Manufacturers are looking for competitive advantages and many are realizing that timely information is pivotal to accurate business decisions. Implementing technologies needed for Industry 4.0 standards allows real-time production monitoring and quality control to reduce waste and the need to rework. Predictive maintenance prevents costly repairs and reduces unplanned downtime. Increased automation augments workforce talent shortages.
Adjusting business processes to accommodate new efficiencies and growth through new technologies, also increases the threat of cyber criminals targeting production networks. While these Internet of Things (IoT) devices, Industrial Internet of Things (IIoT), and Operational Technologies (OT) offer manufacturers the capability to automate many of the once manual processes needed for day to day operations, poorly secured and misconfigured devices can allow for hackers to break into your network and disrupt your business operations. In this article, our goal is to explain IoT, IIoT, and OT, list the commonly exploited vulnerabilities, and highlight how to better protect your business operation, systems, and data from hackers that are targeting IoT, IIoT, and OT devices.
What is IoT, IIoT and OT?
When discussing the future of system and process automation, two terms that often come to mind are Internet of Things and Operational Technologies. Internet of Things, also known as IoT, refers to physical devices that can collect and share data over the internet. IoT devices are commonly used to allow interaction anywhere in the world as long as both the owner and the device are connected to the internet, while also allowing other systems to actively connect to these devices for data collection purposes. Manufacturers use another version of IoT known as Industrial Internet of Things (IIoT) devices to help track the efficiency of the machines that are used to build or assemble their products, often as a means to control the performance of a machine or to detect when a machine is experiencing issues prior to breaking. Depending on the purpose of the IIoT used by manufacturers, data can be collected that can be later used to calculate the efficiency of productions, track the number of goods produced over a period of time, and automate the process of when machines will operate to maximize production. IIoT devices can vary in size and are also known to already be installed within many manufacturing machines. As manufacturers begin moving towards Industry 4.0, IT security providers and the upper management should be aware of the IIoT devices that are connected to the network.
Operational Technologies, also referred to as OT, is the use of specialized hardware and software that is used to both monitor and automate systems, devices, and processes through direct monitoring and control of devices and processes. OT is the technology that interfaces with the physical world, and is often used to control motors, engines, and valves and regulate precise values such as temperature, pressure, and flow rate. OT technology also includes Human Machine Interfaces (HMIs), Industrial Control Systems (ICS), which are used in Supervisory Control and Data Acquisition (SCADA) and Distributed Control Systems (DCS). Many manufacturers already use OT systems to aid on moving parts, organizing products on conveyor belts, or presses used to shape materials. When used in conjunction with IoT devices, manufacturers and plant managers can automate production processes, and make needed changes based on the data collected the two technologies.
How are hackers and cyber criminals able to find and attack IoT devices?
As their name implies, IoT devices have the capability to connect to and interact with the Internet. In many cases, IoT devices often use a web application or a login portal to allow remote access. If an IoT device is misconfigured and is accessible from the open Internet, cyber criminals can search for these devices using tools such a Shodan. Once an IoT device has been discovered, cyber criminals will attempt to access the IoT devices via the login portal. According to the Open Web Application Security Project (OWASP) Foundation, the number one vulnerability that affects IoT devices are weak, guessable, or hard-coded passwords. IoT devices often have hardcoded administrative accounts that are used to initially set up the device, create other user accounts for employees, and configure ports and protocols that are used for the IoT device to communicate to other machines connected to the network. These administrative accounts are often left on the device, allowing hackers that opportunity to gain external remote access to the network.
What are the common vulnerabilities that can be exploited on IoT and IIoT devices?
As with any device that has the capability to interact with the internet, no system is 100% secure. IoT and OT devices are known to have many security issues that can be remediated when proper configuration and security measures are taken into consideration. The OWASP Foundation has provided a list of the top ten vulnerabilities that lead to IoT devices being exploited.
1. Weak, easily guessable or hard-coded passwords: As we had mentioned earlier, the number one vulnerability that affects IoT devices is having weak, easily guessable, or hard-coded passwords. Many IoT or devices that incorporate an IoT device often have a predefined account that allows the user to configure the settings of the IoT device. Unfortunately, after the device is configured, the IoT device will either retain the original admin account or have the account hard coded into the device, even if the account is later removed. Depending on the device’s manufacturer, hackers can find the default account credentials online to access the system remotely. Additionally, if the firmware is available online and is unencrypted, hackers can examine the firmware for hardcoded passwords.
