Securing critical infrastructure all the way to the top

Protecting myriad connected devices will require a holistic approach to security risks

As more and more objects are connected, communicate and interact with each other, in what is labelled the internet of things (IoT), they become building blocks in larger systems. Known and unknown vulnerabilities in this wealth of objects are bound to attract cyber attacks that can bring down entire critical installations in many countries. Protection of IoT components against cyber threats, as well as of the systems that integrate them, is fast becoming a key priority. 

Industrial IoT (IIoT) encompasses many critical sectors such as smart grids, smart cities or smart factories

Of connected toys and appliances

IoT devices are present everywhere in rapidly increasing quantities. US research and advisory firm Gartner forecasts that their number will increase from 8,3 billion units in 2017 to 20,4 billion in 2020, with spending on these to reach nearly USD three trillion.

Firms that produce consumer goods always look for new products to boost sales. The fairly recent introduction of connectivity into a variety of objects, made possible by the falling price of electronic components and of wireless technologies, has been behind the drive by many companies to produce a wide range of connected consumer products, such as web-connected toys and large household appliances like fridges, washing machines, dish washers and smart TV sets.

Very often, little or no attention is paid at the design stage to ensure these connected objects are secure against malicious attacks. 

The shape of more serious things to come

While reports of talking dolls being able to eavesdrop on their users or of connected fridges sending thousands of spam emails may bring a smile to many as they concern mainly privacy issues, the implications could actually be very serious as so-called smart devices are rolled out in homes and industries.

On occasion, large numbers of connected objects, such as fridges, webcams, CCTV cameras and video recorders, have been infected with malware and forcibly networked together to create so-called botnets. These have been used to mount distributed denial of service (DDoS) attacks to take down large websites. This was the case in October 2016 with a DDoS attack that blocked access to many popular websites like Netflix, Twitter and Spotify and to several broadcast and print media outlets, such as CNN, Fox News, the Financial Times and The New York Times.

However, the impact of DDoS attacks could be overrated, according to Professor Isaac Ben-Israel from Tel Aviv University. He told participants in a roundtable event at the 2017 Verizon RSA Conference that “DDoS attacks get media coverage that’s disproportional to the amount of damage they do. There are two million DDoS attacks in Israel a day. You never hear about them because the success rate is so low and they’re relatively simple to defend against.”

However, much more serious attacks can be mounted through connected devices. 

The IoT environment is complex…

The IoT environment consists of two very different worlds: the consumer IoT and the industrial IoT (IIoT).

The consumer IoT includes devices and systems such as “smart” phones, wearables, appliances and multimedia equipment, as well as some gear used in smart homes, like connected alarms, smart thermostats, lighting, and heating, ventilation and air conditioning (HVAC) control systems.

The industrial IoT (IIoT) world covers applications in smart grids, smart cities, smart mobility, smart factories, healthcare services and, increasingly, smart farming. As such it encompasses many critical sectors.

Another difference is that IIoT, unlike consumer IoT, brings together two different technologies: operational technology (OT) and information and communication technology (ICT), each one covering different yet sometimes overlapping domains.

OT covers the use of computers to monitor or alter the physical state of a system, such as the control systems of industrial or power installations. It focuses, to a great extent, on safety (i.e., ensuring that processes and operations are reliable and comply with laws and standards and that the safety of workers and other people is guaranteed).

ICT has much to do with the security of physical assets (protecting equipment against malfunctions, malicious or irresponsible actions, warning of possible failure or of the necessity for preventative maintenance, etc.) and of processes.

OT and ICT intersect in IIoT.

Rather than mentioning IoT in general, one should speak of the internet of everything with connections between people, process, data and things. Connectivity is inseparable from material “things” and from the rest. Connectivity includes transport, network, data link protocols and technologies, wireless (e.g. Bluetooth, ZigBee, radio-frequency identification (RFID), etc.) and physical infrastructure (cables, routers, etc.). 

Targeting critical infrastructure, the next frontier

It is essential to differentiate between critical and non-critical systems and infrastructure. One could argue that consumer IoT systems and devices are critical only at an individual or small-scale level. Cyber attacks against them are serious for those directly concerned, but not vital to a larger population. If malicious actions target home thermostats or automated blinds, this can be annoying for users. In the worst case scenario, these attacks may open hidden gateways (e.g. door locks), but they do not bring down entire systems, which would affect a country’s ability to function normally: the so-called critical infrastructure.

The perception of which areas are considered parts of a country’s critical infrastructure varies from country to country. For the US government, and increasingly for many other governments, "critical infrastructure means systems and assets, whether physical or virtual, so vital (…) that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters." (Executive Order 13636, 12 Feb 2013) 

The sectors/systems mentioned in this Executive Order seen as most at risk include:

  • Energy supply (generation, transmission and distribution)
  • Financial services
  • Industrial control systems
  • Healthcare
  • Telecommunications
  • Information technology (IT)
  • Insurance

These sectors/systems are attractive targets for rogue attackers, state and non-state actors and for criminals bent on damaging a country or on making financial gains.

