{"id":92110,"date":"2020-10-21T15:00:35","date_gmt":"2020-10-21T22:00:35","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/?p=92110"},"modified":"2023-08-07T15:32:18","modified_gmt":"2023-08-07T22:32:18","slug":"addressing-cybersecurity-risk-in-industrial-iot-and-ot","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/10\/21\/addressing-cybersecurity-risk-in-industrial-iot-and-ot\/","title":{"rendered":"Addressing cybersecurity risk in industrial IoT and OT"},"content":{"rendered":"

As the industrial Internet of Things (IIoT) and operational technology (OT) continue to evolve and grow, so too do the responsibilities of the Chief Information Security Officer (CISO). The CISO now needs to mitigate risks from cloud-connected machinery, warehouse systems, and smart devices scattered among hundreds of workstations. Managing those security risks includes the need to ensure safety in manufacturing, oil and gas facilities<\/a>, public utilities, transportation, civic infrastructure, and more.<\/p>\n

Analysts predict that we\u2019ll have roughly 21.5 billion IoT devices<\/a> connected worldwide in 2025, drastically increasing the attack surface. Because embedded devices often go unpatched, CISOs need new strategies to mitigate IIoT\/OT risks, which differ in crucial ways from the risks found in information technology (IT). That difference needs to be understood by your Board of Directors (BoD) and leadership team. Costly production outages, safety failures with injuries or loss of life, environmental damage leading to liability\u2014all are potentially disastrous scenarios that have moved IIoT and OT to the center of cyber threat management.<\/p>\n

An evolving threat landscape<\/h2>\n

Both IIoT and OT are considered cyber-physical systems (CPS): they span the digital and physical worlds, which makes any CPS a desirable target for adversaries seeking to cause environmental contamination or operational disruption. As recent history shows, such attacks are already underway. Examples include the TRITON attack<\/a>\u2014which targeted the safety instrumented system of a Middle East chemical facility with the intent of causing a serious safety incident\u2014and the Ukrainian electrical-grid attacks<\/a>. In 2017, NotPetya<\/a>, destructive malware posing as ransomware, paralyzed the Maersk shipping line, which handles close to a fifth of the world\u2019s container shipping. It also spread to pharma giant Merck, FedEx, and numerous European firms before boomeranging back to Russia to hit the state oil company Rosneft.<\/p>\n

In 2019, Microsoft observed a Russian state-sponsored actor using IoT smart devices<\/a>\u2014a VoIP phone, an office printer, and a video decoder\u2014as entry points into corporate networks, from which it attempted to elevate privileges. Attackers have even compromised building access control systems<\/a>, both as a way into the corporate networks those systems sit on and as a source of distributed denial-of-service (DDoS) attacks, in which a target system is overwhelmed and crashed by an onslaught of traffic.<\/p>\n

The current model<\/h2>\n

Since the 1990s, the Purdue Enterprise Reference Architecture<\/a> (PERA), aka the Purdue Model, has been the standard model for organizing (and segregating) enterprise and industrial control system (ICS) network functions. PERA divides the enterprise into \u201cLevels,\u201d each representing a subset of systems. Boundaries between levels are enforced with firewalls, and an industrial \u201cdemilitarized zone\u201d (DMZ) sits between the control system levels and the enterprise levels.<\/p>\n

\"\"<\/p>\n

Conventional approaches restrict downward access to Level 3 from Levels 4 and 5 (and from the internet). Heading upward, only Levels 2 and 3 may communicate with Levels 4 and 5, and the lowest two Levels (machinery and process) must keep their data and communications within the organization\u2019s OT.<\/p>\n

But in the IIoT era, data no longer flows in the hierarchical fashion the Purdue Model prescribes. With the rise of edge computing, smart sensors and controllers (Levels 0 and 1) now bypass firewalls and communicate directly with the cloud, creating new risks of system exposure.<\/p>\n

Modernizing this model with Zero Trust<\/a> principles at Levels 4 and 5 can help adapt an organization\u2019s IIoT\/OT architecture to the cloud era: every device and connection is authenticated and authorized explicitly, rather than trusted because of the level or network segment it sits in.<\/p>\n
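To make the hierarchy concrete, here is an added example (not code from the original post or from Microsoft) that audits constructed flow records against the conventional Purdue rule that traffic may cross only one level boundary at a time, with an industrial DMZ (Level 3.5) between site operations and the enterprise. The subnet-to-level inventory, the sample flows, and the severity scheme are all assumptions made for illustration. The sensor-to-cloud flow it flags as critical is exactly the Level 0/1 bypass described above, which an organization then has to either route through a controlled egress or bring under Zero Trust controls.

```python
"""Audit flow records against a Purdue-model segmentation policy.

Constructed example (not from the original article): an asset inventory maps
subnets to Purdue levels, the policy says traffic may cross only one level
boundary at a time (Level 3 reaches Level 4 only via the 3.5 DMZ), and every
flow that violates the hierarchy is reported with a severity. Sample flows
and subnets are made up.
"""
import ipaddress

INTERNET = "internet"
UNKNOWN = "unknown"

# Constructed inventory: which subnets sit at which Purdue level.
LEVEL_OF_SUBNET = {
    ipaddress.ip_network("10.0.0.0/24"): 0,     # sensors and actuators
    ipaddress.ip_network("10.0.1.0/24"): 1,     # PLCs, RTUs, safety controllers
    ipaddress.ip_network("10.0.2.0/24"): 2,     # HMIs, SCADA servers
    ipaddress.ip_network("10.0.3.0/24"): 3,     # site operations: historian, MES
    ipaddress.ip_network("10.0.35.0/24"): 3.5,  # industrial DMZ: jump hosts, patch relays
    ipaddress.ip_network("10.1.0.0/16"): 4,     # enterprise IT
    ipaddress.ip_network("10.2.0.0/16"): 5,     # enterprise edge / cloud connectors
}

# Hierarchy order: traffic may only move between neighbours in this list.
ORDER = [0, 1, 2, 3, 3.5, 4, 5, INTERNET]


def level_of(ip):
    """Map an address to its Purdue level. Public space is INTERNET; private
    space missing from the inventory is UNKNOWN (an unmapped asset)."""
    addr = ipaddress.ip_address(ip)
    if addr.is_global:
        return INTERNET
    for net, level in LEVEL_OF_SUBNET.items():
        if addr in net:
            return level
    return UNKNOWN


def is_permitted(src_level, dst_level):
    """Conventional Purdue rule: a flow may cross at most one boundary."""
    if src_level not in ORDER or dst_level not in ORDER:
        return False
    return abs(ORDER.index(src_level) - ORDER.index(dst_level)) <= 1


def classify(src_level, dst_level):
    """Return (severity, reason) for a flow, or None when it is allowed."""
    if UNKNOWN in (src_level, dst_level):
        return "medium", "unmapped asset: inventory incomplete"
    if is_permitted(src_level, dst_level):
        return None
    ot_side = [lvl for lvl in (src_level, dst_level) if lvl != INTERNET]
    if INTERNET in (src_level, dst_level) and ot_side and ot_side[0] <= 3:
        return "critical", "OT asset talks directly to the internet, bypassing the DMZ"
    return "high", "flow skips Purdue levels"


def audit(flows):
    """flows: iterable of (src_ip, dst_ip, dst_port). Returns a list of findings."""
    findings = []
    for src, dst, port in flows:
        src_level, dst_level = level_of(src), level_of(dst)
        verdict = classify(src_level, dst_level)
        if verdict is None:
            continue
        severity, reason = verdict
        findings.append({"src": src, "dst": dst, "port": port,
                         "src_level": src_level, "dst_level": dst_level,
                         "severity": severity, "reason": reason})
    return findings


# Constructed sample flows: (src, dst, dst_port).
SAMPLE_FLOWS = [
    ("10.0.1.10", "10.0.2.5", 502),      # PLC -> SCADA server, Modbus: allowed
    ("10.0.0.7", "52.10.20.30", 8883),   # smart sensor -> cloud MQTT: critical
    ("10.0.3.4", "10.1.5.20", 443),      # historian -> enterprise, skipping DMZ: high
    ("10.0.35.2", "10.1.5.20", 443),     # DMZ relay -> enterprise: allowed
    ("10.1.20.9", "10.0.1.10", 502),     # enterprise workstation -> PLC: high
    ("192.168.50.3", "10.0.1.10", 502),  # unknown device -> PLC: medium
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```

Run against real flow data (NetFlow, firewall logs, or a passive OT monitoring export), the same three buckets map onto the page's argument: "critical" findings are the cloud bypasses that need a Zero Trust design, "high" findings are hierarchy violations a firewall rule should already have stopped, and "medium" findings are gaps in the asset inventory.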

A new strategy<\/h2>\n

Consequence-driven cyber-informed engineering<\/a> (CCE) is a new methodology designed by Idaho National Laboratory (INL) to address the unique risks posed by IIoT\/OT. Unlike conventional approaches to cybersecurity, CCE treats consequence as the first aspect of risk management and proactively engineers for potential impacts. Based on CCE, there are four steps<\/a> that your organization\u2014public or private\u2014should prioritize:<\/p>\n

  1. Identify your \u201ccrown jewel\u201d processes:<\/strong> Concentrate on protecting critical \u201cmust-not-fail\u201d functions whose failure could cause safety, operational, or environmental damage.<\/li>\n
  2. Map your digital estate:<\/strong> Examine all the digital pathways that could be exploited by adversaries. Identify all of your connected assets\u2014IT, IoT, building management systems (BMS), OT, smart personal devices\u2014and understand who has access to what, including vendors, maintenance people, and remote workers.<\/li>\n
  3. Spotlight likely attack paths:<\/strong> Analyze vulnerabilities to determine attack routes leading to your crown jewel processes, including possible social engineering schemes and physical access to your facilities.<\/li>\n
  4. Mitigate and protect:<\/strong> Prioritize options that allow you to \u201cengineer out\u201d cyber risks that present the highest consequences. Implement Zero Trust segmentation policies to separate IIoT and OT devices from other networks. Reduce the number of internet-accessible entry points and patch vulnerabilities in likely attack paths.<\/li>\n<\/ol>\n
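As an added worked example of steps 2 through 4 (not from the original post, from Microsoft, or from INL's CCE material), the following models a constructed digital estate as a directed reachability graph, enumerates every simple path from assumed entry points (the internet, a vendor VPN, a phished workstation) to a crown-jewel safety PLC, and ranks the links that appear in the most paths as candidates to engineer out or harden. All asset names and links are made up; in practice the graph comes from the asset and access inventory gathered in step 2.

```python
"""Attack-path enumeration toward a crown-jewel process (CCE steps 2 to 4).

Constructed example, not from the article or from INL: assets, links and
names are made up. Edges are directed reachability (network, credential or
access relationships) as discovered while mapping the digital estate.
"""

# Constructed digital estate: asset -> assets it can reach.
ESTATE = {
    "internet": ["edge_router", "cloud_mqtt"],
    "edge_router": ["dmz_jumphost"],
    "vendor_vpn": ["dmz_jumphost", "historian"],       # maintenance access lands past the DMZ
    "phished_workstation": ["ad_server", "eng_workstation"],
    "ad_server": ["eng_workstation"],                  # domain credentials reach OT engineering
    "eng_workstation": ["hmi", "safety_plc"],          # engineering software talks to the PLC directly
    "dmz_jumphost": ["hmi"],
    "historian": ["hmi"],
    "hmi": ["safety_plc"],
    "cloud_mqtt": ["smart_sensor"],
    "smart_sensor": ["safety_plc"],                    # sensor and PLC share one flat Level 0/1 segment
    "safety_plc": [],
}

# Assumed entry points: where an adversary can start (remote access or social engineering).
ENTRY_POINTS = {"internet", "vendor_vpn", "phished_workstation"}
CROWN_JEWEL = "safety_plc"   # the must-not-fail function chosen in step 1


def all_paths(graph, sources, target):
    """Return every simple path from any source to the target (DFS; fine for
    inventories of hundreds of assets, too slow for very large, dense ones)."""
    paths = []

    def dfs(node, path):
        if node == target:
            paths.append(list(path))
            return
        for nxt in graph.get(node, []):
            if nxt not in path:          # simple paths only, no cycles
                path.append(nxt)
                dfs(nxt, path)
                path.pop()

    for src in sorted(sources):
        dfs(src, [src])
    return paths


def rank_chokepoints(paths):
    """Count how many attack paths traverse each link; most-traversed first."""
    counts = {}
    for path in paths:
        for link in zip(path, path[1:]):
            counts[link] = counts.get(link, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def remove_links(graph, links):
    """Return a copy of the estate with the given links engineered out."""
    pruned = {node: list(nbrs) for node, nbrs in graph.items()}
    for src, dst in links:
        if dst in pruned.get(src, []):
            pruned[src].remove(dst)
    return pruned


if __name__ == "__main__":
    paths = all_paths(ESTATE, ENTRY_POINTS, CROWN_JEWEL)
    print(f"{len(paths)} attack paths reach {CROWN_JEWEL}")
    for link, n in rank_chokepoints(paths)[:5]:
        print(f"  {n} path(s) via {link[0]} -> {link[1]}")
    # Engineer out the two links the process does not need, then re-run.
    hardened = remove_links(ESTATE, [("eng_workstation", "safety_plc"),
                                     ("smart_sensor", "safety_plc")])
    print(f"{len(all_paths(hardened, ENTRY_POINTS, CROWN_JEWEL))} paths remain after pruning")
```

The top-ranked link (HMI to safety PLC) cannot simply be removed, since the process depends on it, so it is where a control such as strict allow-listing, a controller key switch left in run mode, and monitoring of write commands earns the most. The direct engineering-workstation-to-PLC link and the flat segment shared by the smart sensor and the PLC can be removed outright, which is what the pruned run shows: after those two changes every remaining path funnels through the one hardened link.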

    Making the case in real terms<\/h2>\n

    Your leadership and BoD have a vested interest in seeing a return on investment (ROI) for any new software or hardware. Usually, the type of ROI they want and expect is increased revenue. But returns on security software often can\u2019t be seen in a quarterly statement. That means cybersecurity professionals have to present a solid case<\/a>. Here are some straightforward benefits to investing in IIoT\/OT cybersecurity software that you can take into the boardroom:<\/p>\n