Most likely because Internet of Things (IoT) products exist and more are being rapidly developed and deployed, greater emphasis is being placed on security for these Internet-connected products. What was the fodder of high-tech crime dramas, i.e., the hacking of Internet-enabled home appliances to cause fires, gaining control of cars over the web to wreak mayhem, etc., is becoming a real concern for manufacturers of IoT devices. Well, cars are not crashing into walls and planes are not falling out of the sky due to a wave of hackers, yet.
In this fourth and final chapter of our look at embedded IoT security, we speak to Barak Perelman, CEO of industrial cyber security company Indegy. Mr. Perelman has led several multi-million dollar cyber security projects at the Israel Defense Forces (IDF). He is also a graduate of the elite Talpiot military academy and has over 15 years of hands-on experience in cyber security and protection of critical infrastructures.
MD: Cyber threats have gone way beyond the antics of mischievous hackers and identity thieves. Although financial institutions are always fair game for cyber thieves, government and military institutions are becoming prime targets for both cyber invasion and terrorism. Currently, what do hackers have in their sights beyond the typical targets such as banks, individual citizens, and commercial outlets?
Barak Perelman: Industrial control systems (ICS) in the manufacturing sector are emerging as a new target for cyber attacks since they are the backbone of these businesses. The motivations for targeting ICS networks range from theft of intellectual property and operational disruptions that can lead to financial loss, to manipulation of industrial processes that can lead to physical damage (pipeline explosion, exposure of hazardous materials, contamination, etc.).
MD: Internet security concerns are ever escalating. It seems that the moment a solution against digital invasion is in place, someone or some group finds a way to circumvent it. Is it possible to create an impenetrable system that exists on the Internet or would the system have to be hardwired, standalone and inaccessible to anyone other than authorized personnel?
Barak Perelman: Until recently, industrial networks were separated from the rest of the world by 'Air Gaps'. In theory, this technique sounds great - disconnecting the industrial network from the business network, and the Internet, makes it very difficult for attackers to access it.
However, an 'Air Gap' is no longer a functional or operationally feasible solution in today's connected world. With trends like IIOT (Industrial Internet of Things) and Industry 4.0, industrial networks can't remain stand-alone systems. We have to introduce security measures to protect increasingly exposed industrial networks.
Will we ever succeed in creating an impenetrable system? Probably not. But with the right controls in place we can stop most attacks and minimize the damage.
MD: There have been some reports recently of intruders being able to gain access to systems on a component level. For example, one report indicated that some hackers are able to access a system and gain control of individual devices such as microcontrollers (MCUs), and programmable logic devices and alter the way each operates. They can also change or replace firmware. To do this seems to require advanced engineering skills and knowledge. Is this possible and, if so, where is the inherent system weakness: software, hardware, overall design, or all and any combination?
Barak Perelman: Yes, we are seeing attacks that target programmable logic devices in manufacturing, energy and utility facilities. Recent analysis of the cyber attack on the Ukraine's electrical grid that resulted in a major power outage in December 2015 shows that the attackers installed custom firmware on serial-to-Ethernet devices at substations in order to knock them offline.
Industrial Control Networks were designed years ago, before the cyber threat existed. Therefore they are not only vulnerable to attacks, but also lack visibility and security controls common in corporate IT networks. We find a range of weaknesses and vulnerabilities in software, hardware and the design of these networks. For example, most of these networks do not have any authentication or encryption mechanisms to ensure authorized access.
Contrary to popular belief, attacking these vulnerable networks is not extremely difficult. Any second year engineering student with basic understanding of industrial control systems has the needed knowledge.
MD: Recently, there has been a good deal of concern surrounding the use of open-source software. More aptly put, the concern revolves around the plagiarism of open-source code by designers facing very tight time-to-market schedules for their products. Rather than invest the time and money to create proprietary code, some designers lift some open-source code, change a few headers, and sign off on it. For devices of little import (toys and standalone novelties) that do not interface with other devices via the web or otherwise, this may not be a big deal beyond the ethical issue of plagiarism. However, in light of more devices on every level becoming part of the Internet of Things (IoT), open-source software opens a veritable playground free of restrictions for hackers. What is your view on this practice? What can be done to limit this practice and to encourage manufacturers to invest in safer code?
