Dark Reading is part of the Informa Tech Division of Informa PLC


Threat Intelligence

9/26/2018
10:30 AM
Satish Gannu
Commentary

Owning Security in the Industrial Internet of Things

Why IIoT leaders from both information technology and line-of-business operations need to join forces to develop robust cybersecurity techniques that go beyond reflexive patching.

The Industrial Internet of Things (IIoT) — within companies and across the entire global IIoT ecosystem — is an intricately intertwined and negotiated merger of information technology and operational technology, or OT. OT systems are not only business-critical, they can be nation-critical, or life-and-death critical.

Every IIoT customer I speak to wants the strongest possible security. But who inside the customer's organization will execute and own the process? In meeting after meeting with customers building IIoT capabilities, I encounter a natural but sometimes tense uncertainty between IT and OT/line-of-business (LoB) professionals when it comes to IIoT security. That uncertainty is itself a security vulnerability because it delays essential security deployment.

A recent Forrester survey of IT and OT/LoB leaders showed IT and OT managers evenly divided on whether IT or OT is responsible for security. As an alarming result of this standoff, reports Forrester, an unacceptably large number of companies — 59% — are willing to "tolerate medium-to-high risk in relation to IoT security." I believe that's wrong as well as dangerous.

Consider the differences between enterprise IT and OT:

  • Availability: IT considers 99% uptime acceptable, while OT requires 99.999% uptime. The difference translates to between 8.76 hours and 5.25 minutes of annual downtime.
  • System life: IT systems are refreshed, on average, every three to five years. OT systems, by contrast, last 10 to 15 years.
  • Patching: IT patching/updates can be done whenever updates are available, but OT patching/updates risk interrupting strategic, revenue-generating industrial operations.

There are many other differences between IT and OT — such as varying approaches to the cloud — but all differences are subsumed by the universal need for the most resilient IIoT security available.

An approach I favor is helping industrial companies use the hard-won, long-fought lessons of IT to leapfrog to an advanced state of IIoT security, security that is expertly architected and deployed to meet OT's differentiated requirements. If one thinks of OT systems as another form of data center — the heavily protected core of enterprise IT — there are some promising ideas one can adapt from decades of IT experience to provide new levels of IIoT security while honoring the specific needs of OT.

The Patching Conundrum
However, when it comes to patching — a process that aims to update, fix, or improve a software program — a direct port of everyday IT practice to OT is not always feasible. When it comes to patching, IT and OT speak different languages. For that reason, it is essential that leaders of the IIoT industry (IT and OT) join together, think deeply, and work with greater imagination to develop robust cybersecurity techniques that are more agile and effective than reflexive patching.

The bottom line for OT: Patches can create problems and sometimes make things worse, as we're seeing with patches for the Meltdown and Spectre CPU vulnerabilities. Early patches for Meltdown and Spectre affected system performance.

The hard truth is that the soft underbelly of the modern industrial economy is largely old OT machines. In the world of IT, if something is infected, the first instinct is to shut it down fast, and then patch it (or replace it). But in OT, often the opposite is true: keep it up and running. Some crucial OT systems have been on factory floors for 15 to 25 years or more and can't be easily taken down and patched, even if an appropriate patch were available, because those systems may not have enough memory or CPU bandwidth to accept patches.

Finally, there's the issue of the relative complexity and fragility of OT systems compared with IT systems. IT systems can be taken down, patched, and started up again to deliver identical service. IT can run racks loaded with identical servers, and if one goes down or burns out, the next one in line takes over without a hitch. But OT systems are often highly orchestrated combinations of software and hardware that have "personalities." Even when companies can take down machines for patching, results can be unpredictable when the machines come back up: it is no longer the same system, because the patch has introduced wild cards that can proliferate through other elements of the system. In OT, unpredictability is not acceptable.

First in a series of articles.

Satish joined San Jose-based ABB in February 2017 as chief security officer and Group VP, architecture and analytics, ABB Ability™, responsible for the security of all products, services and cybersecurity services. Satish brings to this position a background in computer ...