Actively Checking Device Integrity Can Detect Changes that Evade IP-based Monitoring
The SANS Institute recently published a research study of Industrial IoT (IIoT) security. The survey polled more than 200 security professionals from energy, utility, oil and gas, and manufacturing organizations. Among the key findings, the majority of respondents reported they are more concerned about endpoint device security than about network security. Another interesting takeaway: less than 5% of those in operational technology (OT) roles said they were confident in their company’s ability to secure these new infrastructures. Both OT and IT respondents said they lack appropriate IIoT monitoring capabilities.
According to the report’s authors: “The closer someone is to the IIoT systems, the greater the recognition of a challenging reality. The individuals probably the most knowledgeable about IIoT implementation, the OT team, appear the least confident in their organization’s ability to secure these devices, while company leadership and management, including department managers, appear the most assured.”
Let’s unpack these findings.
Concerns about endpoint security in industrial environments, especially among OT personnel, are being driven by the demise of the traditional air gapping of OT infrastructures. A full 32% of organizations surveyed said they have IIoT devices connected directly to the Internet, bypassing traditional ICS security layers. The threat of external attacks reaching OT networks is no longer science fiction; it is happening now.
Case in point, the Department of Homeland Security recently revealed that hackers working for Russia have breached the control rooms of U.S. electric utilities where they could have caused blackouts.
With industrial threats now a reality, OT personnel are becoming keenly aware of the shortcomings they face in securing ICS devices. Among those surveyed, less than 30% have OT-specific monitoring capabilities, while 72% rely on IP suites to control, configure and collect device data. Without visibility into changes made to device configurations, software and patch levels, it’s virtually impossible to detect an attack until it’s too late. IP suites can monitor network traffic, but not the integrity of the controllers themselves.
To complicate matters, many industrial organizations are not proactively addressing known vulnerabilities in IIoT devices. Only 40% of respondents, or two out of five, indicated they apply and maintain current patches and updates on devices, while 60%, or three out of five, are not using device-level patching to protect IIoT devices and systems.
These results are concerning, but they are consistent with what we are seeing in customer engagements. Namely, it is extremely difficult to monitor and secure OT environments without domain-specific tools. The fact that OT personnel are more concerned about IIoT security than their IT counterparts is telling. They understand the risks and consequences of industrial security incidents, and the urgency of addressing vulnerabilities in their systems.
The reality is that the specialized monitoring and control technologies needed to prevent unauthorized process changes and protect ICS networks from external attacks are generally not provided by device manufacturers, and when they are, they are vendor-specific and sometimes even model-specific. And, as mentioned earlier, IP-based tools lack the level of visibility required to detect device-level threats.
Fortunately, a new category of products can provide deep, real-time visibility, security and control over the control-plane activities of industrial networks, using an active approach that monitors the integrity of a device’s state as well as network anomalies. By monitoring engineering changes made to industrial controllers, whether over the network or directly on the devices, these technologies provide a 360-degree view that detects unauthorized activities and threats early in the kill chain, before damage occurs.
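To make the distinction between IP-based monitoring and active device-integrity checking concrete, here is an added example (not code from the post or from any vendor product). It models a controller's state as a fingerprint of firmware version, control logic and configuration, compares a fresh read-back against a stored baseline, and contrasts that with a flow-level check. All device names, flow records and the tampered configuration value are constructed sample data; `DeviceState`, `changed_fields` and `new_flows` are hypothetical names chosen for this illustration.

```python
import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class DeviceState:
    """Snapshot of what an active integrity check reads back from a controller."""
    device_id: str
    firmware_version: str
    logic_blob: bytes   # control logic as uploaded from the device
    config: dict        # key settings read back from the device

    def fingerprint(self) -> dict:
        """Reduce the snapshot to comparable fields; blobs are hashed so the
        baseline can be stored without keeping the full program around."""
        config_json = json.dumps(self.config, sort_keys=True).encode()
        return {
            "firmware_version": self.firmware_version,
            "logic_sha256": hashlib.sha256(self.logic_blob).hexdigest(),
            "config_sha256": hashlib.sha256(config_json).hexdigest(),
        }


def changed_fields(baseline: DeviceState, current: DeviceState) -> list:
    """Return the sorted names of fingerprint fields that differ from the baseline.
    An empty list means the device state matches what was approved."""
    if baseline.device_id != current.device_id:
        raise ValueError("baseline and current snapshot are for different devices")
    b, c = baseline.fingerprint(), current.fingerprint()
    return sorted(name for name in b if b[name] != c[name])


def new_flows(baseline_flows: set, current_flows: set) -> set:
    """What an IP-based monitor can see: (src, dst, port) tuples not in the baseline."""
    return current_flows - baseline_flows


# Constructed sample: the approved state of one controller.
BASELINE = DeviceState(
    device_id="PLC-01",
    firmware_version="2.1.4",
    logic_blob=b"LD I0.0\nAND I0.1\n= Q0.0\n",
    config={"setpoint_max": 80, "mode": "auto"},
)

# Constructed sample: a later read-back in which only a safety limit was raised.
# Same firmware, same logic, so nothing about the device's "look" on the wire changes.
TAMPERED_CONFIG = DeviceState(
    device_id="PLC-01",
    firmware_version="2.1.4",
    logic_blob=BASELINE.logic_blob,
    config={"setpoint_max": 120, "mode": "auto"},
)

# Constructed sample: flow records from the engineering workstation to the PLC.
# The change above rides over the same, already-approved connection, so the
# flow set is identical before and after.
APPROVED_FLOWS = {("10.0.1.20", "10.0.1.50", 502)}
OBSERVED_FLOWS = {("10.0.1.20", "10.0.1.50", 502)}


def compare_monitors() -> dict:
    """Run both checks over the constructed samples and return their findings."""
    return {
        "ip_monitor_new_flows": new_flows(APPROVED_FLOWS, OBSERVED_FLOWS),
        "integrity_changed_fields": changed_fields(BASELINE, TAMPERED_CONFIG),
    }


if __name__ == "__main__":
    for check, finding in compare_monitors().items():
        print(f"{check}: {finding or 'nothing detected'}")
```

In the sample, the flow-level check reports nothing because the configuration write reused an approved engineering connection, while the integrity check flags `config_sha256` and can be followed up by diffing the stored and current configuration. In practice the baseline would be captured at commissioning and after each approved change window, stored outside the device, and the read-back scheduled at an interval the process can tolerate.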
The complete 2018 SANS Industrial IIoT Security Survey is available here (PDF).