hack the factory

For the industrial Internet of Things, defense in depth is a requirement

The shift in how we make things brings with it a shift in how we secure things.

Sensors, sensors everywhere!

Ars yesterday wrote a big feature on the concept of "Industry 4.0," the fancy-sounding name that describes the ongoing shift in how products are created from raw materials and distributed along the supply chain to customers.

What the "4.0" revision adds compared to Industries 1.0 through 3.0 is a complex set of linkages between information and operational technologies. (IT stores, transmits, and manipulates data, while "OT" detects and causes changes in physical processes, such as devices for manufacturing or climate control.)

It's a modular and flexible approach to manufacturing that creates digital links among "smart factories" that are powered by the industrial Internet of Things, big data, and machine learning. And that's almost enough fancy CEO words to make bingo. At least in this case, the buzzwords aren't just important-sounding but ultimately meaningless concepts. Similar to how the rise of devops welded programming with operations, making the manufacturing process smarter by stuffing in all those buzzwords really is causing fundamental changes in how things are made.

Instead of shoving information and goods down a linear supply chain and depending on traditional iterative processes for catching mistakes and adjusting things, "Industry 4.0" broadly means implementing a network of smart, autonomous technologies that let organizations forecast and take quick actions (physical or otherwise) on supply and demand. These actions are all identified in real time and assisted by artificial intelligence (or at least "artificial intelligence" in air quotes—think less like Skynet and more like IBM's Watson). It's a digital supply network, not an old-school supply chain.

There's a catch to all this coolness, however, when it comes to keeping "4.0" secure: the more touch-points between different intelligent platforms in a supply network, the more vectors for bad actors to enter the system. These actors could steal and manipulate data and the physical processes they drive (or, to quote everybody's favorite miracle worker, "The more they overthink the plumbing, the easier it is to stop up the drain"). The bigger the digital supply network, the wider the potential damage.

An explosion of sensors

According to John Spooner, a senior IoT analyst at 451 Research in Boston, the basic security principles underlying "Industry 4.0" are shaped roughly the same as the security principles around any configuration of connected devices. However, the geometric increase of complexity from a supply chain to a digital supply network requires vastly more responsive and complex solutions that can track the addition of new components and monitor their behavior far more quickly than human operators could.

When information technology and operational technology are woven into a complex network, he explained to Ars, "What happens is one hand doesn't know what the other is doing." By way of example, Spooner cited the 2017 hack of a casino fish tank that contained sensors connected to a PC; an interloper hacked the fish tank's sensors (OT) and gained access to proprietary casino data (IT). A breach on the operational side of things led to an immediate bridge into the IT side.

"When we go out and talk to customers in IT and OT, their top concern is security, and it's being thought about all across the industries," Spooner said. He continued: "I think everybody's afraid that IIoT [the Industrial Internet of Things] creates such a ginormous net of devices, the threat is geometrically expanding."


Every connected sensor on every connected device is not just a source of data for your manufacturing operation: it is also a potential entry point for black hats into your business' private data. Adequately covering and monitoring an attack surface that far outstrips what humans can comfortably handle calls for artificial intelligence to support the security team.

"The system must be under constant review," Spooner said. "Potentially, there are tens of thousands of devices on the digital supply networks of a top global manufacturing company, and each tool they have online is an endpoint with multiple sensors."

The first line of defense for smart factories, therefore, is using AI to monitor the behavior of devices from the moment those devices join the network. "The security solution knows why the device is there and what it's supposed to be doing," Spooner said. "If it deviates from that behavior, it's isolated. And devices and their behavior are under constant review."

For a global manufacturing company the size of General Motors, that's tens of thousands of connected devices.

On top of behavior monitoring, better industrial IoT security systems employ network access controls, which restrict each class of sensor to the specific parts of the network it needs to reach in order to measure and report what it is supposed to measure and report. The best solutions add still another level of verification, Spooner explained: compliant devices include gateways and endpoints that identify and track a particular sensor as it comes onto the network.
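The two controls Spooner describes (a behavior profile assigned when a device joins, and per-class restrictions on what it may reach) can be sketched as a small monitor. The following is an added example, not code from the article, from 451 Research or from any vendor. Device classes, host names, the profile fields and the flow records are all constructed for illustration; the `sensor-02` flow mirrors the fish-tank scenario above, an OT device reaching into the IT side.

```python
"""Behavior-baseline monitoring for IIoT devices (added example, not the article's code).

Each device is registered with a hypothetical profile describing what its class
is allowed to do: which (host, port) pairs it may reach, how often it should
report, and how large its messages should be. Observed flows that deviate from
the profile mark the device for isolation, as Spooner describes.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class DeviceProfile:
    """Expected behavior of one device class (hypothetical fields)."""
    device_class: str
    allowed_destinations: Set[Tuple[str, int]]  # (host, port) pairs this class may reach
    max_interval_s: int                         # longest acceptable gap between reports
    max_bytes: int                              # largest message the class should send


# Constructed profiles for two device classes.
PROFILES: Dict[str, DeviceProfile] = {
    "temp-sensor": DeviceProfile(
        "temp-sensor", {("historian.ot.example", 4840)}, max_interval_s=60, max_bytes=512),
    "plc-gateway": DeviceProfile(
        "plc-gateway", {("historian.ot.example", 4840), ("scada.ot.example", 502)},
        max_interval_s=10, max_bytes=4096),
}


@dataclass
class Verdict:
    device_id: str
    reasons: List[str] = field(default_factory=list)

    @property
    def isolate(self) -> bool:
        # Any deviation from the registered profile is grounds for isolation.
        return bool(self.reasons)


# Constructed flow records: (timestamp_s, device_id, dst_host, dst_port, bytes_sent)
SAMPLE_FLOWS = [
    (0,   "sensor-01", "historian.ot.example", 4840, 128),
    (60,  "sensor-01", "historian.ot.example", 4840, 130),
    (120, "sensor-01", "historian.ot.example", 4840, 127),
    (0,   "sensor-02", "historian.ot.example", 4840, 129),
    (10,  "sensor-02", "fileserver.corp.example", 445, 96),  # OT device reaching into IT
    (0,   "gw-01",     "scada.ot.example", 502, 900),
    (5,   "gw-01",     "scada.ot.example", 502, 880),
    (300, "gw-01",     "historian.ot.example", 4840, 8192),  # long silence, then oversize
    (15,  "sensor-99", "historian.ot.example", 4840, 128),   # never registered
]


def register(inventory: Dict[str, str], device_id: str, device_class: str) -> None:
    """Record a device's class at the moment a gateway admits it to the network."""
    if device_class not in PROFILES:
        raise ValueError(f"no profile for device class {device_class!r}")
    inventory[device_id] = device_class


def evaluate(flows, inventory: Dict[str, str]) -> Dict[str, Verdict]:
    """Compare each device's observed flows with its registered profile."""
    verdicts: Dict[str, Verdict] = {}
    last_seen: Dict[str, int] = {}
    for ts, dev, host, port, nbytes in sorted(flows):
        v = verdicts.setdefault(dev, Verdict(dev))
        cls = inventory.get(dev)
        if cls is None:
            if not v.reasons:
                v.reasons.append("unregistered device")
            continue
        profile = PROFILES[cls]
        if (host, port) not in profile.allowed_destinations:
            v.reasons.append(f"unexpected destination {host}:{port}")
        if nbytes > profile.max_bytes:
            v.reasons.append(f"message of {nbytes} bytes exceeds {profile.max_bytes}")
        if dev in last_seen and ts - last_seen[dev] > profile.max_interval_s:
            v.reasons.append(f"silent for {ts - last_seen[dev]}s (limit {profile.max_interval_s}s)")
        last_seen[dev] = ts
    return verdicts


def demo() -> Dict[str, Verdict]:
    """Register three devices and evaluate the constructed flows."""
    inventory: Dict[str, str] = {}
    register(inventory, "sensor-01", "temp-sensor")
    register(inventory, "sensor-02", "temp-sensor")
    register(inventory, "gw-01", "plc-gateway")
    return evaluate(SAMPLE_FLOWS, inventory)


if __name__ == "__main__":
    for dev, verdict in sorted(demo().items()):
        status = "ISOLATE" if verdict.isolate else "ok"
        print(f"{dev:10} {status:8} {'; '.join(verdict.reasons)}")
```

The profile is deliberately coarse: it captures destination allowlisting, cadence and message size, which are the three signals a network access control and a behavior monitor can observe without understanding the sensor's payload. A production system would learn the cadence and size bounds from the device's first days on the network rather than hard-code them.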

How ABB handles things

Satish Gannu is chief information security officer at ABB, a Zurich-based multinational corporation that focuses on robotics, power, heavy electrical equipment, and automation technology. Gannu has been on the front lines of security for smart factories and has operational experience in dealing with protecting the relationship between IT and OT. His role as CISO extends over IT and OT security.

"Historically, OT networks have been ignored," Gannu said. "IT and OT checks and balances have not been in place. The IT world has already been way ahead on security, and it can educate OT teams."


In a recent blog post on the subject, Gannu wrote, "As someone with experience on both sides of the IT/OT equation, I've realized how industrial companies can use the hard-won, long-fought lessons of IT to leapfrog to an advanced state of IIoT security—architected and deployed to meet OT's differentiated requirements. If one thinks of OT systems as another form of data center—the heavily protected core of enterprise IT—there are some promising ideas one can adapt from decades of IT experience to provide new levels of IIoT security while honoring the specific needs of OT."

"The way I look at it," Gannu said, "if you want to understand threats, it's always about ingress and egress, whether that's physical security or cybersecurity." While his purview is not the former, it encompasses all facets of the latter.

And when it comes to cybersecurity ingress and egress at ABB, everything has to pass through a DMZ that shields both IT and OT. For access to the cloud, ABB employs hardened-edge computing. "From an edge perspective, we have built cybersecurity from the ground up," Gannu said. "The edge doesn't receive any incoming information at all—it's not exposed to the DMZ in any manner."
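The arrangement Gannu describes can be written down as a zone policy and checked against connection attempts. The following is an added example, not ABB's design or code: the address plan, zone names and connection records are constructed, and the policy encodes the two properties stated above, that IT and OT only meet through the DMZ and that the edge accepts no inbound connections and is not reachable from the DMZ. The assumption that the edge itself initiates connections to OT devices and to the cloud is mine, not the article's.

```python
"""Zone-to-zone policy check for an IT/OT network with a DMZ and an outbound-only edge.

Added example, not ABB's code or configuration. Zones, address ranges and the
allowed initiation pairs are constructed assumptions.
"""
import ipaddress
from typing import Dict, List, Tuple

# Hypothetical address plan; anything outside these ranges is treated as "cloud".
ZONE_NETS = {
    "it":   ipaddress.ip_network("10.10.0.0/16"),
    "dmz":  ipaddress.ip_network("10.20.0.0/24"),
    "ot":   ipaddress.ip_network("10.30.0.0/16"),
    "edge": ipaddress.ip_network("10.40.0.0/24"),
}

# (initiating zone, destination zone) pairs permitted to open a connection.
# IT and OT reach each other only via the DMZ; the edge initiates outward
# (assumed: to OT for collection, to the cloud for upload) and accepts nothing.
ALLOWED_INITIATIONS = {
    ("it", "dmz"), ("dmz", "it"),
    ("ot", "dmz"), ("dmz", "ot"),
    ("edge", "ot"), ("edge", "cloud"),
}


def zone_of(addr: str) -> str:
    """Map an address to its zone; unknown addresses are the cloud/Internet."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONE_NETS.items():
        if ip in net:
            return name
    return "cloud"


def check(src: str, dst: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for a connection initiated by src toward dst."""
    s, d = zone_of(src), zone_of(dst)
    if s == d:
        return True, f"intra-zone {s}"
    if (s, d) in ALLOWED_INITIATIONS:
        return True, f"{s} -> {d} permitted"
    if d == "edge":
        return False, f"edge accepts no inbound connections (from {s})"
    if {s, d} == {"it", "ot"}:
        return False, f"{s} -> {d} must pass through the DMZ"
    return False, f"{s} -> {d} not in policy"


# Constructed connection attempts: (src, dst, description).
SAMPLE_CONNECTIONS = [
    ("10.30.5.7",   "10.20.0.10",  "PLC historian pushing to DMZ relay"),
    ("10.20.0.10",  "10.10.3.3",   "DMZ relay forwarding to IT analytics"),
    ("10.30.5.7",   "10.10.3.3",   "PLC reaching IT directly"),
    ("10.40.0.5",   "203.0.113.9", "edge node uploading to cloud"),
    ("203.0.113.9", "10.40.0.5",   "cloud trying to connect to edge"),
    ("10.10.8.8",   "10.30.5.7",   "IT workstation reaching PLC directly"),
]


def audit(connections=SAMPLE_CONNECTIONS) -> List[Dict[str, object]]:
    """Evaluate every connection attempt against the zone policy."""
    results = []
    for src, dst, what in connections:
        allowed, reason = check(src, dst)
        results.append({"what": what, "src": src, "dst": dst,
                        "allowed": allowed, "reason": reason})
    return results


if __name__ == "__main__":
    for r in audit():
        print(f"{'ALLOW' if r['allowed'] else 'DENY ':5} {r['what']:40} {r['reason']}")
```

The check treats the source as the initiator, which is how a stateful firewall reasons: replies on an edge-initiated connection flow back without a separate rule, while a fresh connection toward the edge from anywhere is refused. Running the same policy over real flow logs is a cheap way to catch an OT-to-IT path that was never meant to exist.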

Horses and barn doors

For Gannu, like Spooner, the key shift in "Industry 4.0" cybersecurity lies in creating infrastructures that subject IT and OT to the same rigorous standards. This is a difficult path to walk, though, because the best way to do it is to make sure integrated security is designed into your systems from the outset—and that's often impossible to achieve when you're smart-ifying existing manufacturing lines.

It's tempting to either skimp on implementation or simply ignore some aspects of security. That's because security can have significant costs (both operational and capital) and doesn't yield immediate obvious benefits.

Yet breaches and intrusions happen—and the pace at which they happen is beginning to quicken. Companies face a choice: if they want to reap the benefits of intelligent manufacturing and AI-augmented supply chains, they need to either afford those augmented supply chains appropriate protection, or they need to accept the fact that they will almost certainly, at some point, suffer through the embarrassment of a security incident. (And in the aftermath of a breach, they'll then be forced to implement some security measures, so putting that implementation off really doesn't save anything or help anyone.) It becomes a question of when they want to fix the barn door: now, when there's one cost, or after the horse escapes, when there's a much higher cost.