Barak Perelman: With more attacks targeting Industrial Control Systems, manufacturers are feeling the pressure to develop safe code. However, considering the slow and lengthy process involved in replacing legacy operational technologies with new technologies, it will take years, if not decades until secure technologies become generally available and implemented across all industrial facilities.
Since the industry is facing imminent threats, we can't wait until this happens. We need to implement appropriate protections for existing industrial network technologies.
MD: Is there a difference in the methods of securing individual components – single-board computers, kiosks, semiconductor devices, firmware, etc. – as opposed to the software that controls the application and/or system? What are the concerns surrounding operating systems, like which ones are more secure as opposed to being user friendly yet vulnerable?
Barak Perelman: Industrial Control Networks are inherently different than IT networks. They include specialized Operational Technologies (OT) that are very different from IT technologies, and are provided by specialized vendors like GE, Siemens, Schneider Electric, Rockwell and more. They also use proprietary protocols.
As a result, IT security solutions are not compatible with these environments. Instead, specialized OT security controls are needed. Adversaries attacking ICS networks are taking advantage of the blind spots that exist in these networks. There is a growing need to address these blind spots with appropriate ICS cyber-security solutions.
One of the biggest technical challenges when trying to secure ICS networks is that several different communication protocols are used by components in process automation systems. There are also different protocols for the data-layer and control-layer.
Standard protocols, like Modbus and DNP3, are used for data-layer activity to communicate measurements on physical conditions (i.e. current temperature, current pressure, etc.) between various types of controllers and SCADA/HMI applications.
Meanwhile, for control-layer operations that are used for managing the entire life-cycle of industrial processes, a different set of protocols is used. OT vendors use proprietary implementations of the IEC-61131 standard for making changes to PLC logic, PLC code updates, firmware downloads and configuration changes. Since these implementations are rarely documented, it is very difficult to monitor these critical activities.
MD: According to a Dept. of Homeland Security report, "Seven Strategies to Defend ICSs," issued in December 2015 by the National Cybersecurity and Communications Integration Center (NCCIC), in Fiscal Year 2015, 295 incidents were reported to the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), and many more went unreported or undetected. The department recommends seven strategies that would have addressed all the breaches and would have protected the safety and reliability of the affected industrial operations. Three out of the seven strategies recommend using hardware-enforced unidirectional communications. What are your thoughts on this approach?
Barak Perelman: These recommendations are focused on preventing network infiltration. However, today most security professionals agree that ICS networks have already been infiltrated and therefore there is a need to protect the networks from within. It is not enough to prevent new threats from coming into the network. In addition, malicious insiders pose a real threat. One recent example involved a disgruntled employee at Maroochy Water Services, Australia.
Finally, human error is not intended to be malicious, or related to a cyber attack, but nevertheless, poses a significant threat to ICS networks.
The best way to address external threats, internal threats and human error is maintaining visibility and control in ICS networks. With proper visibility, ICS security staff can identify malicious or unintended activity within ICS networks and quickly respond to mitigate the threat and minimize damages.
The one indisputable conclusion we can draw is that, in all things IoT and all things digital, security should be and is a primary issue that must be addressed in nearly an up-to-the-minute fashion. And as automation technologies advance we may have to change that to up-to-the-µs. Be that as it may. As far as those crashing cars and planes, they've been doing that on their own without the aid of hackers and the Internet since their invention. I don't think we have much to worry about there. But in the age of the IoT, beware of self-absorbed smartphone users crashing into you. ~MD
About Barak Perelman
Barak Perelman is CEO of industrial cyber security company Indegy. He has led several multi-million dollar cyber security projects at the Israel Defense Forces (IDF). Barak is a graduate of the elite Talpiot military academy and has over 15 years of hands-on experience in cyber security and protection of critical infrastructures.
Based in Tel Aviv, Israel, Indegy provides an Industrial Cyber Security Platform that enables operational engineers and cyber security personnel to gain control over industrial networks, detect malicious activities, identify unauthorized changes, troubleshoot problems caused by control device misconfiguration or firmware updates, and address compliance and change management requirements.