Analyzing the Growing Number of IIoT Device Hacks
Breaking down these vulnerabilities will be key to prioritizing and optimizing security.
Manufacturers continue ramping up their procurement and deployment of Industrial Internet of Things (IIoT) equipment, sensors, and devices—and with good reason. Successful modernization depends on optimized supply chains, predictive maintenance, streamlined operating expenses, and other IIoT-device-enabling changes that directly affect manufacturers’ bottom lines.
Yet for many, the rush into an IIoT future has left security on the back burner. Even with ongoing IT/OT integration projects, gaps and unmanaged devices remain, so manufacturers need to understand today’s risk and what to do about it. Understanding the most current IIoT cyberattack pathways—and best practices for reducing risk—is critical for manufacturers to withstand increasing attacks without sacrificing the operational and business gains they’re now achieving.
The Many Faces of IIoT Attacks
Cybersecurity threats are constantly evolving and increasing in sophistication and effectiveness, but the shape of these approaches is nothing new. The bad guys tend to stick with what works, with some new wrinkles.
- Ransomware. Ransomware offers cyberattackers a 2-for-1 special: they can encrypt data to lock down a manufacturer’s systems until they receive a ransom, and they can threaten to release exfiltrated data on the dark web unless they receive that payoff. Even if a manufacturer’s data backups and recovery strategies are up to the challenge, that second threat still stands.
- Malware. Malware (call it a cousin of ransomware) enables IIoT infrastructure attackers to run particularly nasty software that collects login credentials or controls IIoT device behavior. Botnet malware can make IIoT devices part of large-scale Denial-of-Service (DoS) attacks. Info-stealer malware enables attackers to collect network authorizations, test for weak passwords to potentially elevate their unauthorized access, and impersonate users to ultimately steal data or damage systems.
- Eavesdropping. Critically, many IIoT devices deployed by manufacturers don’t include many of the relatively basic security protections found in other enterprise IT devices. These devices do, nevertheless, connect to the internet—allowing for device- and network-level risks of eavesdropping attacks. For example, replay attacks allow attackers to capture legitimate messages from wireless networks and then resend those messages whenever they want. If a factory floor worker sees a legitimate message directing them to re-perform an action, they likely will, which can create havoc. Man-in-the-middle eavesdropping attacks are even more dangerous: in this case, the attacker captures messages between devices before sending them on, and can alter those messages (or send others) as well.
- SQL Injection. Manufacturers use IIoT devices to send valuable data to web applications. In a SQL injection attack, the attacker submits crafted input to a vulnerable application that handles IIoT data; the application folds that input into a database query, and the database returns potentially sensitive data to the application, where the attacker receives it.
- Supply Chain Attacks. IIoT devices lack official security standards, and some even include hardcoded default credentials that attackers can easily exploit. They often don’t receive traditional software and firmware support to patch vulnerabilities, inviting attackers to exploit those avenues of attack or to hijack firmware updates to introduce malware. Attackers can then use that malware to disrupt supply chains, putting manufacturers in a perilous position.
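To make the SQL injection item concrete, here is an added example (not code from the article or from Asimily) of a telemetry lookup written two ways: one that splices the device identifier into the query text, and one that allow-lists the identifier format and binds it as a parameter. The table, device names and naming scheme are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample telemetry table standing in for the web application's database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE telemetry (device_id TEXT, reading REAL, site TEXT)")
    conn.executemany(
        "INSERT INTO telemetry VALUES (?, ?, ?)",
        [("plc-01", 71.2, "line-a"), ("plc-02", 68.9, "line-b"), ("sensor-09", 12.5, "line-a")],
    )
    return conn

def readings_vulnerable(conn, device_id):
    # Defect on purpose: the device identifier is spliced into the SQL text,
    # so input containing quotes and operators is executed as part of the query.
    sql = f"SELECT device_id, reading FROM telemetry WHERE device_id = '{device_id}'"
    return conn.execute(sql).fetchall()

DEVICE_ID_RE = re.compile(r"^[a-z0-9-]{1,32}$")  # assumed naming scheme for device identifiers

def readings_hardened(conn, device_id):
    # Allow-list the identifier format first, then bind it as a parameter so the
    # driver hands it to the database as data rather than as query text.
    if not DEVICE_ID_RE.match(device_id):
        raise ValueError("malformed device identifier")
    sql = "SELECT device_id, reading FROM telemetry WHERE device_id = ?"
    return conn.execute(sql, (device_id,)).fetchall()

def compare(device_id):
    """Run the same input through both handlers; returns (vulnerable_rows, hardened_rows_or_error)."""
    conn = make_db()
    vuln = readings_vulnerable(conn, device_id)
    try:
        hard = readings_hardened(conn, device_id)
    except ValueError as exc:
        hard = str(exc)
    return vuln, hard

if __name__ == "__main__":
    print(compare("plc-01"))         # both handlers return plc-01's single reading
    print(compare("x' OR '1'='1"))   # textbook tautology: only the vulnerable handler leaks every row
```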
Taming the Untamed
Manufacturers are currently the most targeted industry for IoT attacks, as our recent report uncovered. The industry tends to tick a lot of boxes for attackers:
- Valuable intellectual property.
- Proprietary designs.
- Slow-to-catch-up IIoT security practices.
A holistic IIoT security strategy must address the unique challenges of safeguarding IIoT devices and equipment, as these deployments present an expansive attack surface that will only continue to grow. A better approach to IIoT security begins with identifying all devices, inspecting traffic packets with a passive scanner (since that won’t disrupt IIoT devices), and assessing device vulnerability risks. Running passive packet inspection will profile each unique IIoT device. Security teams can then integrate device profiles with vulnerability scanners, network access control (NAC) tools, and the manufacturer’s configuration management database to arrive at a comprehensive risk score for each device.
This visibility sets the stage for successfully identifying devices with vulnerabilities and prioritizing risk. It’s a crucial but misunderstood point: vulnerabilities are not synonymous with risk.
Manufacturer security teams using IIoT devices will inevitably have finite resources with which to address IIoT device vulnerabilities. Recognizing which vulnerabilities attackers are actually likely to exploit—and that actually represent dangers to operations and safety—helps prioritize and optimize the effectiveness of security efforts. Analyzing device security data, open source software components, the criticality of vulnerabilities, and the most current and popular attack methods will inform this prioritization.
Where devices are vulnerable and don’t have available patches, manufacturers should put controls in place that nevertheless mitigate risk. This can mean deactivating unneeded services, blocking high-risk services, updating configurations to harden the device, or leveraging microsegmentation (useful when configuration changes would impact device operations).
As an essential practice, manufacturers should introduce continuous monitoring of IIoT devices and networks to recognize anomalous behavior that could signal attack activity—and then integrate that monitoring with detection and response system alerts. Teams should monitor and conduct security analysis on technical forensic data such as server RAM, network device traffic, and FTP server data transfers. Additionally, network packet data capture capabilities make pinpointing the root of an attack that much quicker.
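An added example of the monitoring idea (not the article’s or Asimily’s code): a small detector run over constructed FTP transfer log lines that flags a device sending data to a peer outside its known collector, or moving far more data than its baseline. The log format, the allowed collector address and the per-device byte ceilings are all assumptions.

```python
import re

# Constructed sample FTP transfer records (not real captures):
# timestamp, device, operation, peer address, bytes transferred.
SAMPLE_LOG = """\
2024-05-01T08:00:12 plc-01 STOR 10.20.1.5 2048
2024-05-01T08:05:40 plc-01 STOR 10.20.1.5 2112
2024-05-01T08:10:03 plc-02 STOR 10.20.1.5 1980
2024-05-01T23:41:55 plc-01 STOR 198.51.100.7 52428800
2024-05-01T23:42:10 sensor-09 RETR 10.20.1.5 512
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (STOR|RETR) (\S+) (\d+)$")

# Assumed baseline from passive profiling: the plant's only legitimate FTP collector,
# and the largest single transfer each device normally produces.
ALLOWED_PEERS = {"10.20.1.5"}
MAX_BYTES = {"plc-01": 4096, "plc-02": 4096, "sensor-09": 1024}

def parse(log):
    """Parse log text into event dicts, skipping lines that do not match the format."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, dev, op, peer, nbytes = m.groups()
            events.append({"ts": ts, "device": dev, "op": op, "peer": peer, "bytes": int(nbytes)})
    return events

def detect(events):
    """Return (timestamp, device, peer, reasons) for every event that deviates from baseline."""
    alerts = []
    for e in events:
        reasons = []
        if e["peer"] not in ALLOWED_PEERS:
            reasons.append("transfer to unknown peer")
        if e["bytes"] > MAX_BYTES.get(e["device"], 0):
            reasons.append("volume above device baseline")
        if reasons:
            alerts.append((e["ts"], e["device"], e["peer"], reasons))
    return alerts

if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```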
Attackers are increasingly eager to exploit vulnerable IIoT deployments that make it far too easy to cause harm. But by prioritizing IIoT security as much as IIoT adoption—and by understanding and mitigating the most immediate, real, and dangerous risks—manufacturers can assuage security fears while still benefiting from all of IIoT’s modernization advantages.
Written by: Shankar Somasundaram, CEO Asimily, for IMPO Magazine.