Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

9/26/2018
10:30 AM
Satish Gannu
Satish Gannu
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Owning Security in the Industrial Internet of Things

Why IIoT leaders from both information technology and line-of-business operations need to join forces to develop robust cybersecurity techniques that go beyond reflexive patching.

The Industrial Internet of Things (IIoT) — within companies and across the entire global IIoT ecosystem — is an intricately intertwined and negotiated merger of information technology and operational technology, or OT. OT systems are not only business-critical, they can be nation-critical, or life-and-death critical.

Every IIoT customer I speak to wants the strongest possible security. But who inside the customer's organization will execute and own the process? In meeting after meeting with customers building IIoT capabilities, I encounter a natural but sometimes tense uncertainty between IT and OT/line-of-business (LoB) professionals when it comes to IIoT security. That uncertainty is itself a security vulnerability because it delays essential security deployment.

A recent Forrester survey of IT and OT/LoB leaders showed IT and OT managers evenly divided on whether IT or OT is responsible for security. As an alarming result of this standoff, reports Forrester, an unacceptably large number of companies — 59% — are willing to "tolerate medium-to-high risk in relation to IoT security." I believe that's wrong as well as dangerous.

Consider the differences between enterprise IT and OT:

  • Availability: IT considers 99% uptime acceptable, while OT requires 99.999% uptime. The difference translates to between 8.76 hours and 5.25 minutes of annual downtime.
  • System life: IT systems are refreshed, on average, every three to five years. OT systems, by contrast, last 10 to 15 years.
  • Patching: IT patching/updates can be done whenever updates are available, but OT patching/updates risk interrupting strategic, revenue-generating industrial operations.

There are many other differences between IT and OT — such as varying approaches to the cloud — but all differences are subsumed by the universal need for the most resilient IIoT security available.

An approach I favor is helping industrial companies use the hard-won, long-fought lessons of IT to leapfrog to an advanced state of IIoT security, security that is expertly architected and deployed to meet OT's differentiated requirements. If one thinks of OT systems as another form of data center — the heavily protected core of enterprise IT — there are some promising ideas one can adapt from decades of IT experience to provide new levels of IIoT security while honoring the specific needs of OT.

The Patching Conundrum
However, when it comes to patching — a process that aims to update, fix, or improve a software program — a direct port of everyday IT practice to OT is not always feasible. When it comes to patching, IT and OT speak different languages. For that reason, it is essential that leaders of the IIoT industry (IT and OT) join together, think deeply, and work with greater imagination to develop robust cybersecurity techniques that are more agile and effective than reflexive patching.

The bottom line for OT: Patches can create problems and sometimes make things worse, as we're seeing with patches for the Meltdown and Spectre CPU vulnerabilities. Early patches for Meltdown and Spectre affected system performance.

The hard truth is that the soft underbelly of the modern industrial economy is largely old OT machines. In the world of IT, if something is infected, the first instinct is to shut it down fast, and then patch it (or replace it). But in OT, often the opposite is true: keep it up and running. Some crucial OT systems have been on factory floors for 15 to 25 years or more and can't be easily taken down and patched, even if an appropriate patch were available, because those systems may not have enough memory or CPU bandwidth to accept patches.

Finally, there's the issue of the relative complexity and fragility of OT systems compared with IT systems. IT systems can be taken down, patched, and started up again to deliver identical service. IT can run racks loaded with identical servers, and if one goes down or burns out, the next one in line takes over without a hitch. But OT systems are often highly orchestrated combinations of software and hardware that have "personalities." Even when companies can take down machines for patching, when they come back up, results can be unpredictable as it is not the same system because the patch has introduced wild cards that can proliferate through other elements of the system. In OT, unpredictability is not acceptable. 

First in a series of articles.

Related Content

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Satish joined San Jose-based ABB in February 2017 as chief security officer and Group VP, architecture and analytics, ABB Ability™, responsible for the security of all products, services and cybersecurity services. Satish brings to this position a background in computer ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Microsoft Patches Wormable RCE Vulns in Remote Desktop Services
Kelly Sheridan, Staff Editor, Dark Reading,  8/13/2019
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
GitHub Named in Capital One Breach Lawsuit
Dark Reading Staff 8/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15132
PUBLISHED: 2019-08-17
Zabbix through 4.4.0alpha1 allows User Enumeration. With login requests, it is possible to enumerate application usernames based on the variability of server responses (e.g., the "Login name or password is incorrect" and "No permissions for system access" messages, or just blocki...
CVE-2019-15133
PUBLISHED: 2019-08-17
In GIFLIB before 2019-02-16, a malformed GIF file triggers a divide-by-zero exception in the decoder function DGifSlurp in dgif_lib.c if the height field of the ImageSize data structure is equal to zero.
CVE-2019-15134
PUBLISHED: 2019-08-17
RIOT through 2019.07 contains a memory leak in the TCP implementation (gnrc_tcp), allowing an attacker to consume all memory available for network packets and thus effectively stopping all network threads from working. This is related to _receive in sys/net/gnrc/transport_layer/tcp/gnrc_tcp_eventloo...
CVE-2019-14937
PUBLISHED: 2019-08-17
REDCap before 9.3.0 allows time-based SQL injection in the edit calendar event via the cal_id parameter, such as cal_id=55 and sleep(3) to Calendar/calendar_popup_ajax.php. The attacker can obtain a user's login sessionid from the database, and then re-login into REDCap to compromise all data.
CVE-2019-13069
PUBLISHED: 2019-08-17
extenua SilverSHielD 6.x fails to secure its ProgramData folder, leading to a Local Privilege Escalation to SYSTEM. The attacker must replace SilverShield.config.sqlite with a version containing an additional user account, and then use SSH and port forwarding to reach a 127.0.0.1 service.