Network-enabled sensors and devices, part of the Internet of Things (IoT), can be a boon to industrial operations. They help Supervisory Control and Data Acquisition (SCADA) systems automate processes and collect data such as humidity, temperature, and air pollution.
Today, IoT products are cheap and plentiful, making them fairly easy to procure and deploy. Some IoT solutions offer risks that can't be ignored, however. Network security experts have significant concerns about IoT devices, especially when they’re implemented in an infrastructure setting such as a power grid.
The Security Challenges of IoT-Enabled Infrastructure
There are two distinct network security challenges regarding IoT-enabled infrastructure. The first has less to do with IoT solutions and more to do with the systems that control vital operations, such as utilities.
SCADA systems were built to do things like keep the lights on, maintain the flow of natural gas, and ensure that crops receive water. They were not designed to withstand network security threats. Moreover, it’s quite difficult to add security solutions after the deployment of SCADA systems. The most common SCADA system protocols (MODBUS and DNP3) are inherently insecure, and to make the situation worse, one breach at any point in the network within a SCADA system allows a hacker free reign. The long equipment life of SCADA systems gives them high ROI, but that doesn’t mean that network security staff regularly monitors vulnerabilities.
Security isn’t built into the design of many IoT products, either. Consumer IoT solutions are a special risk. Take the Nest thermostat, for example. In 2014, an engineering professor from the University of Central Florida led a team of researchers which succeeded in jailbreaking the device by loading software through the thermostat’s USB port. The next year, security researchers at TrapX published a report on how a criminal could hack the thermostat and gain access to other “smart” devices in someone’s home.
>> Download now: Learn how to secure your industrial network
[Free Whitepaper]
The Nest thermostat is only one vulnerable IoT product. Cars, medical devices, rifles, baby monitors, refrigerators, and even the iconic Barbie doll were all targets of hacks in 2015.
There are plenty of hackers and criminals who would dearly love to hack into utility grids. Some of them have succeeded. Just days before Christmas 2015, two of Ukraine’s power generating facilities were hacked. Eighty thousand customers were left without power for approximately six hours. Some experts have attributed the attack to Russian-designed malware.
When IT and OT Converge: Handling Network Security Threats Facing “Smart” Infrastructure
Industrial IoT (IIoT) networks create a convergence between IT and operational technologies (OT). This convergence brings with it serious security risks.
IIoT networks can span many miles and include hundreds, if not thousands, of data points. Each of these data points is vulnerable to threats which could cripple an IT network. And not all of these embedded technologies allow software updates or patches which would protect the rest of the network.
Organizations undertaking smart grid projects are aware of these security challenges. Such projects are regulated by the Federal Energy Regulatory Commission. However, you do need to think beyond security defenses. Simple, common-sense precautions like segmenting networks and implementing firewalls will prevent soft attacks. But really you must go beyond perimeter defenses and, ironically enough, that starts with a passive approach.
Passive Real-time Monitoring is the “Smarter” Solution
Industry and Infrastructure should not be a target. They can take security measures which will protect them and their unique environments. One such measure is implementing network elements that spot any anomalies and deviations from normal behaviors through passive, real-time monitoring. Simple, listen only devices like a passive network TAP copy the data and send it to an analyzer or deep packet inspection (DPI) solution to alert organizations of possible breaches. Of course, first you need to know your baseline traffic in order to determine what traffic is normal and what is not.
Passive, Listen-only Network TAPs Protect Industrial Infrastructure
Passive network TAPs are essential to industrial Ethernet connectivity because they are purpose-built, un-hackable and capable of enabling network monitoring without affecting traffic flow. In the industrial Ethernet sector, the majority of organizations are still utilizing 100M and 10/100/1000M copper networks. In the use case of requiring copper, Garland has specialized copper aggregation TAPs that are listen-only. These TAPs were made specifically for lawful intercept cases and are the standard for FBI Surveillance Protocols.
According to Chris Sistrunk, TAPs are a great way to gain visibility into a network, both to look for evil, but to also detect misconfigurations and devices with firmware problems. Chris writes in detail in his blog, It's a TAP about the 4 Considerations when installing a TAP in ICS.
The use of passive network TAPs combined with innovative monitoring solutions companies can work towards defending themselves from a critical infrastructure attack like the one in Ukraine.
