Where the industrial IoT vulnerabilities lurk in your plant

When you connect manufacturing machinery to the internet, you've created a potential gateway for hackers. Here's a look at the risks you might be facing.

Who would have thought a bunch of DVRs could slow down -- and in some cases, bring down -- popular websites such as Netflix, Twitter and Spotify?

But, as has been widely reported, DVRs and cameras were just two types of internet of things (IoT) devices hit by the malware Mirai and turned into botnet-spewing weapons. The result was a massive distributed denial-of-service attack, crippling U.S. internet traffic in October.

While security experts have rightly highlighted that alarming botnet attack to bring into focus how exploited consumer IoT products can strike businesses and infrastructure, perhaps not as much attention has been paid to the internet-connected machines and programs used on the plant floor and elsewhere by the manufacturing sector.

According to security experts, IoT technologies in manufacturing are largely more secure than IoT consumer devices, but vulnerabilities still exist. That's because IoT tools are meshing with industrial control systems (ICS) that were designed years ago without any consideration for cyberattacks. Businesses need to tighten those gaps if they want to protect the heart of their operations.

Where old machines meet new IoT vulnerabilities

"Most of the focus of IT security in the last 30 years has been in the enterprise space," said Sean Peasley, a partner with Deloitte LLP's Cyber Risk Services. "Even though the industrial control systems [of manufacturing] have been there for 30 years, they haven't been the focus of cybersecurity."

Manufacturers will need skilled IT pros to keep their IoT processes safe, according to security experts. Just as hackers aimed to disrupt e-commerce with the Mirai attack, cybercriminals relish the thought of bringing companies to their knees by stealing intellectual property, such as manufacturing designs. And as more companies use vulnerable IoT to make products, hackers have a better chance of shutting down a company's manufacturing line for financial gain or pure sabotage.

"The attack surface [of IIoT] is much broader than [of] consumer IoT," said Omer Schneider, co-founder of the industrial control system security company CyberX. "It could be cyber criminals or hacktivists, but each one will have different goals: whether it's breaking apart the manufacturing floor or someone who wants to steal the intellectual property of a manufacturer. Companies are afraid of that."

Just as consumer devices, such as thermostats, refrigerators and toothbrushes, use sensors and software to collect and exchange data to benefit their owners, manufacturing devices take advantage of the industrial internet of things (IIoT) to harness data and machine-to-machine communication to become "smart" and to improve the efficiency and productivity of manufacturing operations.

Companies such as IBM, PTC, Cisco and others are notably ushering in the IoT era with their connected products, but manufacturers themselves are slowly implementing connected products into their creation processes. In a recent Internet of Things Institute study that detailed the hesitancies enterprises have about IoT implementations, 40% said they were concerned about data privacy and security, while 26% said current workflows are not defined enough for them to consider connected devices in the industrial environment.

But don't think manufacturers aren't using IoT, even if they haven't rushed to current IoT technologies. Manufacturers have been using IIoT for years; they just haven't called it that. "They use tracking tools, telemetry devices," said Cricket Liu, the chief DNS architect at Infoblox, a network intelligence company. "These devices are out there on the manufacturing floor."

The truth about industrial IoT vulnerabilities

Security and monitoring experts are split on how vulnerable IIoT is.

"In the manufacturing industry sector, things are a lot more secure, relative to the cheap, vulnerable consumer IoT devices," said James Piedra, a network platform specialist for Lanner Electronics, which works in the IoT industrial arena. "IoT sensors used in manufacturing connect wirelessly to a gateway, which can run security and monitoring software like a firewall or log -- or, even better, the IoT gateways sit behind dedicated firewall appliances."

But Jeff Williams, the CTO and co-founder of Contrast Security, believes manufacturers have to worry because they're relying on a mix of old ICSs with newer IoT devices that have various origins and, thus, different security features. "Some IoT devices are made on assembly floors, while others are made in little labs," he said. "There are a zillion different processes to make those things, so software is the one piece that's vulnerable. I look at it as a software problem; there's the vulnerability to allow hackers to get into a device."

A Deloitte survey of 225 manufacturing industry cyber risk executives found that 45% of them used sensors and smart products, but, overall, only half of them had isolated or segmented their ICS networks. Until security standards take hold, IoT and ICS will remain vulnerable and will leave hackers plenty of wiggle room, said Deloitte's Peasley.

"They'll be knocking on doors and using multiple techniques," Peasley said. That includes scanning the social media profiles of manufacturing employees to look for hints at what products they use at work. Hackers can then cross-reference those IoT and ICS products, find and exploit their vulnerabilities, and enter the manufacturer's environment. "They can then maybe increase administrative privileges and then get into an internal network -- then sabotage or steal information on production processes and the production line," he said.

But it's not too late for manufacturers to take IIoT security seriously. With many companies walking, and not hurrying, into IIoT use on the manufacturing floor, they have time to ensure the newer smart products they implement meet stringent security standards and that older ICS devices can be isolated from network attacks.

"It's a challenge. Like consumers, manufacturers are forced to deal with the inadequate features of the devices," Liu said. "But the manufacturing people dealing with these devices are IT professionals, whereas consumers aren't necessarily steeped in security."
