Securing industrial IoT passwords: For Pete's sake, engineers, don't all jump in at once
If the networked kit needs to work for 10 years, you need to think policy
Comment Cybersecurity has become an increasing priority in operations technology thanks to the growing appetite for the industrial internet of things.
Operations technology (OT) is the term given to all those environments in industry, transport, automotive, city and utilities that – before industrial IoT – had been largely isolated from the outside world and, thus, protected from intruders.
Brexit or no Brexit, the UK is implementing an EU policy on the security of such systems via the Networks and Information Systems Directive, so securing OT is a necessity.
With that in mind, a technology and services pact has been signed between two UK outfits seeking to stop the "worst" from happening to elements considered part of the national critical infrastructure systems.
Privileged access management provider Osirium has partnered with aviation, rail and car cyber-security specialist Razor Secure to build and deliver a range of systems targeting industrial IoT applications including unattended operations, power and water plants, weather stations, manned and unmanned vehicles and other systems that could themselves be used as a gateway for "bad stuff" to hop onto a network.
The target market for this partnership is systems “designed well before deployment” and “required to operate for 10 years or more.”
The pair said Razor Secure’s machine learning algorithm would be used to hunt for process anomalies in endpoint security together with Osirium’s system administrator Privileged Access Management (PAM) for secure passwords, workflow and robotic process task automation.
What’s the password?
When it comes to people and processes, much is made of the vulnerabilities in IoT, but one issue that has to be addressed is password management. There is no need to operate complex attacks based on protocol weaknesses when a simple password will open the door.
This is a people problem - many people need access to many things and changing passwords is inconvenient.
According to Osirium chief technology officer Andy Harris, things have been going wrong from the outset when architects have designed systems where all critical plants are on their own network. The failures come where it is assumed that a firewall is good enough. This is a problem because firewall rules are source- and destination-based and if the attacker or meddler is coming from an allowed source and bouncing off destination systems, then the firewall is useless.
Harris likes the idea of a proxy-based technology that accepts an identity and connects to the IoT devices with a defined role. If that proxy also checks with the change ticket, so much the better, as you’re basically creating a digital equivalent of the physical locks.
Osirium’s approach is to separate people from passwords, cycle the passwords so they are highly complex and regularly changed, and control the tools that can be used for access.
“In the real world we have a ‘my lock’ ‘your lock’ situation. If I go to work on a pump I put my lock on the breaker, if you work on the motor you put your lock on the breaker. If I finish before you I can’t accidentally run a test because your lock is on the system,” Harris said.
“Testing gets more complex, but there are still locks. I have to issue a ‘sanction for test’ and then get a ‘permit to test’ then go to the pump (where I might find your lock). System design is crucial.
“Each system should be designed on the principle of local control/safety and global intelligence/control. If a control system tells an airbridge to move, but there is a local lockout – the local lockout takes precedence.”
The closest thing to “my lock your lock” in the software world is change tickets. These are procedures. They don’t stop mistakes but they could. If an engineer is only allowed access to a system when there is a change ticket there would be a degree of control. However, people then need the discipline to ensure the change ticket is accurate.
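An added sketch, not code from the article, Osirium or Razor Secure, of the ticket-gated proxy and the "my lock, your lock" rule described above. The class names, ticket fields and role names are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime

@dataclass(frozen=True)
class ChangeTicket:          # hypothetical ticket record, not a real product schema
    ticket_id: str
    engineer: str
    device: str
    role: str                # role the proxy assumes on the device
    start: datetime
    end: datetime

@dataclass
class AccessProxy:           # hypothetical policy; engineers never see device passwords
    tickets: list
    locks: dict = field(default_factory=dict)   # device -> engineers holding a lock

    def lock(self, engineer, device):
        self.locks.setdefault(device, set()).add(engineer)

    def unlock(self, engineer, device):
        self.locks.get(device, set()).discard(engineer)

    def authorize(self, engineer, device, role, now):
        """Deny by default; return (allowed, reason) for the audit log."""
        ticket = next((t for t in self.tickets
                       if (t.engineer, t.device, t.role) == (engineer, device, role)
                       and t.start <= now <= t.end), None)
        if ticket is None:
            return False, "no open change ticket for this identity, device and role"
        # Local lockout takes precedence: nobody tests while another lock is on.
        others = self.locks.get(device, set()) - {engineer}
        if role == "test" and others:
            return False, "locked out by " + ", ".join(sorted(others))
        return True, "ticket " + ticket.ticket_id

# Constructed sample data: two engineers working on the same pump.
DAY = datetime(2024, 1, 15)
PROXY = AccessProxy(tickets=[
    ChangeTicket("CHG-1", "alice", "pump-7", "test", DAY.replace(hour=9), DAY.replace(hour=11)),
    ChangeTicket("CHG-2", "bob", "pump-7", "maintain", DAY.replace(hour=9), DAY.replace(hour=12)),
])

if __name__ == "__main__":
    PROXY.lock("bob", "pump-7")
    for who, role, hour in [("alice", "test", 10), ("bob", "maintain", 10),
                            ("alice", "test", 12), ("mallory", "test", 10)]:
        print(who, role, hour, PROXY.authorize(who, "pump-7", role, DAY.replace(hour=hour)))
```

The check is only as good as the ticket data it reads, which is the discipline problem the article raises: an inaccurate ticket grants the wrong window, device or role.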
The trouble comes from managers who make decisions about what to connect to the internet who don't understand or have not bothered to consider the risks.
“What really worries me is when I hear phrases like: ‘That will add cost to the system', or: ‘We haven’t got time to do that many checks’ and: 'No one ever writes up a ticket properly’.”
His advice when it comes to building industrial IoT? “In software, design for worst intent.” ®