Manufacturers are looking for competitive advantages, and many are realizing that timely information is pivotal to accurate business decisions. Implementing technologies needed for Industry 4.0 standards allows real-time production monitoring and quality control to reduce waste and the need for rework. Predictive maintenance prevents costly repairs and reduces unplanned downtime. Increased automation helps offset workforce talent shortages.
Adjusting business processes to accommodate new efficiencies and growth through new technologies also increases the threat of cyber criminals targeting production networks. While Internet of Things (IoT) devices, Industrial Internet of Things (IIoT) devices, and Operational Technologies (OT) offer manufacturers the capability to automate many of the once-manual processes needed for day-to-day operations, poorly secured and misconfigured devices can allow hackers to break into your network and disrupt your business operations. In this article, our goal is to explain IoT, IIoT, and OT, list the commonly exploited vulnerabilities, and highlight how to better protect your business operations, systems, and data from hackers targeting IoT, IIoT, and OT devices.
What are IoT, IIoT, and OT?
When discussing the future of system and process automation, two terms that often come to mind are the Internet of Things and Operational Technologies. Internet of Things, also known as IoT, refers to physical devices that can collect and share data over the Internet.
IoT devices are commonly used to allow interaction anywhere in the world as long as both the owner and the device are connected to the internet while also actively allowing other systems to connect to these devices for data collection purposes.
Manufacturers use another version of IoT known as Industrial Internet of Things (IIoT) devices to help track the efficiency of the machines that are used to build or assemble their products, often as a means to control the performance of a machine or to detect when a machine is experiencing issues before it breaks. Depending on the purpose of the IIoT devices used by manufacturers, data can be collected and later used to calculate the efficiency of production, track the number of goods produced over a period of time, and automate when machines operate to maximize production.
IIoT devices can vary in size and are often already installed within many manufacturing machines. As manufacturers begin moving towards Industry 4.0, IT security providers and upper management should be aware of the IIoT devices connected to the network.
Operational Technologies, also referred to as OT, use specialized hardware and software to monitor and automate systems, devices, and processes through direct monitoring and control of devices and processes. OT is the technology that interfaces with the physical world and is often used to control motors, engines, and valves and regulate precise values such as temperature, pressure, and flow rate.
OT also includes Human Machine Interfaces (HMIs) and Industrial Control Systems (ICS), which are used in Supervisory Control and Data Acquisition (SCADA) and Distributed Control Systems (DCS). Many manufacturers already use OT systems to aid in moving parts, organizing products on conveyor belts, or operating presses used to shape materials. When used in conjunction with IoT devices, manufacturers and plant managers can automate production processes and make needed changes based on the two technologies’ data.
How are hackers and cyber criminals able to find and attack IoT devices?
As their name implies, IoT devices have the capability to connect to and interact with the Internet. In many cases, IoT devices use a web application or a login portal to allow remote access. If an IoT device is misconfigured and accessible from the open Internet, cyber criminals can search for it using tools such as Shodan. Once an IoT device has been discovered, cyber criminals will attempt to access it via the login portal. According to the Open Web Application Security Project (OWASP) Foundation, the number one vulnerability that affects IoT devices is weak, guessable, or hard-coded passwords. IoT devices often have hardcoded administrative accounts used to set up the device, create other user accounts for employees, and configure the ports and protocols the device uses to communicate with other machines connected to the network. These administrative accounts are often left on the device, giving hackers the opportunity to gain external remote access to the network.
What are the common vulnerabilities that can be exploited on IoT and IIoT devices?
As with any device that has the capability to interact with the internet, no system is 100% secure. IoT and OT devices have many security issues that can be remediated when proper configuration and security measures are considered. The OWASP Foundation has provided a list of the top ten vulnerabilities that lead to IoT devices being exploited.
1. Weak, easily guessable, or hard-coded passwords: As mentioned earlier, the number one vulnerability that affects IoT devices is having weak, easily guessable, or hard-coded passwords. Many systems that incorporate an IoT device have a predefined account that allows the user to configure the IoT device’s settings. Unfortunately, after the device is configured, the IoT device will either retain the original admin account or have the account hardcoded into the device, even if it is later removed. Depending on the device’s manufacturer, hackers can find the default account credentials online to access the system remotely. Additionally, if the firmware is available online and is unencrypted, hackers can examine the firmware for hardcoded passwords.
2. Insecure network services: Many IoT devices use other services such as FTP or Bluetooth to communicate and share data with other devices located across the network. If a device uses insecure versions of these network services and if these services are accessible from the internet, attackers can exploit these vulnerable services to gain system access.
3. Insecure ecosystem interfaces: Internet of Things devices that use an insecure interface to communicate outside of the device itself can be compromised further. Common issues resulting from an insecure ecosystem interface include a lack of authentication and authorization controls, weak encryption for data at rest or in transit, and missing input and output filtering to or from the device.
4. Lack of secure update mechanisms: IoT and IIoT devices that do not offer firmware validation, do not use a secure method for update delivery, or do not send notifications when updates or changes are being made are affected by this vulnerability.
5. Use of outdated or insecure components: This applies to both the software and hardware portions of IoT. Devices that use vulnerable libraries or software can give attackers the opportunity to use known privilege escalation methods to make unauthorized system modifications to the device.
6. Insufficient privacy protection: Sensitive user information is stored in a location that is not properly protected and is accessible by all users.
7. Insecure data transfer and storage: Data is not encrypted while being transferred, at rest, or during processing.
8. Lack of device management: Lack of support for security standards on production devices, including update and asset management, secure decommissioning of the device, active system monitoring, and response capabilities.
9. Insecure default settings: Default settings enabled without the user’s knowledge can allow the device to be attacked multiple times until the setting is found and changed by the administrator.
10. Lack of physical hardening: No function or capabilities allow the administrator to control the number of functions or services that the device can run.
Just as IIoT and IoT devices can suffer from exploitable vulnerabilities, OT devices and services also have exploitable vulnerabilities. Check Point Software Technologies LTD also has a list of the top 5 vulnerabilities that affect OT systems:
1. Legacy software: OT systems that use or run on legacy software may lack the security checks for system and user authentication and data authenticity and verification checking.
2. Default configuration: OT systems that use common or publicly available passwords and allow services to run with basic configurations are vulnerable to enumeration techniques.
3. Lack of encryption: Legacy SCADA controllers and industrial protocols used by OT systems may not properly encrypt communication or stored data. Attackers may be able to sniff the network and extract usernames, passwords, or data from these OT systems.
4. Remote access policies: SCADA systems connected to non-secure dial-up lines or remote-access servers allow attackers to access the OT system and corporate local area networks.
5. Policies and procedures: These are security gaps created when IT and OT personnel take different approaches to secure industrial control resources and OT services.
What measures can I take to secure my IIoT, IoT, and OT devices and services?
While securing the IIoT and OT devices on your network may sound like a daunting task, there are a few proactive steps that you can take to ensure that your network and industrial devices are secure. The first security measure is to question whether the device needs to be accessible from the internet at all. While many IoT and OT devices have the capability to connect to the internet, this does not mean that they should have access to it. When configuring your device, check to see if the device can transmit data through the local network without being connected to the internet.
Another security precaution that should be taken when implementing IoT and OT devices on your network is to remove default accounts after configuration. In many cases, information about the username and passwords of the default accounts on many IoT and OT devices is publicly available, mainly from the device manufacturer’s documentation. Hackers that can access your IoT or OT devices can use this information to gain unauthorized administrative access to your device. Removing these default accounts greatly increases the security of your device.
Next, apply all needed software and firmware updates and regularly check whether new updates are available. When you or your IT team are preparing the device, check to see if there are any automatic update options. If automatic updates are not available, regularly check the devices for new updates.
Finally, when securing the IoT and OT devices that exist on your network, make sure to turn off any services you do not intend to use. IoT and OT devices use different services to communicate and share data with other devices across the network. If there are any services or ports you do not intend to use, disabling them can help prevent attackers from connecting to the devices.
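The four measures above can be checked routinely against a device inventory. The following is an added example, not code from the original article; the inventory records, field names, and device names are constructed for illustration.

```python
# Added example: the inventory, field names and device names are constructed.
from dataclasses import dataclass

@dataclass
class Device:
    name: str
    internet_reachable: bool   # reachable from outside the local network
    needs_internet: bool       # documented need for that exposure
    accounts: set              # accounts currently on the device
    default_accounts: set      # accounts listed in the vendor documentation
    firmware: str              # installed version, dotted numeric
    latest_firmware: str       # newest version published by the vendor
    auto_update: bool
    enabled_services: set
    intended_services: set

def version_tuple(version):
    # Compare numerically so that 1.10.0 sorts after 1.9.3.
    return tuple(int(part) for part in version.split("."))

def audit(dev):
    """Return the hardening findings for one device, one per measure."""
    findings = []
    if dev.internet_reachable and not dev.needs_internet:
        findings.append("internet-exposed without a documented need")
    leftover = dev.accounts & dev.default_accounts
    if leftover:
        findings.append("default accounts present: " + ", ".join(sorted(leftover)))
    if version_tuple(dev.firmware) < version_tuple(dev.latest_firmware):
        how = "automatic" if dev.auto_update else "manual check required"
        findings.append(f"firmware {dev.firmware} behind {dev.latest_firmware} ({how})")
    unused = dev.enabled_services - dev.intended_services
    if unused:
        findings.append("unused services enabled: " + ", ".join(sorted(unused)))
    return findings

INVENTORY = [  # constructed sample records
    Device("press-hmi-01", True, False, {"admin", "operator1"}, {"admin"},
           "1.9.3", "1.10.0", False, {"ftp", "http", "modbus"}, {"modbus"}),
    Device("line2-sensor-gw", False, False, {"svc-collect"}, {"admin", "root"},
           "2.4.1", "2.4.1", True, {"mqtt"}, {"mqtt"}),
]

def audit_all(inventory):
    return {dev.name: audit(dev) for dev in inventory}

if __name__ == "__main__":
    for name, findings in audit_all(INVENTORY).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```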
If you are unsure how to determine if your IoT, IIoT, and OT devices are secure, a vulnerability assessment can clarify which security issues can affect your business the most. Certitude Security™ has the experience needed to identify the security issues that can result in data loss and downtime and provide service-backed recommendations that can lead to faster system recovery and fewer data breaches. If you would like to talk to us about our vulnerability management services, please visit our website and speak to one of our representatives today.