Critical installations such as power networks are often insufficiently protected in many countries. Details emerged in 2014 of a series of attacks on the industrial control systems of hundreds of US and European energy companies, which started in early 2013. Power cuts that affected parts of Ukraine’s power grid in December 2015 and December 2016 were identified as having resulted from cyber attacks using malware that exploited communications protocols. Smart cities, which rely on connected “things” and systems, will likely also be targets of choice for cyber attacks.

International Standards are key to the protection of critical infrastructure

International Standards are central to the protection of critical infrastructure assets against cyber attacks. They are prepared by a number of IEC technical committees (TCs) and subcommittees (SCs), and by ISO/IEC JTC 1/SC 27: IT security techniques, an SC of the joint technical committee formed by the IEC and the International Organization for Standardization (ISO), which is responsible for the ISO/IEC 27000 series.

In addition, ISO/IEC JTC 1/SC 27 has set up a working group, WG 4: Security controls and service, which works on domains such as cyber security, IoT, cloud computing, public key infrastructure, application security, incident management and virtualisation.

The following IEC TCs and SCs prepare International Standards that protect specific domains and keep industry and critical infrastructure assets safe:

IEC TC 57: Power systems management and associated information exchange, develops, among many others, the IEC 61850 series of publications for communication networks and systems for power utility automation, and the IEC 60870 series for telecontrol equipment and systems.

IEC TC 65: Industrial-process measurement, control and automation, prepares publications that specify security requirements for industrial automation and control systems (IACS) in the IEC 62443 series.

IEC SC 45A: Instrumentation, control, and electrical systems of nuclear facilities, has issued two publications on requirements for security programmes for computer-based systems and on requirements for coordinating safety and cybersecurity. It is developing more publications connected to cyber security for nuclear facilities.

IEC TC 62: Electrical equipment in medical practice, and its SCs, develops Standards that are intended to protect medical data security, integrity and privacy.

IEC TC 80: Maritime navigation and radiocommunication equipment and systems, has developed IEC 61162-450:2016, which states that “a shipboard security architecture should comply with information security industry’s best practices”. It has also published an add-on to this Standard, IEC 61162-460:2015, to expand requirements “when higher safety and security standards are needed, e.g. due to higher exposure to external threats or to improve network integrity”.

Finally, the newly created ISO/IEC JTC 1/SC 41: Internet of things and related technologies, has initiated a study period on IoT trustworthiness. Trustworthiness is a user-oriented systems engineering concept that encompasses all the attributes that would make a system trustable. These include security, availability, sustainability, safety, resilience and privacy.

Using IoT to target the critical top layers

The multiplication of IoT systems and devices (like sensors, connectivity modules, etc.) in parts of critical infrastructure sectors opens the way to cyber attacks and to potentially significant disasters.

A 2014 study by the HP Inc. technology company claimed that 70% of IoT devices were vulnerable to attack. The report listed the most common and easily addressable security issues found in these IoT devices. They included lack of transport encryption, insecure web interface and inadequate software protection.

IoT devices are often not the target of cyber attacks as such; they are the vector for targeting the network(s)/installation(s) to which they are connected. Since many IoT devices are vulnerable, they often represent the weakest link in an installation and present major security risks for critical infrastructure systems.

According to Kudelski Security's IoT Security Center of Excellence, other issues that may prevent the introduction of secure IoT devices across the board are:

  • the priority given to bringing devices to market quickly, rather than to ensuring they are fully secure
  • an absence of proper regulations, directives or even guidance from authorities or regulators
  • a lack of upgradeability of IoT devices, in spite of their long lifecycle
  • the entire low power wide area network (LPWAN) value chain – from module and device manufacturers to connectivity and platform providers, integrators and customers – that throws open the way to a wide range of threat scenarios. 

Security is important to the overall success of IoT. This is reflected in the expected robust compound annual growth rate (CAGR) of 34,4% of the IoT security market size between 2017 and 2022. This market is forecast to grow from USD 6,62 billion to USD 29,02 billion over this period, according to a recent report by the MarketsandMarkets™ research company.

Network security (wireless communication and remote access security, and gateway) will be the largest segment of this market, the report shows.

IoT security should be designed into systems (including wireless equipment) from the beginning, rather than being added as an afterthought or as an optional add-on.

Some vendors provide a variety of answers. These start with secure chips, such as those made by Germany’s semiconductor manufacturer Infineon, with embedded authentication, brand protection and other security applications, and extend all the way up to end-to-end secure solutions for connecting devices to the Cloud, such as Microsoft’s Intel® IoT Platform.

In addition to secure IoT devices, the overall security of connected critical installations and assets will rest, to a growing extent, on International Standards, such as those prepared by various IEC TCs and SCs and by ISO/IEC JTC 1/SC 27.