Securing industrial IoT passwords: For Pete's sake, engineers, don't all jump in at once

If the networked kit needs to work for 10 years, you need to think policy


Comment Cybersecurity has become an increasing priority in operations technology thanks to the growing appetite for the industrial internet of things.

Operations technology (OT) is the term given to all those environments in industry, transport, automotive, city and utilities that – before industrial IoT – had been largely isolated from the outside world and, thus, protected from intruders.

Brexit or no Brexit, the UK is implementing an EU policy on the security of such systems via the Networks and Information Systems Directive, so securing OT is a necessity.

With that in mind, a technology and services pact has been signed between two UK outfits seeking to stop the "worst" from happening to elements considered part of the national critical infrastructure systems.

Privileged access management provider Osirium has partnered with aviation, rail and car cyber-security specialist Razor Secure to build and deliver a range of systems targeting industrial IoT applications including unattended operations, power and water plants, weather stations, manned and unmanned vehicles and other systems that could themselves be used as a gateway for "bad stuff" to hop onto a network.

The target market for this partnership is systems “designed well before deployment” and “required to operate for 10 years or more.”

The pair said Razor Secure’s machine learning algorithm would be used to hunt for process anomalies in endpoint security together with Osirium’s system administrator Privileged Access Management (PAM) for secure passwords, workflow and robotic process task automation.

What’s the password?

When it comes to people and processes, much is made of the vulnerabilities in IoT, but one issue that has to be addressed is password management. There is no need to operate complex attacks based on protocol weaknesses when a simple password will open the door.

This is a people problem - many people need access to many things, and changing passwords is inconvenient.

According to Osirium chief technology officer Andy Harris, things have been going wrong from the outset when architects have designed systems where all critical plants are on their own network. The failures come where it is assumed that a firewall is good enough. This is a problem because firewall rules are source- and destination-based and if the attacker or meddler is coming from an allowed source and bouncing off destination systems, then the firewall is useless.

Harris likes the idea of a proxy-based technology that accepts an identity and connects to the IoT devices with a defined role. If that proxy also checks with the change ticket, so much the better, as you’re basically creating a digital equivalent of the physical locks.

Osirium’s approach is to separate people from passwords, cycle the passwords so they are highly complex and regularly changed, and control the tools that can be used for access.

“In the real world we have a ‘my lock’ ‘your lock’ situation. If I go to work on a pump I put my lock on the breaker, if you work on the motor you put your lock on the breaker. If I finish before you I can’t accidentally run a test because your lock is on the system,” Harris said.

“Testing gets more complex, but there are still locks. I have to issue a ‘sanction for test’ and then get a ‘permit to test’ then go to the pump (where I might find your lock). System design is crucial.

“Each system should be designed on the principle of local control/safety and global intelligence/control. If a control system tells an airbridge to move, but there is a local lockout – the local lockout takes precedence.”

The closest thing to “my lock your lock” in the software world is change tickets. These are procedures. They don’t stop mistakes but they could. If an engineer is only allowed access to a system when there is a change ticket there would be a degree of control. However, people then need the discipline to ensure the change ticket is accurate.
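The proxy-with-a-role idea above and the "my lock, your lock" / change-ticket gating can be modelled as one access decision. The following is an added, constructed example (not the article's, Osirium's or Razor Secure's code); the class and field names are hypothetical, and the change tickets are assumed to come from a separate change system.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Constructed, hypothetical model of a PAM-style access proxy (example code,
# not Osirium's or Razor Secure's product). Identities map to roles, roles to
# devices, and a session is only brokered while a change ticket is open.

@dataclass(frozen=True)
class ChangeTicket:
    ticket_id: str
    engineer: str
    device: str
    start: datetime
    end: datetime

@dataclass
class AccessProxy:
    roles: dict                      # engineer -> set of roles held
    device_roles: dict               # device -> role required to connect
    tickets: list                    # ChangeTicket records from the change system
    locks: dict = field(default_factory=dict)   # device -> engineers holding a lock
    audit: list = field(default_factory=list)   # every decision, allowed or denied

    def _decide(self, ok, msg):
        self.audit.append(("ALLOW " if ok else "DENY  ") + msg)
        return ok, msg

    def connect(self, engineer, device, now):
        """Broker a session: right role plus an open ticket; the engineer never sees the device password."""
        required = self.device_roles.get(device)
        if required is None or required not in self.roles.get(engineer, set()):
            return self._decide(False, f"{engineer}->{device}: lacks role {required!r}")
        for t in self.tickets:
            if (t.engineer, t.device) == (engineer, device) and t.start <= now <= t.end:
                return self._decide(True, f"{engineer}->{device}: session under ticket {t.ticket_id}")
        return self._decide(False, f"{engineer}->{device}: no open change ticket")

    def lock(self, engineer, device):
        """'My lock, your lock': each engineer hangs their own lock on the breaker."""
        self.locks.setdefault(device, set()).add(engineer)

    def unlock(self, engineer, device):
        self.locks.get(device, set()).discard(engineer)

    def run_test(self, engineer, device, now):
        """Local lockout takes precedence: another engineer's lock blocks the test even with a valid ticket."""
        ok, msg = self.connect(engineer, device, now)
        if ok and (others := self.locks.get(device, set()) - {engineer}):
            return self._decide(False, f"{engineer}->{device}: locked out by {sorted(others)}")
        return ok, msg
```

The audit list is the part a defender would actually feed to monitoring: denied connections outside a ticket window are the signal that someone is working off-process.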

The trouble comes from managers who make decisions about what to connect to the internet who don't understand or have not bothered to consider the risks.

“What really worries me is when I hear phrases like: ‘That will add cost to the system', or: ‘We haven’t got time to do that many checks’ and: 'No one ever writes up a ticket properly’.”

His advice when it comes to building industrial IoT? “In software, design for worst intent.” ®
