This is the first of a two-part series of blog posts covering the challenges of securing Industrial IT infrastructures. This part covers:
Why is Industrial IoT such a big cybersecurity challenge?
The answer is hidden in what Industrial Internet of Things actually is. IIoT generally refers to interconnected sensors, instruments, devices and industrial applications like manufacturing and energy management. This connectivity enables data collection, exchange and analysis, and aims to improve productivity and efficiency. We need to delve deeper into this definition by clarifying another 2 important concepts: industrial control systems (ICS) and operational technology (OT).
ICS and OT are the realms of Supervisory Control and Data Acquisition (SCADA) systems, distributed control systems (DCS), Remote Terminal Unit (RTU) and programmable logic controllers (PLC). ICS and OT are not new concepts, and many of their underlying technologies and protocols are as old as the Internet itself. The architectural models that have traditionally governed ICS and OT define a clear separation or “air-gap” between industrial control and general IT infrastructure. In the Purdue Model, the air-gap, or demilitarized zone, is placed between Zone 3 and Zone 4 (Figure). This air-gap is important to ensure the security of Operation Technology.
Over time, industry experts figured out that by-passing the air-gap and connecting OT with IT and the Internet could bring organizations even more benefits, like lower costs, and increased performance, productivity and agility. And so, Industrial IoT, or Industry 4.0, was born.
For all its benefits, though, the convergence of OT and IT creates a huge problem: security. Relying on clear separation of the world, the decade-old OT equipment and control systems were not designed with built-in security mechanisms, let alone Internet-ready. OT networks are much more complex, less standardized and more diverse than IT networks. A myriad of technologies and communication protocols, many of them proprietary, are not designed to support modern cyber security mechanisms.
Today, we have a handful of fundamental security problems with OT:
The gradual IT/OT convergence and the development of industrial IoT have spawned new risk scenarios. Historically speaking, attacks on ICS systems have been occurring since the 1990s. The Stuxnet attack in 2010 was highly publicized, highlighting what could happen when ICS systems are compromised. The last three years have seen a significant escalation of IIoT-related cyber events like: