Technology Report: The Challenge of Cybersecurity in the Age of Connectivity · 2017. 10. 27.

www.SmartIndustry.com -1-

Technology Report: The Challenge of Cybersecurity in the Age of Connectivity

Just as smart machines are better able to communicate with one another and with those operating them, the increased connectivity in this era of digital transformation is a boon to hackers, who have myriad new ways to peek into systems and extract information that can cripple businesses. In short, industrial cybersecurity is simultaneously much more important and much more difficult to maintain. Enterprises that balance an intelligent approach to manufacturing with a hardy defense strategy—brains and brawn—will capitalize on opportunities while thwarting nefarious characters.

TECHNOLOGY REPORT


CONTENTS

A new model for sustainable, end-to-end security

Next-gen tools won’t keep our industries safe

Vigilante cyber-justice in the wild, wild IoT

As industries and the cyber-threat landscape change, so must your defenses

5 ways to get IT & operations to champion IIoT


TECHNOLOGY REPORT: THE CHALLENGE OF CYBERSECURITY IN THE AGE OF CONNECTIVITY

A new model for sustainable, end-to-end security

By Chris McNamara, Smart Industry content director

“The IIoT story can’t be told without cybersecurity, but how can it be implemented properly without interfering with industrial processes already in place?” asks Sven Schrecker, chief architect, IoT Security Solutions, Intel.

“Intel has a global security strategy, which it tests with help from the IIC’s 250 members, who build test-beds, check performance, and report back to Intel with recommendations. We’re now in the fourth industrial revolution, which consists of cyber-physical systems and IIoT. On the positive side, this means potentially huge productivity, efficiency, optimization and performance gains. However, on the negative side, there are natural security concerns because IIoT also means increased risk due to more attack vectors, larger attack surfaces and potentially grave consequences.”

To develop a set of common cybersecurity solutions, Schrecker reports that developers first need to look at how potential solutions will be deployed because user and consumer buy-in will be crucial for them to succeed. “Industrial revolutions like IIoT aren’t driven by researchers, inventors and technology designers,” he says. “The reality is they’re driven by investors, consumers, regulators and citizens, who adopt and employ these new technologies in daily life. So how can we enable the safe, reliable and secure operation of the IIoT?”

TRUST MUST SOAK THROUGH 

Schrecker explains that another essential IIoT principle is that cybersecurity doesn’t exist in isolation.

“Security is one of five characteristics that support IIoT trustworthiness,” he explains. “The others are safety, privacy, resilience and reliability. Together, they create the trustworthiness that the IIoT needs to protect against system faults, environmental disruptions, human errors and cyber-attacks.”

Schrecker adds that IIoT trustworthiness also relies on information technology (IT) and operations technology (OT) coming together. “We need a new, comprehensive adoption model for trustworthiness as the basis for industrial adoption of IIoT. Then we need to look at all environments from a security perspective, and leverage trustworthiness to manage risk and increase the likelihood of correct business decisions,” says Schrecker. “Security can’t be something we do just for compliance.

“We need permeation of trust in all system elements, in how they’re integrated, and how they interact with each other by assuring it across the entire industrial system of component builders, system builders and operational users from top to bottom and from end to end. Trust flows down from the owner/operator to all parts of the IIoT system, but trust must also be enabled from the bottom up.”

STANDARDS BEAT PERCEPTIONS

Once all IIoT participants reach a common understanding and work together for security, Schrecker reports they must design and integrate security into their components and systems before building them because it’s much harder to bolt on security after the fact. “We need chips, boards and software with security built in from the beginning, and we need them attested to the right level of security from the top down,” he says.

Schrecker adds that successful cybersecurity for the IIoT requires standards, some of which haven’t arrived yet but are getting closer. “Several organizations including IIC are working on this,” he says. “IIC has met with several Industrie 4.0 groups to list goals and convergence plans, and begin to adopt security models and standards that can kick in.”

A key element of developing IIoT security standards is revising the traditional perception of IIoT as starting at edge devices and communicating to the cloud, according to Schrecker. “We can’t just be secure at the edge and in the cloud, and think we’re secure overall,” he says. “We need end-to-end security based on comprehensive models and policies. Each part of an application needs to protect itself, whether it’s at the edge, on the network or in the cloud. We need communications, so we can’t just lock things down. Further, protections can degrade, so we need to monitor and manage security as environments change.”

APPLY SECURITY TO IIOT

Once a useful IIoT security model and policy is settled on, Schrecker explains that a security layer can be overlaid on existing industrial processes, spanning them end to end without interfering with those processes. These techniques include:

• Embedded cyber and physical security and embedded identities on boards and components

• Secure communications, especially for machine-to-machine applications

• Overall security monitoring and management, including secure policy management and event monitoring

Consequently, embedded security deployment models should include:

• Process isolation with security in the same operating system (OS) as other components, but separate security processes

• Containerization isolation of software and software containers

• Virtualization isolation with security in separate OSs

• Physical isolation using gateway or bump-in-the-wire functions

“Some infrastructures allow individual devices to protect themselves and some models allow post-attack, root-cause analysis. If you do these functions in software, then they can all do their own thing,” says Schrecker. “There are also a lot of brownfield applications, but they can also start on the IIoT security roadmap by using network gateways to secure OT data flows and protect their devices.

“Next, users can harden devices and implement edge security control by taking software from those devices, virtualizing it, and putting it on their gateways or servers. This puts the soul of a device like a PLC in its gateway. The traditional way of protecting end devices is putting a software agent in the operating system, but we say it’s better to put a second chip in the end device, so you can have operations on one chip and security on another.”

A security chip can monitor and manage all security tasks, enforce firewall functions, store identity information, mutually authenticate devices and users, and authorize network traffic. A security chip can also be defined as the only device that’s allowed to talk to the outside, so all operations chip communications go through the security chip, and follow its security models and policies, much like a network whitelist.

“All of this gives security a place to run,” concludes Schrecker. “Then you can carry out more sophisticated security management, reactively and proactively update devices as needed, and pull security data including metrics and KPIs for better security monitoring and analytics.”
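The security-chip arrangement Schrecker describes (a separate chip that holds identities, mutually authenticates peers, and is the only path to the outside, applying a whitelist) can be sketched in a few dozen lines. The following is an added illustration written for this page, not code from the report, Intel or the IIC; the device names, keys, hostnames, port and allowlist rules are constructed assumptions.

```python
# Added example, not from the Smart Industry report, Intel or the IIC.
# Toy model of the "security chip is the only path to the outside" pattern:
# every outbound flow is handed to a policy enforcement point that
# (1) mutually authenticates the peer with a pre-provisioned per-device key,
# (2) checks the flow against an explicit allowlist (default deny), and
# (3) records each decision as an event for monitoring.
# All device names, keys and flows below are constructed for the example.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class Rule:
    src_device: str   # operations-side component that may talk
    dst_host: str     # destination it may reach
    dst_port: int
    protocol: str     # stored lower-case, e.g. "tcp"


@dataclass
class SecurityChip:
    own_id: str
    own_key: bytes                 # identity secret held only by this chip
    peer_keys: Dict[str, bytes]    # provisioned identities of trusted peers
    rules: List[Rule]              # explicit allowlist; anything else is denied
    events: List[dict] = field(default_factory=list)

    def _log(self, kind: str, subject: str, allowed: bool, reason: str) -> None:
        self.events.append({"kind": kind, "subject": subject,
                            "allowed": allowed, "reason": reason})

    # Identity: HMAC challenge-response over a fresh nonce, so each side
    # proves possession of its key without ever transmitting the key.
    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self.own_key, b"auth|" + nonce, hashlib.sha256).digest()

    def verify(self, peer_id: str, nonce: bytes, response: bytes) -> bool:
        key = self.peer_keys.get(peer_id)
        if key is None:
            self._log("auth", peer_id, False, "unknown identity")
            return False
        expected = hmac.new(key, b"auth|" + nonce, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, response)
        self._log("auth", peer_id, ok, "ok" if ok else "bad response")
        return ok

    # Authorization: a flow passes only when an allowlist rule matches exactly.
    def authorize(self, src_device: str, dst_host: str, dst_port: int, protocol: str) -> bool:
        flow = Rule(src_device, dst_host, dst_port, protocol.lower())
        ok = flow in self.rules
        self._log("flow", f"{src_device}->{dst_host}:{dst_port}/{flow.protocol}",
                  ok, "rule match" if ok else "no matching rule (default deny)")
        return ok

    def denied_events(self) -> List[dict]:
        """What a monitoring console would pull as security metrics."""
        return [e for e in self.events if not e["allowed"]]


def mutual_authenticate(a: SecurityChip, b: SecurityChip) -> bool:
    """Both directions must succeed; a one-sided check would let an
    unprovisioned peer talk to the operations side without proving itself."""
    n1 = a.challenge()
    if not a.verify(b.own_id, n1, b.respond(n1)):
        return False
    n2 = b.challenge()
    return b.verify(a.own_id, n2, a.respond(n2))


# Constructed provisioning data (on real hardware this comes from secure provisioning).
PLC_KEY = b"constructed-plc-identity-key-0001"
HISTORIAN_KEY = b"constructed-historian-key-0002"
ROGUE_KEY = b"constructed-unprovisioned-key-9999"


def build_plc_chip() -> SecurityChip:
    # The PLC's operations chip may only reach the plant historian over OPC UA (TCP 4840).
    return SecurityChip("plc-7", PLC_KEY, {"historian": HISTORIAN_KEY},
                        rules=[Rule("plc-7", "historian.plant.local", 4840, "tcp")])


def demo_flows() -> dict:
    plc = build_plc_chip()
    historian = SecurityChip("historian", HISTORIAN_KEY, {"plc-7": PLC_KEY}, rules=[])
    rogue = SecurityChip("rogue", ROGUE_KEY, {"plc-7": PLC_KEY}, rules=[])
    return {
        "historian_authenticated": mutual_authenticate(plc, historian),
        "rogue_authenticated": mutual_authenticate(plc, rogue),   # plc holds no key for "rogue"
        "opcua_allowed": plc.authorize("plc-7", "historian.plant.local", 4840, "TCP"),
        "internet_blocked": plc.authorize("plc-7", "203.0.113.9", 443, "tcp"),
        "denied_on_plc": len(plc.denied_events()),
    }


if __name__ == "__main__":
    for name, value in demo_flows().items():
        print(f"{name}: {value}")
```

Two design points are worth noting: authorization is default-deny, so a flow the policy never mentions (here, a connection to an internet address) is refused and logged rather than silently passed, and the denied events are exactly the security data the monitoring and analytics Schrecker mentions would consume.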


Next-gen tools won’t keep our industries safe

By Omri Dotan, chief business officer with Morphisec

The cybersecurity industry seems flooded these days with solutions touting their use of “deep learning,” “ML” (machine learning), or “AI,” all in the name of building a better mousetrap. And it’s true; these next-generation tools work more effectively than legacy products, which typically rely on static signature or simple heuristic detection. The problem is that next generation solutions are, by definition, close relatives of their predecessors, based on the same underlying premises. As such, they face the same limitations as the tools they claim to replace, even if those limits are somewhat expanded.

Old and new gen are always one step behind the attacker, relying on prior knowledge to stop yesterday’s attacks. They compete on who is more incrementally effective against malware, which is the wrong question to ask when unknown unknowns (zero-days and millions of malware variants) can always outsmart the defenses. The questions we really need answered are how to change the asymmetry in cybersecurity in favor of the defender, how to prevent attacks from ever starting, and how to reduce today’s ever-mounting security costs.

THE DATA CATCH-22

Threat actors constantly develop new techniques and avenues of attack that easily evade older prevention solutions. To compensate, manufacturers seeking to protect their businesses add more layers of monitoring, detection and response, which generate masses of reports and false alarms to be investigated by their under-resourced and overwhelmed analysts. Indeed, the latest big data, business intelligence and AI security products sift more effectively through all the information in an attempt to predict the unknown and learn from the past, yet these tools generate even more data, eating up even more time and resources.

Moreover, all these layers still leave industries exposed to fileless and memory-based attack frameworks, shellcode attacks and other advanced threats that are designed to go undetected. Next-gen solutions, no matter what exciting technology they use to do it better, still rely on detection of executables. They have to find the mouse, or traces of the mouse, before they use probabilistic inference to decide whether or not to stop it.

And even the most sophisticated detection logic will always be a step behind hackers.

PREVENTION BEATS A CURE

There is a steeply increasing relationship between the time to detect, contain and remediate an attack and the organizational costs. While detection tools have improved (with shorter times between infection and detection), it is much more cost-effective for businesses to prevent a breach from ever occurring in the first place.

So how can manufacturers and other industrial companies get ahead of the attack-cost curve? They need to reduce their risk by increasing the resilience of their security stack to both known and unknown threats, along with unpredictable attacks. At the same time, they should focus on reducing the operating expenses and complexity of their security approach.


Some truly innovative technologies have emerged that make this feasible. Moving Target Defense, for example, breaks completely away from the post-breach malware-detection model and the reliance on previous knowledge. By denying hackers the ability to access, or even find, exploitable memory resources, it makes it prohibitively expensive for hackers to attack an organization.

The right stack is more critical than individual security products. Security departments should take a step back to understand exactly what they’re getting out of their security stack: is it affordable, is it effective, is it flexible, can it handle the unknown?

This was the approach taken by Yaskawa Motoman Robotics when they revamped their security stack. (Disclosure—Motoman is a Morphisec customer.) Motoman sought to be one step ahead of cyber-criminals while operating in a highly technical work environment where users have local admin rights, and which has many types of CAD systems and freeware downloaded by engineers. Advanced persistent threats (APTs) aimed at theft of intellectual property, performance degradation from resource-heavy security products, and disruptions that could affect company margins were all serious concerns. They built a lean prevention stack based on Anti-Virus and Morphisec’s Moving Target Defense memory exploit-prevention layer, which gave them effective endpoint protection that demands very little in terms of personnel and system resources.

Bigger and smarter mousetraps may protect better, but better is not good enough when ransomware locks up critical factory resources or when attacks exfiltrate sensitive business data. Rather than amassing agents and bigger solutions that mean more work, more implementation, more training, more monitoring, more forensics and more people, manufacturers should combine traditional and innovative prevention technologies with good cyber-hygiene to keep running safely and efficiently.



Vigilante cyber-justice in the wild, wild IoT

By Alan Grau, president and co-founder of Icon Labs

Stories of vigilante justice during the “wild, wild west” period in US history are legendary. According to legend, outlaws roamed cattle towns and remote settlements, overwhelming law enforcement and thriving wherever law enforcement was lax.

Whenever things got too bad, citizens would sometimes band together and try to take matters into their own hands, dishing out retribution in a way that sometimes served justice and, at other times, resulted in new crimes more heinous than the original offense.

Recently, with a lax environment for IoT device cybersecurity, a hacker, self-proclaimed as “The Janitor,” launched his or her own vigilante-style cyber-attack. The attack targeted devices that failed to meet basic cybersecurity requirements, such as not requiring end users to change default passwords. The attack modified critical code and/or data stored on these devices to “brick” them, rendering them unusable.

The Janitor, in a manifesto released accompanying the cyber-attack, said he likes to think of himself as “The Doctor” and described the attack as a sort of “cyber-chemotherapy.” Just as chemotherapy is an extreme action taken to rid the body of harmful cells, his cyber-attack would rid the internet of IoT devices he felt contributed to the web becoming “seriously ill.”

The recent Mirai attack, in which thousands of insecure IoT devices were used to create a botnet that launched cyber-attacks, was cited as justification. His rationale was that these unprotected devices leave us all vulnerable to cyber-attacks that could inflict serious damage on us as a society. As you may recall, last year’s Mirai DDoS attack shut down the websites of major companies, bringing e-commerce to a halt in some locations. The Doctor wants to prevent these types of attacks from happening again.

This hacker’s actions, while clearly illegal, highlight an important issue. Despite the growing threat of attack, companies are not adequately investing in security.

And until companies appreciate the risk involved in distributing unsecured devices, cyber-attacks will continue to occur. Regardless of the motivation behind the attack, ultimately, it is those OEMs that produce products lacking security that are mostly to blame. Just as societies without strong law enforcement result in higher crime rates and vigilante justice, lax security results in increased cyber-crime.
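The baseline requirement the article calls out, forcing a change of the default password before a device goes into service, is straightforward to build into firmware. The following is an added example written for this page, not code from the report or Icon Labs; the default credential, serial number, password policy and candidate passwords are constructed.

```python
# Added example, not code from the report or Icon Labs: a first-boot credential
# gate of the kind the bricked devices lacked. Network services stay disabled
# until the factory default password has been replaced by one that passes a
# minimal policy. The default credential, serial number, policy values and
# candidate passwords are constructed for the example.
import hashlib
import hmac
import secrets
from typing import List

FACTORY_DEFAULT_USER = "admin"
FACTORY_DEFAULT_PASSWORD = "admin"   # constructed default shipped in every unit
MIN_LENGTH = 12                      # constructed policy value
PBKDF2_ROUNDS = 100_000


def password_problems(candidate: str, serial: str) -> List[str]:
    """Return every policy violation, so the user can fix all of them at once."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate == FACTORY_DEFAULT_PASSWORD:
        problems.append("equals factory default")
    if serial.lower() in candidate.lower():
        # Serials are printed on the case, so they are not secret.
        problems.append("contains device serial")
    return problems


class Device:
    def __init__(self, serial: str):
        self.serial = serial
        self._salt = secrets.token_bytes(16)
        self._user = FACTORY_DEFAULT_USER
        self._digest = self._hash(FACTORY_DEFAULT_PASSWORD)
        self.default_in_use = True              # on real hardware, persisted across reboots
        self.network_services_enabled = False   # stays False until the default is gone

    def _hash(self, password: str) -> bytes:
        # Salted PBKDF2 rather than a plain hash, so a dumped flash image
        # does not hand over the credential directly.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, PBKDF2_ROUNDS)

    def _check(self, user: str, password: str) -> bool:
        return user == self._user and hmac.compare_digest(self._hash(password), self._digest)

    def login(self, user: str, password: str) -> str:
        """'denied', 'must-change-password' (default still set) or 'ok'."""
        if not self._check(user, password):
            return "denied"
        return "must-change-password" if self.default_in_use else "ok"

    def change_password(self, current: str, new: str) -> List[str]:
        """Empty list means success; otherwise the reasons the change was refused."""
        if not self._check(self._user, current):
            return ["current password incorrect"]
        problems = password_problems(new, self.serial)
        if problems:
            return problems
        self._digest = self._hash(new)
        self.default_in_use = False
        self.network_services_enabled = True    # only now may the device go online
        return []


if __name__ == "__main__":
    dev = Device("SN-0001-CONSTRUCTED")
    print(dev.login("admin", "admin"), dev.network_services_enabled)
    print(dev.change_password("admin", "admin"))
    print(dev.change_password("admin", "correct horse battery staple"), dev.network_services_enabled)
```

The point of the gate is the ordering: the device is usable locally with the shipped credential, but nothing listens on the network until that credential has been replaced, so a unit forgotten in its factory state is not reachable in the way the article describes.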


As industries and the cyber-threat landscape change, so must your defenses

By Omri Dotan, chief business officer with Morphisec

While the rise of smart, connected products and processes in manufacturing is driving unprecedented operational efficiencies, creating exponential growth in data flows and access points, and birthing opportunities for economic growth, it’s also exposing manufacturers to unprecedented risks.

For the first time, cyber-risk ranks among manufacturers’ top 10 risk factors. According to BDO last year, more than nine in 10 manufacturers cite cybersecurity concerns in their SEC disclosures.

These concerns are well-founded. The Industrial Internet of Things may be transforming manufacturing, but each new connected device, sensor, or controller on the network means another entry point of attack. Every endpoint, every communicating sensor, every transaction could transmit a potential threat. The risks range from operations interruptions to theft of valuable IP to even more devastating consequences like unsafe food from tampering with a pasteurization unit. Furthermore, the use of containers in production—at the center of cloud services—raises additional concerns as the security measures are not yet well-developed. The known firewalls, encryption and antivirus systems are no longer enough for that environment.

IoT systems are, by definition, sensitive to performance and energy consumption. In addition, they are not available for patching and vulnerability corrections; they are static and predictable. At a dramatic level, one can imagine a hacker taking control of mission-critical systems.

IoT and IIoT have just opened millions of doors, distributed across the globe. The attack techniques are not yet scripted, so how can existing security products, which are based on prior knowledge, address these unknown attacks and attack vectors? And how will they update their signatures and behaviors, or patch their vulnerabilities for devices, sensors and industrial controllers that are not even reachable?

How can manufacturers protect their business as they grow increasingly interconnected?

It’s simple: Manufacturers need to focus on pre-emptive attack prevention, so a breach is prevented, a priori, from ever occurring. This approach beats reacting to a breach once it has happened. Unfortunately, this simple concept is unattainable with the standard set of security tools, no matter how complex their configuration.

Today’s breach “prevention” is a reactive, multi-tier, targeted strategy: network security, firewalls, antivirus, patching system and application vulnerabilities, etc. And it’s not working. The security solutions are bypassed, and patching practices must be balanced against operational needs and sometimes are not even possible in manufacturing. Enterprises must choose between accepting the risk, or inefficient security practices that jeopardize thin profit margins and hinder growth.

But there’s an alternative. Enterprises need to build a security stack for endpoints and servers that covers patching gaps and blocks advanced and targeted attacks, without any prior knowledge or configuration.

All detection-based security products are necessarily limited by their detection logic—whether signature-based like traditional antivirus or more sophisticated solutions based on heuristics, reputation lists or machine learning. They also do not prevent fileless intrusions. Antivirus should be augmented with new memory protection and exploit prevention technologies that are attack independent and application agnostic. This approach can help manufacturers mitigate risk in developing their Industrial IoT strategy without impeding its adoption.



5 ways to get IT & operations to champion IIoT

By Jeff Bates, product manager at Kepware

This much we know...more and more companies are working to capitalize on the promise of the Industrial IoT: better business intelligence, process improvement, and intelligent asset management.

To realize this, IT and operations departments increasingly need to work together, which is challenging, as these departments have fundamentally different goals and ways of working.

Working with industrial companies, I have seen these challenges first-hand.

It has been suggested that the solution is increased cross-training and an exchange of skills between the two groups...perhaps even going as far as creating an IT/operations hybrid. There are benefits associated with organizational changes, but on their own they do not represent a complete solution. It is incumbent on Industrial IoT technology to allow both IT and operations to continue to be successful in their traditional roles while also benefiting from the IoT.

In order to identify the required characteristics of an effective IIoT platform, it’s important to understand the responsibilities and motivations of individuals in each department.

IT

You likely already have an image of the stereotypical “IT guy.” Often computer science graduates, they are typically excited by the latest and greatest technology. Their responsibilities are daunting: ensure the wide variety of systems that keep the enterprise running (ERP, CRM, accounting, etc.) are installed properly and that they don’t go down. On top of that, add in the need to counter the daily barrage of cyber-attacks that are leveled at the modern enterprise. And now, in many cases, they are responsible for implementing an IoT solution. The job is fast-paced and often hectic.

OPERATIONS

The operations department is wildly different. Populated by various types of engineers, the almost-singular goal is to produce a product reliably and safely. Their responsibilities are equally intimidating—any mistakes could lead to product losses, injury or death. As a cautionary tale that warns against pursuing the shiny and new, a prominent engineering school distributes stainless steel rings as a reminder of a collapsed bridge that was built with the material before it was fully tested. The job is deliberate, methodical and errs on the side of safety.

Both departments have critical roles, and both departments need to continue to execute on their traditional responsibilities. When implemented correctly, the Industrial IoT can provide massive benefits to both. It’s therefore critical to find a solution that can offer these benefits without compromising the departments’ unique objectives.

When evaluating your IIoT solution, look for these five characteristics that will foster buy-in from both groups:

1. Must be compatible with existing systems: The promise of the industrial IoT is that critical plant floor and enterprise system data will be available anywhere, at any time. If an army of developers needs to “open the hood” of a given production system to enable communications, there is more chance of an interruption to production, and less chance that operations is going to help implement the solution. Industrial IoT technologies need to connect “out of the box” to a wide variety of devices and systems, including legacy machines and systems that could be decades old and are too costly to retrofit.

2. Must be secure: Most operations networks today are maintained separately from enterprise networks, pointing to just how critical these operations are to keep secure from outside threats. If IT and operations are going to be comfortable connecting, the security of the technology has to be rock solid.

3. Must be accessible: An Industrial IoT solution doesn’t offer much benefit if it just ends up providing intelligence to one department. IIoT solutions need to democratize data and allow users across the organization to quickly access the data they need. These platforms need a clear and comprehensive way of organizing and providing access to data, without requiring interruption to production.

4. Must utilize user permissions: If anyone across the organization has access to data, there need to be strict controls regarding who can make changes to an IIoT platform, especially edge software that resides on the plant floor. Having the ability to set read-only and configuration permissions will significantly increase the likelihood that operations is comfortable with adopting the new technology.

5. Must show tangible benefit to operations: If an IIoT tool is only providing dashboards to audiences outside of the plant, it will be harder to get buy-in. Some benefits specific to operations include asset-monitoring and alerts, predictive maintenance, advanced analytics for process improvement, enhanced work instructions, and innovative new HMI capabilities.
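The read-only versus configuration split in item 4 can be expressed as a default-deny permission check in front of the plant-floor edge software, scoped so that a line's engineers can change only their own line's nodes while enterprise users can read everything. The following is an added example written for this page, not Kepware's code; the roles, user names, edge-node names and grant table are constructed.

```python
# Added example, not Kepware's code nor from the report: a default-deny
# permission check separating read-only data access from configuration
# changes on edge software, scoped by edge-node name. Roles, users, node
# names and the grant table are constructed for the example.
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Set, Tuple

READ, CONFIGURE = "read", "configure"


@dataclass(frozen=True)
class Grant:
    role: str
    action: str
    node_pattern: str   # glob over edge-node names, e.g. "line-3/*"


@dataclass
class EdgePermissions:
    user_roles: Dict[str, Set[str]]                       # user -> roles
    grants: List[Grant]                                   # positive grants only
    audit: List[Tuple[str, str, str, bool]] = field(default_factory=list)

    def is_allowed(self, user: str, action: str, node: str) -> bool:
        """Allowed only if some grant names one of the user's roles, the
        requested action, and a pattern matching this node; otherwise denied."""
        roles = self.user_roles.get(user, set())
        ok = any(g.action == action and g.role in roles and fnmatchcase(node, g.node_pattern)
                 for g in self.grants)
        self.audit.append((user, action, node, ok))   # every decision is recorded
        return ok

    def denied_count(self) -> int:
        return sum(1 for entry in self.audit if not entry[3])


def build_demo_permissions() -> EdgePermissions:
    return EdgePermissions(
        user_roles={
            "analyst.bi": {"enterprise-viewer"},
            "eng.line3": {"line3-engineer"},
        },
        grants=[
            Grant("enterprise-viewer", READ, "*"),            # read access across the plant
            Grant("line3-engineer", READ, "line-3/*"),
            Grant("line3-engineer", CONFIGURE, "line-3/*"),   # config changes only on line 3
        ],
    )


def demo_permissions() -> dict:
    perms = build_demo_permissions()
    return {
        "analyst_reads": perms.is_allowed("analyst.bi", READ, "line-3/edge-gw-01"),
        "analyst_configures": perms.is_allowed("analyst.bi", CONFIGURE, "line-3/edge-gw-01"),
        "engineer_configures_own_line": perms.is_allowed("eng.line3", CONFIGURE, "line-3/edge-gw-01"),
        "engineer_configures_other_line": perms.is_allowed("eng.line3", CONFIGURE, "line-7/edge-gw-02"),
        "unknown_user_reads": perms.is_allowed("contractor.x", READ, "line-3/edge-gw-01"),
        "denied": perms.denied_count(),
    }


if __name__ == "__main__":
    for name, value in demo_permissions().items():
        print(f"{name}: {value}")
```

Because there are only positive grants and no implicit defaults, a user the table does not know, or an action it does not mention for a node, is refused; the audit list gives operations a record of who attempted a configuration change on which node, which is what makes read-only data access for the wider organization acceptable to them.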

The IIoT has the power to bring these two very different roles together in new ways that benefit the entire enterprise. However, you cannot simply implement an IIoT solution, hold your breath and wait for IT and operations to begin working together. Instead, carefully evaluate and select an IIoT technology with characteristics that will promote collaboration. Not only will your organization reap the benefits of the IIoT, but your IT and operations departments will be the champions of the solution.
