Security for IoT: What can Industrial IoT learn from the recent DDoS attack?


The Mirai DDoS (Distributed Denial of Service) attack last Friday revealed a fundamental weakness of current IoT deployments and showed the absolute necessity of new security models. The DDoS attack was against consumer IoT devices, but there are many parallels between consumer IoT and industrial IoT. This attack involved tens of millions of IP addresses[i], a massive and unprecedented number of devices. Unfortunately, it seems it was fairly easy to carry out, especially since the source code for the Mirai botnet is easily accessible. The primary tool used to break into an array of consumer IoT devices (internet-enabled cameras, DVRs, etc.) was a set of default, manufacturer-set passwords.[ii] How many of us have run into default passwords on operational industrial devices? Or perhaps it would be better to ask: how many have ever run across a password that had been changed? The latter would probably be easier to count.

It is easy to think that this particular attack would not take the same form in an industrial network. There are a variety of differences in network design, types of devices used, network management, and access control. However, the strategy used in this attack is very relevant to industrial applications: exploit one or many compromised devices, which are not the main target, to take down another device or the entire network. We need to plan for a defense against this type of attack.

There are some key characteristics of this attack, especially with regard to the devices it was launched from:

  1. The devices are deployed to remote and difficult to manage locations. Software updates are sporadic if they happen at all.
  2. The devices run without direct maintenance or operator involvement. ‘Administrators’, if involved at all, just set it and forget it.
  3. Devices have access to a wider network and are sharing data in the network.
  4. The device can be easily compromised.
  5. The data on the network relies on a level of network or transport security, and is not inherently secure.
  6. The compromised devices weren’t the end target, but tools to achieve a different objective. This implies there is little incentive for the device manufacturers to spend money to design secure systems.

Does this sound like an industrial network you have worked with? It does to me.


Although we’d like to think that industrial devices and networks have better security than this, unfortunately this is not the case. We only need to look to the 2015 attack on the Ukrainian electricity distribution SCADA systems for proof. Industrial networks have relied primarily on anonymity and isolation from public networks for their security. But as more devices are deployed in industrial applications, and more private networks are connected to the web, this is no longer adequate. Access to these networks is not always a direct attack; it could come from a physical breach (e.g. the Stuxnet attack), which can open a hole in the security firewalls and allow further devices to be compromised. Not to mention networks unintentionally compromised by poorly designed software. IoT systems should be designed with the assumption that there will be bad actors within the network that we can’t keep out. The technology and standards used must be designed to mitigate the potentially adverse impact of such actors. So what is the solution?

The first requirement is securing the devices themselves; the industry needs to improve and develop systems for signing and securing everything from the hardware chips up through the OS, libraries and applications that have permission to run. This is fundamental. Bottom-up security must be the norm for these networks. Chain of trust, secure boot, and secure operating systems using trusted, signed software must be a requirement to operate in industrial networks.


However, we can’t assume all devices on a network are secure and must plan for operation when devices or applications are compromised. Data is critical to the operation of an industrial network and security should be a fundamental quality of any data.

Is there a standard that makes security part of the infrastructure, and is simple to implement yet highly robust? Yes, the OMG Secure DDS standard and RTI Connext® DDS Secure are just such a solution. RTI Connext DDS Secure is based on the OMG Secure DDS standard and includes features such as:

  • Discovery authentication
  • Data-centric access control
  • Cryptography
  • Tagging & logging
  • Non-repudiation
  • Secure multicast

Not only that, but it is transport agnostic, and is built with a plug-in architecture. This means that security of data and communication is independent of the network transport used and the standard security libraries can be replaced (using standard APIs) to suit the application’s security requirements.


There are key differences between the Secure DDS approach and other network security solutions. With DDS:

  1. Security is part of the infrastructure and is configured alongside the Quality of Service (QoS) settings.
  2. It enables fine-grained access control of the data, what we call data-flow security, at the data topic level.
  3. It allows for a combination of security functions, including encryption, authentication and access control, so security can be fine-tuned to the needs of each data topic.
  4. All of this is done by configuration, so the application programmer does not need to understand or manage the security implementation; it can be handled by the system architect.
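The configuration-driven, per-topic tuning described in points 2 to 4 can be illustrated with a DDS Security governance document. The following is an added example written for this post, not the author’s or RTI’s own configuration and not a file shipped with any product; it follows the governance XML format defined by the OMG DDS Security specification as I understand it, and the domain id and topic names (`MotorTelemetry`, `ActuatorCommand`) are constructed for illustration. It protects the domain as a whole (no unauthenticated participants, encrypted discovery, signed RTPS messages) and then tunes protection per topic: high-rate telemetry is integrity-protected only, while commands are encrypted and subject to read and write access control.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Illustrative DDS Security governance document (constructed example, not
     RTI's or the author's). Element names follow the OMG DDS Security spec;
     domain id and topic names are assumptions made for this example. -->
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:noNamespaceSchemaLocation="omg_shared_ca_governance.xsd">
  <domain_access_rules>
    <domain_rule>
      <!-- Apply these rules to DDS domain 0 (assumed for the example). -->
      <domains>
        <id>0</id>
      </domains>

      <!-- Every participant must present a valid identity certificate
           before it is admitted to the domain. -->
      <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
      <!-- Joining the domain itself is subject to the permissions document. -->
      <enable_join_access_control>true</enable_join_access_control>

      <!-- Domain-wide protection: discovery traffic is encrypted so topic
           names and endpoints are not visible on the wire, liveliness and
           RTPS messages are signed so they cannot be forged or altered. -->
      <discovery_protection_kind>ENCRYPT</discovery_protection_kind>
      <liveliness_protection_kind>SIGN</liveliness_protection_kind>
      <rtps_protection_kind>SIGN</rtps_protection_kind>

      <topic_access_rules>
        <!-- High-rate sensor data: integrity and authenticity matter,
             confidentiality less so, so sign rather than encrypt payloads
             and do not restrict who may subscribe. -->
        <topic_rule>
          <topic_expression>MotorTelemetry</topic_expression>
          <enable_discovery_protection>true</enable_discovery_protection>
          <enable_liveliness_protection>true</enable_liveliness_protection>
          <enable_read_access_control>false</enable_read_access_control>
          <enable_write_access_control>true</enable_write_access_control>
          <metadata_protection_kind>SIGN</metadata_protection_kind>
          <data_protection_kind>SIGN</data_protection_kind>
        </topic_rule>

        <!-- Control commands: only permitted identities may publish or
             subscribe, and both metadata and payload are encrypted. -->
        <topic_rule>
          <topic_expression>ActuatorCommand</topic_expression>
          <enable_discovery_protection>true</enable_discovery_protection>
          <enable_liveliness_protection>true</enable_liveliness_protection>
          <enable_read_access_control>true</enable_read_access_control>
          <enable_write_access_control>true</enable_write_access_control>
          <metadata_protection_kind>ENCRYPT</metadata_protection_kind>
          <data_protection_kind>ENCRYPT</data_protection_kind>
        </topic_rule>

        <!-- Default for any other topic: fail closed rather than open. -->
        <topic_rule>
          <topic_expression>*</topic_expression>
          <enable_discovery_protection>true</enable_discovery_protection>
          <enable_liveliness_protection>true</enable_liveliness_protection>
          <enable_read_access_control>true</enable_read_access_control>
          <enable_write_access_control>true</enable_write_access_control>
          <metadata_protection_kind>ENCRYPT</metadata_protection_kind>
          <data_protection_kind>ENCRYPT</data_protection_kind>
        </topic_rule>
      </topic_access_rules>
    </domain_rule>
  </domain_access_rules>
</dds>
```

In a deployment the governance document is signed by the Permissions CA and every participant in the domain is given the same signed copy, so a compromised device cannot simply weaken its own settings. A separate, also signed, permissions document then states which topics each authenticated identity may publish or subscribe to. The application code that writes `ActuatorCommand` is the same whether the topic is encrypted or not; the decision lives with the system architect in these files, which is the point made in item 4 above.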

Secure DDS is a fundamentally different approach to security, one that builds security into the infrastructure from the start. This has many benefits for the ease of use, performance and robustness of the security architecture. But don’t take our word for it; ask our customers who are using DDS Secure on some of the most critical network applications.

The tools exist, we just need to use them and plot a path to migrate into this new secure paradigm. You can learn more about RTI Connext DDS Secure here and please contact me if you want to learn more about RTI’s solutions for securing the IIoT.

 

[i] http://www.techrepublic.com/article/dyn-ddos-attack-5-takeaways-on-what-we-know-and-why-it-matters/

[ii] http://www.computerworld.com/article/3134746/security/fridays-iot-based-ddos-attack-has-security-experts-worried.html

Join RTI and Mentor Graphics to Discuss System Security and the Industrial IoT


On November 2, 2016, Warren Kurisu, Director of Product Management at Mentor Graphics, and I will be discussing how to implement reliability and security in the Industrial IoT (IIoT). We know these qualities are important for the IIoT, but the scale of the problem, and the scale of the networks involved, can present a challenge to anyone trying to implement real-world solutions. Although nothing is easy in this new hyper-connected, innovative, data-driven world, when you understand the right approach, the problem isn’t nearly so daunting.

Warren and I will be discussing some of the issues regarding the scaling of large, heterogeneous systems and how to address security and scale with a layered databus architecture. We will touch on the recent work by the Industrial Internet Consortium (IIC) on the IISF (Industrial Internet Security Framework) and the IIRA (Industrial Internet Reference Architecture).

Mentor Graphics is investing in the operating system, security and the platforms needed for IIoT. RTI is leading the charge with standards-based dataflow security and a connectivity framework — or databus — needed for the IIoT. I am looking forward to the discussion with Mentor Graphics and working with them to deliver real-world solutions.

You can read the webinar abstract and register for the event on Mentor’s website.

Upcoming Events You Don’t Want to Miss!


Come meet us at our next industry event! Why? It’s a great opportunity to explore the latest innovations within the Industrial Internet of Things (IIoT) and to engage with RTI experts. If you’re in the Healthcare, Energy, Transportation, Industrial, Communications or Defense industry, we have compiled a list of events for you. Believe me, you don’t want to miss them!

IoT Tech Expo North America – October 20-21 • Santa Clara, CA


Our CEO, Stan Schneider, will be the keynote speaker on How the Industrial Internet of Things (IIoT) is Transforming Industry followed by a panel discussion on Building New Business Opportunities with the Industrial Internet of Things. For two days, leaders from key industries across the US will come together to introduce and explore the latest innovations within the Industrial Internet. Covering Manufacturing, Transportation, Health, Logistics, Government, Energy and Automotive, this conference is not to be missed. For more information, check out the IoT Tech Expo website or register here.

Industrial Internet Forum Barcelona – October 24 • Barcelona, Spain


Join us at the Porta Fira Hotel in Barcelona, Spain for a complimentary public forum. That’s right, complimentary! RTI’s very own Brett Murphy, Director of Business Development, will be part of a panel discussion on Accelerating the Industrial Internet through Testbeds. Hear from testbed contributors about their progress and the recently released Industrial Internet Security Framework (IISF), an in-depth, cross-industry security framework for the Industrial Internet. Visit here for more information and to register.

AUVSI Unmanned Systems Defense Show – October 25-27 • Arlington, VA

This three-day event will be filled with information sharing and engagement with government program managers, decision makers and technology experts. Each day is designed to cover a specific domain (Maritime, Air and Ground) to provide focus. Don’t forget to stop by our booth and meet our experts! Register here!

IoT Solutions World Congress – October 25-27 • Barcelona, Spain

Join our CEO for the Industrial Internet of Things (IIoT) Architecture for Connected Medical Devices session. Stan will examine the potential and challenges of connecting medical devices in the IIoT. IOTSWC16 is an international forum that gives you the opportunity to meet developers from different markets around the globe. If you have an interest in Manufacturing, Healthcare, Energy and Utilities, Transportation and Logistics, or Innovation and Technology, don’t hesitate: register now! For more information, visit the IoT Solutions World Congress website.

If you’re interested in other upcoming events, check out our calendar for the latest developments in tradeshows, webinars, seminars, and more.