The manufacturing and industrial sectors are going through a period of great change. The emergence of Industry 4.0 has led to web-connected devices becoming the focal point of a plant’s operations. Manufacturers are now adopting Internet of Things (IoT) technology in droves with the goal of increasing productivity, reducing plant downtime and optimising profitability.
As factories become more efficient, and technology more intelligent, the same cannot be said about the security measures employed by a number of organisations. While this technology is still at an early adoption stage, almost 140 security advisories were issued in 2016 relating to flaws in industrial control systems.
Of course, a large proportion of industry is still to embrace the trend, with many continuing to deploy legacy technology. Although many may consider themselves safe from the threats presented by the future of manufacturing, this is not the case.
One of the most significant threats on the horizon is the potential for industrial IoT devices, such as sensors and endpoints, to be utilised as botnets to attack other vulnerable businesses.
>See also: Industrial Internet of Things under attack
This is a growing trend as legacy industrial devices are more frequently connected to the internet, exposing them to threats that simply wouldn’t have been considered at the point of their conception.
One of the most high profile incidents to date occurred in Ukraine, where 225,000 people were plunged into darkness after a cyber attack on a power station, prompting warnings from experts of further attacks of this nature.
The hackers were able to access the SCADA network controlling the grid due to its outdated password protection protocols, which lacked two-factor authentication.
Does legacy technology have a place in 2017?
Despite the proven productivity benefits internet-enabled devices offer, many businesses continue to utilise outdated equipment in an attempt to obtain as much value from a device as possible before it becomes obsolete.
This process, also known as ‘sweating an asset’, is perhaps partially due to the perceived risks associated with IoT devices. What should be understood, however, is the threats associated with legacy industrial equipment are also severe if not offset by the necessary controls or barriers.
Outdated technology can rapidly be compromised, especially when connected to the internet. Threat actors continually seek such devices in automated environments as if one is discovered. Not only could it be used to wreak havoc upon that particular environment, it could also be used as part of a botnet or as a proxy to target other vulnerable organisations.
While manufacturers tend to associate Industry 4.0 with new intelligent devices, such as those that evaluate their own performance and even order their own replacement, conventional production equipment is becoming smarter and increasingly flexible.
Legacy industrial equipment can help organisations cut costs and stave off downtime in the short-term, while simultaneously realising increased productivity when connected to the internet and other devices. These benefits are clear to see, with automation technology shown to increase production line productivity by as much as 30%.
Furthermore, in regards to security, legacy systems often represent a series of technical hurdles that may serve to deter potential attackers due to their complexity. The proper isolation of these systems, alongside effective vulnerability monitoring, is considered one of the most successful methods of protecting legacy technology.
However, the risks of not upgrading legacy systems in the long-term are reduced productivity and increased risk of downtime as devices lose support and new technology drives forward-thinking businesses into the future.
Legacy equipment vs security by design
Security is not only the responsibility of plant workers, but also the IoT device developers. Many developers are already creating such equipment that is robust and secure enough for industrial use.
This demonstrates that, in collaboration with a qualified testing team, they can deliver reliable IoT devices focussing on the whole security lifecycle of a product – from design, secure development and security testing. This is the most appropriate method of ensuring device security.
That said, the majority are still lagging behind, concentrating on optimising the productivity benefits of the technology alone and failing to invest in the security of equipment.
Manufacturing firms and plant workers in all industries and locations looking to ensure their legacy equipment is prepared for a cyber attack must be educated that there is no silver bullet.
Those firms utilising legacy devices will benefit from taking the required time to understand and review the vulnerability surface and specific risks associated with legacy and recently connected devices. This should be followed by proposing realistic and effective barriers to mitigate any risks discovered, therefore eliminating any potential security issues.
Utilising security as a business enabler
Security must be taken seriously at all stages. Those developing IoT devices should consider embedding security at the core of this technology from the outset. This will enable an organisation to benefit from all of the advantages that the IoT can offer, while preventing potential exposure to unexpected vulnerabilities.
Collaboration with proven security experts will be crucial to accelerate the process and ensure a safe working environment.
For those already utilising legacy equipment, ensuring its security involves undertaking a detailed review of a device’s potential flaws in order to assure its trustworthiness.
The use of sensors and actuators in industrial settings is not standard IT practice, and therefore connecting this operational technology (OT) to the internet will cause initial issues. Striking a balance between the two to confirm system trustworthiness is critical.
There is no doubt that there will be an increase in the frequency and sophistication of IoT attacks. Organisations should take the required steps to shield themselves from the pitfalls of poor security, such as equipment downtime and profit reduction.
With a clear strategy to support the security of OT, an organisation stands the greatest chance of ensuring industrial devices, both legacy and new, are functioning securely and efficiently. Security must be considered at the outset of product development and system implementation to reduce potential opportunities for threat actors to exploit.
Jalal Bouhdada, founder and principal ICS security consultant, Applied Risk