2. Insecure network services: Many IoT devices use other services such as FTP or Bluetooth in order to communicate and share data to other devices located across the network. If a device uses insecure versions of these network services and if these services are accessible from the internet, attackers can exploit these vulnerable services to gain system access.
3. Insecure ecosystem interfaces: Internet of Things devices that use an insecure interface that allows the device to communicate outside of itself can lead to further compromise. Some of the common issues that are a result of an insecure ecosystem interface are caused by lack of authentication and authorization controls, weak encryption being used for data at rest or in transit, or missing input and output filtering to or from the device.
4. Lack of secure update mechanisms: IoT and IIoT devices that do not offer firmware validation, do not use a secure method for update delivery, or do not send notifications when updates or changes are being made are affected by this vulnerability.
5. Use of outdated or insecure components: This applies to both the software and hardware portions of IoT, but devices that use vulnerable libraries or software can allow attackers the opportunity to use known privilege escalation methods to allow unauthorized system modification to the device.
6. Insufficient privacy protection: Sensitive user information is stored in a location that is not properly protected and is accessible by all users.
7. Insecure data transfer and storage: Data is not encrypted while being transferred, during rest, or while being processed.
8. Lack of device management: Lack of support for security standards on production devices including update and asset management, secure decommissioning of the device, active system monitoring and response capabilities.
9. Insecure default settings: Default settings that are enabled without the user’s knowledge can allow for the device to be attacked multiple times until the setting is found and changed by the administrator.
10. Lack of physical hardening: No function or capabilities that allow the administrator to control the number of functions or services that the device can run.
Just as IIoT and IoT devices can suffer from exploitable vulnerabilities, OT devices and services also have exploitable vulnerabilities. Check Point Software Technologies LTD also has a list of the top 5 vulnerabilities that affect OT systems:
1. Legacy software: OT systems that use or run on legacy software may lack the security checks for system and user authentication and data authenticity and verification checking.
2. Default configuration: OT systems that use common or publicly available passwords and allow services to run with basic configurations are vulnerable to enumeration techniques.
3. Lack of encryption: Legacy SCADA controllers and industrial protocols used by OT systems may not properly encrypt communication or stored data. Attackers may be able to sniff the network and extract usernames, passwords, or data coming from these OT systems.
4. Remote access policies: SCADA systems that are connected to non-secure dial-up lines or remote-access servers allow attackers potential access to the OT system and corporate local area networks.
5. Policies and procedures: These are security gaps that are created when IT and OT personnel take different approaches to securing industrial control resources and OT services.
What are some measures that I can take to secure my IIoT, IoT, and OT devices and services?
While securing the IIoT and OT devices on your network may sound like a daunting task, there are a few proactive steps that you can take to ensure that your network and industrial devices are secure. The first security measure that you can take is to address the need for the device to be accessible from the internet. While many IoT and OT devices have the capability to connect to the internet, this does not always justify that they should have access to the internet. When configuring your device, check to see if the device is able to transmit data through the local network without being connected to the internet.
Another security precaution that should be taken when implementing IoT and OT devices on your network is to remove default accounts after configuration. In many cases, information about the username and passwords of the default accounts on many IoT and OT devices is publicly available, mainly from documentation produced by the device manufacturer. Hackers that are able to access your IoT or OT devices can use this information to gain unauthorized administrative access to your device. Removing these default accounts greatly increases the security of your device. Next, apply all needed updates and firmware updates, and regularly check if updates are available. When you or your IT team are preparing the device, check to see if there are any options for automatic updates. If the option is not available to receive automatic updates, the device should be regularly checked for new updates. Finally, when securing the IoT and OT devices that exist on your network, make sure to turn off any services that you do not intend to use. IoT and OT devices will use different services to communicate and share data to other devices across the network. If there are any services or ports that you do not intend to use, disabling these services and ports can help prevent attackers from connecting to the devices.
If you are unsure about how to determine if your IoT, IIoT, and OT devices are secure, having a vulnerability assessment can provide clarity of what security issues can affect your business the most. Certitude Security™ has the experience needed to not only identify the security issues that can result in data loss and downtime, but to also provide service backed recommendations that can lead to faster system recovery and fewer data breaches. If you would like to talk to us about our vulnerability management services, feel free to visit our website and speak to one of our representatives today.