Hackers, attackers, and intruders. These are the people wreaking havoc on every industry and sector from data centers and energy plants to federal and military establishments to commercial building automation and manufacturing facilities.
Their goal? To intentionally cause harm to organizations and their customers by exploiting computer, Cloud, and software weaknesses so they steal data and maybe even extort money.
As shocking as it is to think about such malicious organizational devastation, it’s also a good reminder of just how important it is to be vigilant about cybersecurity. And since October is National Cybersecurity Awareness Month, we thought it was also a good time to help system integrators and facility managers like you brush up on what you should know about IIoT security.
1. Devasting IIoT cyberattacks can and do happen.
At a predicted worldwide cost of $10.5 trillion by 2025, cybercrime is big business.1 And it’s getting bigger every year. Remember 10 years ago when the Target Corporation’s IT breach put 40 million cardholders at risk and cost a reported $300 million? Now, a decade after the fact, the Target breach remains one of the largest security breaches on record.
The potential to similarly disable organizations and facilities that adopt Industrial Internet of Things (IIoT) technologies is real, too. While the Target breach is considered an IT breach, there have been plenty of IIoT breaches that have been just as, if not more, destructive.
Take, for example, the 2022 Optus telecommunications breach in Australia that reportedly cost $1 million, and all because of unauthenticated APIs.2 Then there’s the 2021 Colonial Pipeline ransomware attack that caused the pipeline to stop production, and all because of a single compromised password.3
Hacking a data center or connected industrial environment not only has financial implications at the magnitude of the Target breach, but it can also lead to other, further-reaching consequences, such as shutdowns, shortages, destruction of high-value assets, and compromised health and safety for employees.
2. Unsecure IIoT is a problem that has led to new and increasing levels of disruption.
The advantages of IIoT software, hardware, and Cloud solutions includes their ability to streamline workflows, increase safety, and boost productivity, efficiency, and compliance. The drawback, however, is their potential susceptibility to cyberattacks.
Unlike IT systems that have evolved to become more secure over time, not all IIoT devices in 2022 are designed with security in mind. Worse, according to IBM, industrial control systems have seen a 50% increase in vulnerabilities related to IIoT devices, and manufacturing has now become the world’s most attacked industry.4
The reason? Attackers are looking to disrupt the global supply chain and can do so by attacking one of its most critical players: manufacturing.
The point is that hackers are looking for vulnerabilities. Which is why manufacturers, the energy sector, data centers, and others like them must strengthen security, and they must do it ASAP.
3. You don’t have to sacrifice the benefits of IIoT solutions to maintain security.
If you do any research or reading about IIoT hacks, you know that communication protocols are among the most vulnerable. Which is why we at MSA FieldServer® take cybersecurity precautions very seriously.
We’re about to go through our annual penetration testing with our provider, Breachlock. This in-depth manual penetration testing is in addition to monthly automated scans. Together, these tests have helped us identify our own product vulnerabilities so we can go back and fix them. We prioritize medium and above vulnerabilities over minor ones, but rest assured, we’re maintaining all MSA FieldServer gateways and Cloud-based solutions to the absolute latest standards.
In fact, since we last talked about how MSA FieldServer strengthened security, we’ve evolved our policies and adopted even more cybersecurity strategies—strategies that we hope will serve as a reminder for you, too.
Security Standards: Keep up with ever-changing security standards, and make sure that your device manufacturers are keeping up, as well. Here at FieldServer, we’re committed to the newest standards, including ISA/IEC 62443-4-1 and other cybersecurity benchmarks for building automation, power generation, oil & gas, and other similar industries. We’re also ISO/IEC 27001 accredited, which means we’ve demonstrated that our organization, including our people, processes, and products adhere to these best practice standards.
If you’re not sure if your provider has adopted the last standards, here’s an easy thing you can do: Ask. Ask every provider, because even something as seemingly innocuous as plugging a USB drive into a laptop can lead to the infusion of a bot. Remember, cybersecurity doesn’t start with IT; it starts at the design and engineering level. You have a right to know what security measures were taken with every product or device you connect to your system so ask your provider for proof.
Zero Trust: As an extension of the aforementioned security standards, it’s a good idea to implement a Zero Trust policy. That’s a policy that essentially means “trust nothing, verify everything.” The truth is, if you’re using third-party tools, there can be vulnerabilities and it’s up to you to be proactive in working to protect your organization against cyberattacks. (Side note: We do this at MSA FieldServer, too.)
Smart Devices: Inventory your IIoT devices so you know which are secure and which are not. Then work towards bringing all your devices into alignment with current security standards. That’s one of the many reasons we developed one of our more recently released products, the MSA FieldServer Dual Ethernet Port. As part of our ongoing work to help our customers achieve secure automation, we developed our two-ethernet port solution to provide updated protection that includes physical separation between the LAN and WAN, allowing routing connections only from specific subsets, and features updated security between the gateway and the browser.
Device Security: Because connected devices need to be secure, you’ll want to make sure you understand what kind of built-in security your devices have. What you’re looking for is a device that leverages the latest security measures, including robust user/password management, self-signed certificates, and compliance with current IIoT safety standards. Take, for example, our FieldServer solutions, featuring FieldSafe. FieldSafe is a security feature set that we add to every one of our gateways. FieldSafe takes a multilayered approach to security. That means FieldSafe secures your device, as well as your connections and data, yet still allows data to move securely across disparate subnets.
Security: Ensure that your Cloud-based solution provides secure, remote connectivity. Cloud-based solutions are incredibly efficient for automation. But not every Cloud-enabled gateway is as secure as ours. Our Cloud solution undergoes rigorous annual manual penetration testing by an independent third-party. Plus, we continually monitor compliance with the latest standards, such as ISO/ISE 27001.
Cybersecurity Strategy: Maintain a proactive cybersecurity strategy. Remember the Target breach we mentioned earlier? Those hackers gained access through the HVAC system. Keep in mind that this breach was 10 years ago, and hackers have become even more sophisticated. It’s more important than ever to have an up-to-date strategy and action plan to help minimize your exposure. It should include everything from ensuring multi-factor authentication to training employees on how to prevent phishing email attacks to when and how you’ll conduct your own penetration testing.
Conclusion
IIoT technology is changing fast, but so is the accompanying cybercrime. In addition to the helpful information and tips offered here, one of the best things you can do to protect yourself is to partner with a solutions provider that prioritizes cybersecurity and implements cybersecurity best practices.
So, reach out to us if you’d like some additional cybersecurity resources or if you have questions about the security of any of our gateway products or Cloud solution.
In the meantime, here’s to a safe and secure National Cybersecurity Awareness Month!
References
[1] CybersecurityVentures.com. “Cybercrime to cost the world $10.5 trillion annually by 2025.” https://cybersecurityventures.com/cybercrime-damages-6-trillion-by-2021/. Accessed 6 October 2022.
[2] SecurityBoulevard.com. “How a Common API Vulnerability Might Have Cost Telco Optus $1 Million.” https://securityboulevard.com/2022/09/how-a-common-api-vulnerability-might-have-cost-telco-optus-1-million/. Accessed 6 October 2022.
[3] Reuters.com. “One password allowed hackers to disrupt Colonial Pipeline, CEO tells senators.” https://www.reuters.com/business/colonial-pipeline-ceo-tells-senate-cyber-defenses-were-compromised-ahead-hack-2021-06-08/. Accessed 6 October 2022.
[4] IBM.com. “X-Force Threat Intelligence Index 2022.” https://www.ibm.com/reports/threat-intelligence/. Accessed 7 October 2022.