Threat Intelligence

9/26/2018
10:30 AM
Satish Gannu
Satish Gannu
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Owning Security in the Industrial Internet of Things

Why IIoT leaders from both information technology and line-of-business operations need to join forces to develop robust cybersecurity techniques that go beyond reflexive patching.

The Industrial Internet of Things (IIoT) — within companies and across the entire global IIoT ecosystem — is an intricately intertwined and negotiated merger of information technology and operational technology, or OT. OT systems are not only business-critical, they can be nation-critical, or life-and-death critical.

Every IIoT customer I speak to wants the strongest possible security. But who inside the customer's organization will execute and own the process? In meeting after meeting with customers building IIoT capabilities, I encounter a natural but sometimes tense uncertainty between IT and OT/line-of-business (LoB) professionals when it comes to IIoT security. That uncertainty is itself a security vulnerability because it delays essential security deployment.

A recent Forrester survey of IT and OT/LoB leaders showed IT and OT managers evenly divided on whether IT or OT is responsible for security. As an alarming result of this standoff, reports Forrester, an unacceptably large number of companies — 59% — are willing to "tolerate medium-to-high risk in relation to IoT security." I believe that's wrong as well as dangerous.

Consider the differences between enterprise IT and OT:

  • Availability: IT considers 99% uptime acceptable, while OT requires 99.999% uptime. The difference translates to between 8.76 hours and 5.25 minutes of annual downtime.
  • System life: IT systems are refreshed, on average, every three to five years. OT systems, by contrast, last 10 to 15 years.
  • Patching: IT patching/updates can be done whenever updates are available, but OT patching/updates risk interrupting strategic, revenue-generating industrial operations.

There are many other differences between IT and OT — such as varying approaches to the cloud — but all differences are subsumed by the universal need for the most resilient IIoT security available.

An approach I favor is helping industrial companies use the hard-won, long-fought lessons of IT to leapfrog to an advanced state of IIoT security, security that is expertly architected and deployed to meet OT's differentiated requirements. If one thinks of OT systems as another form of data center — the heavily protected core of enterprise IT — there are some promising ideas one can adapt from decades of IT experience to provide new levels of IIoT security while honoring the specific needs of OT.

The Patching Conundrum
However, when it comes to patching — a process that aims to update, fix, or improve a software program — a direct port of everyday IT practice to OT is not always feasible. When it comes to patching, IT and OT speak different languages. For that reason, it is essential that leaders of the IIoT industry (IT and OT) join together, think deeply, and work with greater imagination to develop robust cybersecurity techniques that are more agile and effective than reflexive patching.

The bottom line for OT: Patches can create problems and sometimes make things worse, as we're seeing with patches for the Meltdown and Spectre CPU vulnerabilities. Early patches for Meltdown and Spectre affected system performance.

The hard truth is that the soft underbelly of the modern industrial economy is largely old OT machines. In the world of IT, if something is infected, the first instinct is to shut it down fast, and then patch it (or replace it). But in OT, often the opposite is true: keep it up and running. Some crucial OT systems have been on factory floors for 15 to 25 years or more and can't be easily taken down and patched, even if an appropriate patch were available, because those systems may not have enough memory or CPU bandwidth to accept patches.

Finally, there's the issue of the relative complexity and fragility of OT systems compared with IT systems. IT systems can be taken down, patched, and started up again to deliver identical service. IT can run racks loaded with identical servers, and if one goes down or burns out, the next one in line takes over without a hitch. But OT systems are often highly orchestrated combinations of software and hardware that have "personalities." Even when companies can take down machines for patching, when they come back up, results can be unpredictable as it is not the same system because the patch has introduced wild cards that can proliferate through other elements of the system. In OT, unpredictability is not acceptable. 

First in a series of articles.

Related Content

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Satish joined San Jose-based ABB in February 2017 as chief security officer and Group VP, architecture and analytics, ABB Ability™, responsible for the security of all products, services and cybersecurity services. Satish brings to this position a background in computer ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
6 Security Trends for 2018/2019
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/15/2018
6 Reasons Why Employees Violate Security Policies
Ericka Chickowski, Contributing Writer, Dark Reading,  10/16/2018
Getting Up to Speed with "Always-On SSL"
Tim Callan, Senior Fellow, Comodo CA,  10/18/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Latest Comment: Too funny!
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399
PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.