. Manufacturing systems and industrial controls are often the target. IoT and IIoT ratchet up the stakes by an order of magnitude. These devices and systems allow hackers to gain control over functions, spy, steal data, and disrupt production or processes—sometimes catastrophically. Unfortunately, many of these systems cannot be fully restored through backups.

The Ukraine disaster and the assault on AW North Carolina are just two examples of what’s at stake. Ponemon Institute’s 2017 Cost of Data Breach Study found that the average cost of a breach is now $3.62 million. The mean time to identify and contain a breach is 191 days. The takeaway? The C-suite must focus on a holistic, automated approach that relies on advanced tools and solutions. There must be an honest assessment of deficiencies—which might involve outside security expertise.

In the end, it’s important to move away from ad hoc tools and point solutions—and instead adopt a highly integrated framework that revolves around smart systems and automation. It’s also critical to invest in resources that reach across the entire organization—and beyond. Only then can executives sleep at night knowing that they’ve done everything possible to protect enterprise assets in today’s highly connected world.