Lax IIoT Cybersecurity: the Perfect Breeding Environment for Industroyer

Thursday, June 29, 2017

Jalal Bouhdada


The growing threat against industrial environments is increasingly met by sub-par cybersecurity considerations. Jalal Bouhdada, Founder and Principal ICS Security Consultant at Applied Risk, explores the threat of poor security for IIoT technology, including why the industry must prioritise cybersecurity to ensure long-term profitability

The second major malware iteration to target Industrial Control System (ICS) technologies directly, Industroyer, is believed to be the source behind the 2016 attack against Kiev, Ukraine, which brought down segments of the electrical grid. The malware was designed to focus on unsecured Industrial Internet of Things (IIoT) ICS devices, propagated through IT systems, and is reportedly able to manipulate existing process commands to flip breakers, potentially resulting in downtime across power plants.

Whilst this is the second technology of its type to target ICS technology directly in the wild, there are a number of Proof of Concept (PoC) attacks demonstrably able to achieve the same result. Industroyer malware is unfortunately neither new nor unexpected to those within the security industry; attacks such as this are a natural conclusion of poor security practices and unsecured IIoT devices. While the risks may seem clear to security professionals, it has been found that suppliers, system integrators and end users often believe their systems to be secure, only to later fall victim to a breach.

Technological convergence - defending against unknown unknowns

Despite 83 per cent of organisations utilising ICS technology claiming they are well prepared to face cyber-attacks, half of global organisations revealed they had suffered between one and five security incidents in the last year. As industrial environments increasingly see convergence between IT and Operational Technology (OT) through IIoT technology, this trend of poor security will only get worse as best practice is neglected or ignored. Notably, among businesses utilising ICS technology, ineffective cybersecurity practices were found to cost each organisation up to £383,000 per year. Despite the increased risk of downtime and an exponentially growing financial incentive to ensure security, organisations often remain unsecured and vulnerable to attack.

As the adoption of new technology increases, so too will the associated risk. The operational benefits that come from IT and OT convergence in industry cannot be overstated. The advent of IIoT means that efficiency gains can be drawn from traditionally ‘dumb’ technology, with IoT in industrial environments set to add $14.2 trillion to the global economy by 2030. With this benefit, however, comes a greater threat level. Networking technology that has been designed with inadequate security considerations creates an ideal environment for hackers attempting to breach a system.

Security by design - the new business essential

The IIoT landscape is, by design, influenced by its consumer IoT counterpart. In the rush to drive products to market, technology is often not shipped or installed with security in mind. Originally, industrial control systems were designed to be used in air-gapped environments where outsider security threats were not a key consideration. With increasing risk to industrial environments through IIoT, business priorities must adapt to ensure both uptime and profitability. It is well known that a skills shortage exists among security professionals. Combined with human error, currently the weakest link in OT security, a skewed ratio is the result – one with too few security professionals to address a growing number of threats targeted at other staff.

With a revitalised focus on staff training, educating all employees with a baseline of cybersecurity know-how, organisations have an opportunity to ensure the security of their business and boost efficiency from the ground up. Within a supply chain, this requires products to be designed and tested to ensure security, contributing to a holistic security environment. Once this has been achieved, as an industry, collaboratively sourcing secure technology will be the next step. By only utilising technologies with strong security credentials, the industry will be pushed towards a supply chain where products are secure by design. This will assist in removing the burden from available security staff, allowing a greater degree of autonomy and proactivity around cybersecurity response.

In meeting the challenge posed by greater levels of threats and fewer cybersecurity specialists to meet them, a shift in focus is essential. Until security is accepted as a business enabler, and not a cost centre, attacks of this nature will continue uncontested.

About the author: Jalal Bouhdada has over 15 years’ experience in Industrial Control Systems (ICS) security assessment, design and deployment with a focus on Process Control Domain and Industrial IT Security. Jalal has led several engagements for major clients, including many of the top utilities in the world and some of the largest global companies in industry verticals including power generators, electricity transmission provider, water utilities, petro chemical plants and oil refineries.

Possibly Related Articles:
Enterprise Security Policy Security Awareness
Operational Technology IIoT Industroyer Industrial Control System
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.