A consortium of some of the largest multinational corporations in the world has published a guide to help its members and other companies ensure cybersecurity is top of mind as more and more industrial systems are connected to the internet.
“A successful [cyber] attack on an [industrial internet of things] system has the potential to be as serious as the worst industrial accidents,” like Chernobyl or Bhopal, states the Industrial Internet of Things Security Framework, out this week.
It says the results of such an attack would be comparable to “large natural disasters, but stemming from malicious intent.”
“The distinguishing aspect of the industrial internet of things … is that it’s about physical infrastructure” like the power grid, transit systems and chemical plants or oil refineries, Hamed Soroush told Cyberscoop. Soroush is a research security engineer at Real-Time Innovations, Inc., and co-chair of the security working group of the Industrial Internet Consortium, or IIC, which published the framework Monday.
As a result, “If you look at the consequences [of a successful cyber attack] … it’s pretty scary.”
The IIC was founded by AT&T, Cisco, GE, IBM and Intel in March 2014, and now has 250 members, including Bosch, EMC, Hitachi, Microsoft, Siemens, SAP and Toshiba.
The security framework is the third in a series of foundational documents it has published. The first two were the Industrial Internet of Things Reference Architecture and the Industrial Internet Vocabulary Technical Report, both published last year.
The security framework contains “guidance on challenges and suggestions on best practices,” said Soroush.
“I hope that this document will help show where the gaps are” in IIoT cybersecurity standards, he said. “It shows what kind of standards we might need.”
Since the discovery of the Stuxnet worm, which successfully attacked the computerized industrial machinery refining uranium for the Iranian nuclear program, there’s been growing concern about networked industrial equipment — most of which was designed without security being a consideration.
Now, those industrial control systems, or ICS, are increasingly connected to the internet and vulnerable for a number of reasons. ICS systems are much more difficult to patch than conventional IT, because the machinery they control often has to run 24 hours a day.
“You can’t just take the power grid offline for a few hours to patch it,” said Soroush.
There’s a huge cultural divide, he said, between the worlds of ICS or operational technology, OT, on the one hand and IT on the other. “It’s a totally different mindset,” he explained.
For the OT tribe, trustworthiness was about “safety, reliability and availability … Security was about gates and locks.”
“The assumption was that these systems were isolated or air-gapped” from the internet, he said. Now, increasingly, they’re being connected to IT networks and to the cloud, to accomplish things like predictive maintenance — using big data from the factory floor and computer algorithms to work out which components are the most likely to break next.
“There is a huge economic value in that, and a huge economic drive” to make that happen, he said. “But when you do that, you increase the attack surface,” and make it possible for bad actors to exploit systems that were built on the assumption that only authorized users would ever be able to reach them.
While the OT tribe need to think differently about security, the IT tribe needs to take security much more seriously, because, with IIoT, the stakes were so much higher, Soroush said, slamming the “rush to market attitude” of some software developers.
He said change was happening, but questioned whether is was happening fast enough to keep pace with the expanding attack surface.
“We are moving in the right direction,” he said, “The question is, is it fast enough?”