When Daniel Dogan, our Head of Cyber Security in Germany, presented at the Industrieforum Digitaler Mittelstand 2022 this June, he addressed an audience of more than 1,000 factory operators, industrial specialists, and machine and plant manufacturers. For all these small-to-medium-sized organisations, the big question on everyone’s lips was: how do I digitise my business securely?
Following a year of global disruption caused by ransomware – with the manufacturing industry taking the hardest hit (in 2021 it was the most attacked industry, at 23%) – it's encouraging to see security embedding itself more deeply in the consciousness of manufacturing and industrial business leaders. Industry 4.0 (the 4th industrial revolution; 4IR) is an opportunity for businesses of all sizes, especially those who recognise that their cyber resilience is their competitive advantage.
This article, based on Daniel’s June seminar, looks at the topic of IIoT (industrial internet of things) retrofitting and how manufacturing organisations can secure these projects.
Traditional vs IIoT retrofitting: a quick overview
In manufacturing and industry, the term retrofitting describes the measures taken to fit new or updated parts to existing machinery and systems that either require maintenance or revision for improvement. In an IIoT context, machines are retrofitted with a device that connects them to IIoT infrastructure – a network of smart devices that individually harvest, analyse, and share data on themselves, each other, connected applications, and the human users interacting with the machine or system.
An example of IIoT retrofitting would be adding IIoT-connected sensors and monitors to wind turbines to measure and analyse their performance. Processed via supervisory control and data acquisition (SCADA) systems, this data can be used to inform performance optimisation, cost-saving and safety measures, servicing scheduling, and preventative maintenance.
Security advice for Industrial Control Systems (ICS)
In many cases, retrofitting manufacturing equipment involves modifying ICS. When air-gapped ICS are retrofitted with IIoT, they become integrated into an IIoT network, and some or all of the system's management is handed to a software application. This introduces cyber risk: if the system is accessible via the IIoT network, it becomes accessible to any threat targeting that system, i.e., the air gap is removed.
With ICS vulnerabilities rising by 50% year on year, we can assume that the IIoT retrofitting opportunity will become of greater interest to attackers. The most successful organisations will be the ones who step forward to innovate ambitiously with these risks front of mind.
Managing cyber risk to ICS from IIoT: where to start
Before all else, manufacturing organisations have a responsibility to ensure that retrofitting projects are planned and risk assessed prior to any work taking place. ICS are usually designed to be fault-tolerant with significant redundancy built in. However, redundancy may not be a sufficient countermeasure against a successful attack, and any introduction of IIoT without appropriate controls increases the risk of exposure.
Building a cyber risk management framework into the overall governance framework for IIoT retrofitting projects should be the focus of security and/or IT decision makers working within relevant industries and organisations. The recommended process below is provided at a high level. You may wish to initially refer to NIST’s Special Publication 800-82, Guide to Industrial Control Systems (ICS) Security to understand the threats facing, and differences between, traditional IT and ICS systems.
How to build a cyber risk framework for IIoT retrofitting projects
1. Build your team
Develop the team responsible for building the framework, consisting of IT, Operational Technology (OT), security subject matter experts, and business leaders.
2. Identify processes at risk
As a team, identify the highest-risk processes – those which, if impacted, could cause the greatest damage to the organisation, environment, economy, personnel, customers, and partners.
3. Identify assets at risk
Identify at-risk assets, leaning on the IT and OT teams to collaborate in this identification. The information security team should define and create an inventory of, and categorise, all applications and computer systems within the ICS concerned, as well as the networks within it and interfacing to it.
4. Identify threats
Establish a risk matrix to identify and grade potential threats (attackers and their tactics, techniques, and procedures (TTPs)) by correlating the impact of potential attacks with their likelihood. The highest-risk threats should form the basis of any subsequent security activities.
5. Identify existing security controls
Use input from the OT and IT specialists to identify any existing defensive controls in place. A security audit or penetration test can measure the effectiveness of these with findings then fed back into the risk register to inform further mitigation decisions.
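The five steps above can be captured in a small risk register. The following Python is an added example, not code from the article or from Daniel's seminar: it grades each threat on a 5x5 impact-by-likelihood matrix (step 4), ties it to the process and assets it endangers (steps 2 and 3), credits existing controls with a likelihood reduction (step 5), and ranks the residual risk so the highest-risk threats drive the follow-on activities. The band thresholds, threat names, grades and controls are all constructed for illustration; your own framework sets the real ones.

```python
"""Risk register for an IIoT retrofitting assessment (added example, not the article's own).

Impact and likelihood are each graded 1 (lowest) to 5 (highest); score = impact x likelihood.
Band boundaries, threat names, grades and controls below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Lower bound of each band on the 5x5 matrix (assumed thresholds; tune to your framework).
BANDS = ((20, "critical"), (12, "high"), (6, "medium"), (1, "low"))


@dataclass
class Control:
    """An existing defensive control (step 5) and how many likelihood points it is judged to remove."""
    name: str
    likelihood_reduction: int


@dataclass
class Threat:
    """A threat (step 4) mapped to the process (step 2) and assets (step 3) it endangers."""
    name: str
    process: str
    assets: list
    impact: int
    likelihood: int
    controls: list = field(default_factory=list)

    def __post_init__(self):
        for label, value in (("impact", self.impact), ("likelihood", self.likelihood)):
            if not 1 <= value <= 5:
                raise ValueError(f"{label} must be graded 1..5, got {value}")


def grade(score: int) -> str:
    """Map a matrix score (1..25) to a band name."""
    for lower_bound, band in BANDS:
        if score >= lower_bound:
            return band
    return "low"


def inherent_score(threat: Threat) -> int:
    """Risk before any existing controls are credited."""
    return threat.impact * threat.likelihood


def residual_likelihood(threat: Threat) -> int:
    """Likelihood after existing controls; never below 1 (a control reduces risk, it does not remove it)."""
    reduction = sum(c.likelihood_reduction for c in threat.controls)
    return max(1, threat.likelihood - reduction)


def residual_score(threat: Threat) -> int:
    return threat.impact * residual_likelihood(threat)


def rank(threats) -> list:
    """Highest residual risk first: these drive the subsequent security activities."""
    return sorted(threats, key=residual_score, reverse=True)


def build_register(threats) -> list:
    """Rows suitable for a risk register: inherent and residual grades side by side."""
    return [
        {
            "threat": t.name,
            "process": t.process,
            "assets": ", ".join(t.assets),
            "inherent": f"{inherent_score(t)} ({grade(inherent_score(t))})",
            "residual": f"{residual_score(t)} ({grade(residual_score(t))})",
            "controls": ", ".join(c.name for c in t.controls) or "none",
        }
        for t in rank(threats)
    ]


# Constructed sample input: four threats from a hypothetical turbine-monitoring retrofit.
SAMPLE_THREATS = [
    Threat("Ransomware reaching the historian via corporate VPN", "Turbine performance monitoring",
           ["historian", "engineering workstation"], impact=5, likelihood=4,
           controls=[Control("offline backups", 1)]),
    Threat("Default credentials on retrofit gateway", "Turbine performance monitoring",
           ["IIoT gateway"], impact=4, likelihood=5),
    Threat("Unpatched PLC firmware reached from the OT network", "Blade pitch control",
           ["PLC"], impact=5, likelihood=2, controls=[Control("network segmentation", 1)]),
    Threat("Vendor remote support session hijack", "Servicing and maintenance",
           ["remote access server"], impact=3, likelihood=3,
           controls=[Control("MFA on remote access", 1)]),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_THREATS):
        print(f"{row['residual']:>14}  {row['threat']}  [{row['controls']}]")
```

Keeping inherent and residual scores side by side is deliberate: the inherent score tells the team what happens if an existing control fails (which a penetration test in step 5 may show), while the residual score is what gets prioritised today.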
The time and resources needed to develop the framework will vary from organisation to organisation and from system to system. Whatever your approach, the point is to begin any IIoT retrofitting process with security and cyber-risk-management in mind so that machines and systems are secure by design and resilient into the future.
Security activity checklist
There are many cybersecurity measures which can be undertaken following the creation of your risk assessment. The following list provides references for further reading.
- Vulnerability scanning
Vulnerability scanning helps you identify IT assets across your enterprise and IIoT network which could lead to compromise. It also locates asset-based vulnerabilities caused by zero days and misconfiguration.
- Pragmatic, risk-based patching and updates
Any scanning activity can only be effective if there is a suitable update, patching, and remediation strategy in place to close the opportunity for attack before it’s exploited.
- Network segmentation
Most compromises begin in the corporate network environment before attackers pivot to IIoT infrastructure. To prevent this, you can segment your network so there is no direct connection between the two.
- Principle of least privilege (PoLP)
To prevent illegitimate users from accessing IIoT devices, follow the PoLP, which dictates that any user be provided only with the privileges they need to perform the tasks they are responsible for, i.e., if they can do their job without access, access is withheld.
- IIoT gateways
Secure IIoT gateways make it possible to separate your networks and control all connections between them.
- Security awareness
Your security strategy is only as good as the competence and enthusiasm of your workforce to exercise security in their own behaviours. This begins with awareness, delivered through an empathetic and engaging programme of training that includes hands-on learning.
- Continuous offensive security
Whilst penetration testing is suitable to assist with building your cyber risk framework, a continuous programme of offensive security testing provides the opportunity to test your corporate infrastructure on an ongoing basis. This can help prevent attackers from entering the corporate network with a view to pivoting to the OT environment. By highlighting new high-risk vulnerabilities requiring remediation, it feeds fresh data into your risk framework – and any detection systems – as at-risk assets and threats emerge.
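The network segmentation and IIoT gateway items above share one testable property: the only traffic allowed to cross from the corporate network into OT passes through the gateway, on the connections you have explicitly permitted. The Python below is an added example, not the article's or any vendor's code, of checking that property against flow records. The zone address ranges, the permitted-flow table, the port numbers and the flow lines are all constructed; the intent is that a record of a corporate host talking directly to a controller, or any boundary crossing not in the policy, is flagged for the detection side of your risk framework.

```python
"""Segmentation policy check over flow records (added example, not the article's own).

Zones, CIDRs, the permitted-flow table and the flow records are all constructed. The check
flags any inter-zone flow that is not explicitly permitted, in particular direct
corporate-to-OT connections that bypass the IIoT gateway.
"""
import ipaddress
from typing import NamedTuple

# Assumed address plan: three zones, with the gateway zone as the only bridge to OT.
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "gateway": ipaddress.ip_network("10.20.0.0/24"),
    "ot": ipaddress.ip_network("192.168.100.0/24"),
}

# Explicitly permitted inter-zone flows: (src zone, dst zone, protocol, dst port).
# Everything else crossing a zone boundary is reported. Ports are illustrative.
POLICY = {
    ("corporate", "gateway", "tcp", 8883),  # business apps subscribing to telemetry (MQTT over TLS)
    ("corporate", "gateway", "tcp", 443),   # gateway management interface
    ("gateway", "ot", "tcp", 502),          # gateway polling retrofitted controllers (Modbus/TCP)
    ("ot", "gateway", "tcp", 8883),         # retrofit sensors publishing telemetry
}


class Flow(NamedTuple):
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def zone_of(ip) -> str:
    """Name the zone an address belongs to; anything outside the plan is 'external'."""
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: '<timestamp> <src> <dst> <proto> <dst port>'."""
    ts, src, dst, proto, dport = line.split()
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), proto.lower(), int(dport))


def check_flow(flow: Flow):
    """Return None if the flow is permitted, otherwise a dict describing the violation."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone and src_zone != "external":
        return None  # intra-zone traffic is outside this boundary policy
    if (src_zone, dst_zone, flow.proto, flow.dport) in POLICY:
        return None
    if (src_zone, dst_zone) == ("corporate", "ot"):
        reason = "direct corporate-to-OT path bypasses the gateway"
    else:
        reason = "inter-zone flow not in policy"
    return {"ts": flow.ts, "src": str(flow.src), "dst": str(flow.dst), "src_zone": src_zone,
            "dst_zone": dst_zone, "proto": flow.proto, "dport": flow.dport, "reason": reason}


def find_violations(lines) -> list:
    """Run the check over a sequence of flow records and collect the violations in order."""
    violations = []
    for line in lines:
        if not line.strip():
            continue
        result = check_flow(parse_flow(line))
        if result:
            violations.append(result)
    return violations


# Constructed flow records (not real traffic).
SAMPLE_FLOWS = [
    "2022-06-14T09:12:01Z 10.10.5.23 10.20.0.5 tcp 8883",          # permitted
    "2022-06-14T09:12:04Z 10.20.0.5 192.168.100.10 tcp 502",       # permitted
    "2022-06-14T09:12:09Z 10.10.5.23 192.168.100.10 tcp 502",      # corporate host talking straight to a PLC
    "2022-06-14T09:12:15Z 203.0.113.7 10.20.0.5 tcp 22",           # external address reaching the gateway
    "2022-06-14T09:12:20Z 192.168.100.10 192.168.100.11 tcp 502",  # intra-OT, not a boundary crossing
    "2022-06-14T09:12:31Z 10.10.8.4 10.20.0.5 tcp 22",             # corporate to gateway on a port not in policy
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE_FLOWS):
        print(f"{v['ts']} {v['src']} ({v['src_zone']}) -> {v['dst']}:{v['dport']} ({v['dst_zone']}): {v['reason']}")
```

The policy is an allowlist rather than a denylist on purpose: it is the same least-privilege idea applied to network paths, so a new connection has to be argued into the table rather than discovered after the fact. Running a check like this over the flow export from your segmentation boundary, or over the gateway's own connection logs, turns the segmentation item on the checklist into something the risk register can measure.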
Where to begin
The IIoT retrofitting opportunity offers a chance for your organisation to innovate and lead in the market. When it’s your role to secure that opportunity – building additional processes and frameworks and rallying people together to collaborate – bringing the company on board can be the greatest challenge. Whether it’s advising you on how to land concepts like secure-by-design systems and cyber resilience, or training your developers to build secure applications for your corporate network, we can help.