How AI can make industrial lights shine • The Register
Sponsored Feature: Internet connectivity has changed everything, including old-school industrial environments. As companies modernize their operations, they connect more of their machines to the web. That creates clear and present security issues, and the industry needs new approaches to deal with them.
Industrial Internet of Things (IIoT) adoption is accelerating. A study by Inmarsat found that 77% of organizations surveyed have fully deployed at least one IIoT project, with 41% having done so between the second quarters of 2020 and 2021.
The same study also warned that security was a major concern for companies embarking on IIoT deployments, with 54% of respondents complaining that it prevented them from using their data effectively. Half also cited the risk of external cyberattacks as an issue.
IIoT solutions are essential to the convergence of IT and OT (operational technology). OT platforms, often industrial control systems (ICS), help companies manage their physical devices like the presses and conveyor belts that power manufacturing output or the valves and pumps that keep municipal water flowing.
In doing so, they generate huge amounts of useful data for analysis. But integrating that information into the right business tools means bridging the gap between IT and OT.
Operators also want these OT systems to be accessible remotely. Giving conventional IT applications the ability to control these devices means that they can be tied to the same back-end processes defined in IT systems. And enabling remote access for technicians who can’t or won’t drive a mile round trip just to make an operational change can also save time and money.
This need for remote access was heightened during the COVID-19 crisis when social distancing and travel restrictions prevented technicians from making any site visits. Inmarsat found the pandemic to be a root cause of accelerated IIoT adoption, for example, with 84% saying they have or will accelerate their projects in direct response to the pandemic.
So, for many, the convergence of IT and OT is more than convenience; it is essential. But it also created a perfect storm for security teams. An ICS system accessible from the outside increases the attack surface for hackers.
ICS attacks in action
Sometimes this IT/OT convergence can be as simple as someone installing remote access software on a PC in a facility. This is the configuration that let hackers reach the control systems at the municipal water plant in Oldsmar, Florida in 2021 through an installed remote access tool, before they tried to poison local residents with sodium hydroxide. The PC the attacker compromised had access to the plant's OT equipment. The town sheriff reported that the unseen intruder had moved the mouse cursor on screen in front of one of the plant's employees.
It’s unclear what prompted the hackers to try to poison innocent Floridians, but some attacks have financial motives. An example is the EKANS ransomware attack that hit Honda in June 2020, shutting down manufacturing operations in the UK, US and Turkey.
Attackers used EKANS ransomware to target the company's internal servers, causing major disruptions in its factories. In its analysis of the attack, cybersecurity firm Darktrace explained that EKANS is a new type of ransomware. Ransomware that targets OT networks normally does so by first compromising conventional IT equipment and then pivoting into the OT side. EKANS is relatively rare in that it directly targets the ICS infrastructure: it can target up to 64 specific ICS systems in its kill chain.
Experts believe other ICS attacks are state-sponsored. The Triton malware, first targeted at petrochemical plants in 2017, is still a threat according to the FBI, which attributes the attacks to Russian state-backed groups. This malware is particularly dangerous, according to the Bureau, because it has caused physical damage, environmental impact and loss of life.
Standard security solutions will not work here
Traditional cybersecurity approaches are not effective in resolving these OT vulnerabilities. Companies could use endpoint security tools, including anti-malware, to protect their PCs. But what if the endpoint was a programmable logic controller, an AI-enabled video camera, or a light bulb? These devices often lack the ability to run software agents capable of verifying their internal processes. Some may not have processors or data storage facilities.
Even if an IIoT device had the processing bandwidth and power capabilities to support an embedded security agent, the custom operating systems it uses would likely not support generic solutions. IIoT environments often use multiple device types from different vendors, creating a diverse portfolio of non-standard systems.
Then there is the issue of scale and distribution. Administrators and security professionals used to managing thousands of standard PCs on a network will find an IIoT environment, where sensors can number in the hundreds of thousands, very different. They can also spread over a wide area, especially as high-tech computing environments become more popular. They may limit their network connections in some more remote environments to save power.
Assessing traditional ICS protection frameworks
If conventional IT security setups can’t meet these challenges, then perhaps OT-centric alternatives can? The benchmark standard model is the Purdue Cybersecurity Model. Created at Purdue University and adopted by the International Society of Automation as part of its ISA 99 standard, it defines several levels describing the computing and ICS environment.
Level zero deals with the physical machines – the lathes, industrial presses, valves and pumps that make things happen. The next level up covers the intelligent devices that manipulate these machines: the sensors that relay information from the physical machines and the actuators that control them. Above that sit the supervisory control and data acquisition (SCADA) systems that supervise these machines, such as programmable logic controllers.
These devices connect to higher-level manufacturing operations management systems that run industrial workflows. These machines ensure the optimal functioning of the plant and record its operating data.
At the higher levels of the Purdue model are enterprise systems that fall squarely within the realm of IT. The first level here contains production-specific applications such as enterprise resource planning, which manages production logistics. Then at the highest level is the enterprise network, which collects data from ICS systems to drive business reporting and decision making.
Previously, when nothing was communicating with anything outside the network, it was easier to manage ICS environments using this approach because administrators could segment the network along its boundaries.
A Demilitarized Zone (DMZ) layer was deliberately added to support this type of segmentation, located between the two enterprise layers and the ICS layers further down the stack. It acts as an air gap between the enterprise and ICS domains, using security devices such as firewalls to control traffic between them.
Not all IT/OT environments will have this layer, however, as ISA only introduced it relatively recently. Even those that do face challenges.
Today’s operating environments are different from those of the 1990s, when the Purdue model first evolved and the cloud as we know it didn’t exist. Engineers want to connect directly to onsite management operations or SCADA systems. Suppliers may want to monitor their smart devices at customer sites directly from the Internet. Some companies aspire to move their entire SCADA layer to the cloud, as Severn Trent Water decided to do in 2020.
The evolution of third-party managed ICS as a Service (ICSaaS) has further muddied the waters for security teams struggling with IT/OT convergence. All of these factors risk opening up multiple holes in the environment and circumventing any prior segmentation effort.
Cut through all the tangled mess
Instead, some companies are taking new approaches that venture beyond segmentation. Rather than relying on rapidly disappearing network perimeters, they examine traffic at the device level in real time. This is not far from the original de-perimeterization proposals put forward by the Open Group's Jericho Forum in the early 2000s, but analyzing traffic at so many different points in the network was difficult then. Today, defenders are better able to keep a watchful eye thanks to the advent of AI.
Darktrace applies some of these concepts within its industrial immune system. Instead of monitoring known malicious signatures at network segment boundaries, it starts by learning what is normal everywhere in the IT and OT environment, including all parts of that environment hosted in the cloud.
Having established a rolling baseline of normal behaviour, the service then inspects all traffic to detect any activity that does not fit that baseline. It can alert administrators and security analysts to these issues, as it did for a European industrial customer.
The service can also act autonomously. When a client is confident enough in its decisions to flip the switch, the immune system can move from merely alerting to taking proportional action. This can mean blocking certain forms of traffic, enforcing normal device behavior, or in severe cases, completely quarantining systems, including equipment at the OT/ICS layers.
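One way to sketch the baseline-then-proportional-response idea described above, as an added example that is not Darktrace's code: it learns which peers and ports each device talks to from constructed flow records, then grades every later flow as ok, alert, block or quarantine. The host addresses, zone assignments and ports are assumptions made for the illustration.

```python
from collections import defaultdict

# Assumed zone map for a small IT/OT network (hypothetical addresses).
ZONES = {
    "10.0.1.10": "ot",  # PLC
    "10.0.1.20": "ot",  # HMI / SCADA server
    "10.0.1.30": "ot",  # engineering workstation
    "10.0.2.5": "it",   # historian in the IT segment
}

# Constructed learning-phase flows: (src, dst, dst_port).
LEARNING_FLOWS = [
    ("10.0.1.20", "10.0.1.10", 502),   # HMI polls PLC over Modbus/TCP
    ("10.0.1.20", "10.0.1.10", 502),
    ("10.0.2.5", "10.0.1.20", 1433),   # historian pulls data from HMI database
]

# Constructed live flows to be judged against the baseline.
LIVE_FLOWS = [
    ("10.0.1.20", "10.0.1.10", 502),     # routine polling
    ("10.0.1.20", "10.0.1.10", 44818),   # known peer, protocol never seen
    ("10.0.1.10", "203.0.113.7", 443),   # PLC reaching outside the plant
    ("10.0.2.5", "10.0.1.10", 502),      # IT host talking straight to the PLC
    ("10.0.1.20", "10.0.1.30", 502),     # new peer inside the OT zone
]

def learn_baseline(flows):
    """Per-source record of peers and of (peer, port) pairs seen while learning."""
    peers, pairs = defaultdict(set), defaultdict(set)
    for src, dst, port in flows:
        peers[src].add(dst)
        pairs[src].add((dst, port))
    return {"peers": peers, "pairs": pairs}

def zone_of(host):
    """Hosts absent from the zone map are treated as external."""
    return ZONES.get(host, "external")

def assess(flow, baseline):
    """Map one flow to a proportional response: ok, alert, block or quarantine."""
    src, dst, port = flow
    if (dst, port) in baseline["pairs"][src]:
        return "ok"
    if dst in baseline["peers"][src]:
        return "block"        # known peer, unseen protocol: enforce normal behaviour
    if {zone_of(src), zone_of(dst)} == {"ot", "external"}:
        return "quarantine"   # OT asset in contact with the outside: severe
    if zone_of(src) != zone_of(dst):
        return "block"        # new cross-zone path, e.g. IT host reaching a PLC
    return "alert"            # new peer within the same zone: analyst review

def triage(flows, baseline):
    """Group live flows by the action the model would take."""
    out = defaultdict(list)
    for flow in flows:
        out[assess(flow, baseline)].append(flow)
    return dict(out)
```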
Darktrace executives hope that this shift to a more granular model of constant, pervasive traffic analysis, combined with real-time assessment against known normal behavior, will help thwart the rising tide of ICS cyberattacks. It is hoped that this will also enable businesses to become more agile, supporting remote access and cloud-based ICS initiatives. Going forward, you won’t have to risk someone turning off the lights in your quest to keep the lights on.
Sponsored by Darktrace