IIoT Growth: All Eyes on OT

Wednesday, May 10, 2017 @ 12:05 PM gHale

By Jalal Bouhdada
Rising Industrial Internet of Things (IIoT) adoption has led to an increasing convergence between IT (Information Technology) and OT (Operational Technology), and thus, a period of unprecedented productivity potential within industry.

Notably, in 2011, the dollar value of this productivity boost in manufacturing hit $6.1 trillion in “advanced” economies — a huge motivation for further adoption of IIoT technology. This increasing productivity dividend, however, has not been met by a comparable rise in security investment. In 2016, IoT technology was reportedly hacked, on average, within 360 seconds of going online.

As the use of IIoT technology increases in line with growing productivity benefits, the result is a greater level of cyber risk.

Cyber criminals increasingly see critical infrastructure as a high-value target with the potential for a sizeable windfall. Ransomware attacks once exclusively targeted IT systems due to a lack of legacy technology connectivity. As IT and OT converge, hackers can utilize new attack vectors against under-secured technologies using strategies which were not previously available.

In 2016, ransomware attacks increased by almost 17,000 percent from the year prior, with 15 percent directly targeting the mechanical and industrial sectors.

Attacks against critical infrastructure now require fewer resources and often less technical know-how to be successful.

IIoT Blurring the Line
The barriers to undertaking successful attacks on critical infrastructure are quickly being broken down.

This shift is characterized by the greater variety of technology and the increasing number of attack vectors now available to hackers. With the advent of IIoT technology blurring the lines between traditionally disparate technologies and systems, threats are becoming far more effective.

Traditionally, attacks against critical infrastructure would require vast amounts of capital and manpower to succeed. In recent times, however, researchers have been able to exfiltrate passwords and other data through varying the speed of computer fans, granting access to mission critical systems.

Cybercrime-as-a-Service (CaaS), for example, further reduces the barriers to conducting a successful and often lucrative attack. With malware available for purchase online through the dark web, low-skilled hackers can access highly-effective technology, often paying a percentage of their ‘earnings’ to the program creator in return.

Mirai, the world’s largest IoT botnet, was recently available to hire for as little as $7,500. At this cost, 100,000 bots were available to use, allowing non-skilled threat-actors to undertake distributed denial of service (DDoS) attacks against their target of choice.

Security will Increase Profitability
The industrial landscape is changing, and for emerging business models based around IIoT to thrive, the mindset of security as a cost-center must change.

When recognized as a business enabler, security can end up integrated as an essential part of seamless operations — integral to business productivity. In order to fully secure industrial environments, individual businesses must prioritize the “Secure by Design” concept during product development lifecycles and during new projects.

In addition, the education of staff on security best practices must become a key priority, with this training an essential element of day-to-day activities. This enables staff to better understand the threats affecting their particular work environments, actively mitigating the heightened level of risk experienced in critical infrastructure.

The increase in productivity, and therefore profitability, achieved through the IIoT cannot be overstated. IIoT technology, however, is still very much in its infancy in terms of development and adoption.

For many organizations, though, it still represents a double-edged sword, one that can provide significant competitive advantage or expose them to exponentially growing risk. As the barriers to attacking critical infrastructure are broken down through insecure technology, low-skilled hackers with access to advanced technology become a far greater threat.

To mitigate the damage that can be caused by a successful cyberattack, organizations must now solidify the security of their supply chains, ensure their industrial assets are identified, undertake embedded security assessments, and treat security as a continuous process rather than a product.

Jalal Bouhdada is the founder and principal Industrial Control System (ICS) security consultant at Applied Risk. He has over 15 years’ experience in ICS security assessment, design and deployment with a focus on Process Control Domain and Industrial IT Security.
