Tackling cyber security in the IoT. By Balajikasiram Sundararajan and Prabhu Venkatramanan
With increasing adoption of industrial IoT, more and more manufacturing plants are becoming connected. Operational technology (OT) systems, such as programmable logic controllers, embedded machine controllers, historians, and SCADA systems are connected to Industrial IoT platforms. In these platforms, data is acquired in real time, stored, and analysed using advanced analytic and machine learning techniques to generate insights for improving manufacturing operations. In certain cases, these insights are fed back to the OT systems to close the loop. This connectivity with OT systems is popularly known as IT-OT integration, or IT-OT convergence.
Due to their critical nature, OT systems were traditionally kept as standalone, air-gapped systems. Now these OT systems are being connected to the internet. While there are clear benefits to this connectivity, the flip side is the emergence of more attack surfaces and threat vectors that can be exploited by malicious actors. This article discusses the topic of securing connected manufacturing by taking an illustrative example of a brownfield scenario. It provides the business context, gives an overview of the existing industrial IoT architecture, and delves deeper into possible threats and corresponding counter measures. Subsequently, this article provides an overall approach for continuously monitoring and improving the cyber security of connected manufacturing.
Connected manufacturing: a brownfield scenario
A leading global pharma manufacturer is in the midst of a connected manufacturing journey to enhance operational efficiencies by improving overall equipment effectiveness (OEE), reducing lead time, improving on time delivery in full (OTDIF), reducing manufacturing defects, improving first pass yield (FPY) and reducing cost of poor quality (CoPQ). So far, three large manufacturing plants are connected; more details are provided in Table 1.
Overview of existing Industrial IoT solution architecture
Fig.1. shows the existing Industrial IoT solution architecture that caters to the functional requirements with due consideration to the age of the plants, feasibility of connectivity, and availability of sensors and systems for data acquisition.
Plant 1 is the oldest of the plants and most of the machinery and equipment does not have the required sensors and systems to support data acquisition. In this plant, the equipment was retrofitted with the required sensors, PLCs and energy meters to enable acquisition of process data, equipment condition data, energy data and other telemetry data. An IoT edge gateway acquires these parameters through wired Modbus TCP and Modbus on RS-485. The edge gateway does basic processing of these parameters and sends the data to the IoT platform in the cloud as JSON messages using MQTT. This data is sent over the internet using a wired broadband connection. Plants 2 and 3 are newer and all the required data is available in the plant SCADA system. The IoT edge gateway interfaces with the SCADA system using OPC-UA to acquire the necessary data. Subsequently, the edge gateway does basic processing of these parameters and sends the data to the IoT platform in the cloud as JSON messages using MQTT. This data is likewise sent over the internet using a wired broadband connection.
The IoT platform uses relevant platform as a service (PaaS) components in a public cloud. Once the data enters the ingestion layer of the IoT platform, the hot path takes the data to stream processing and the cold path takes the data to the data lake for storage. Stream processing does near real-time processing and provides information and insights directly to the visualisation layer. Advanced analytics, machine learning, simulation and digital twinning are performed on the data available in the data lake. Insights derived from these are stored in a processed data warehouse, and the visualisation layer fetches the required data from the data warehouse for dashboards and reports. Users access the visualisation through HTTPS URLs.
This architecture is illustrative of commonly used Industrial IoT architecture for connected manufacturing. Now, let us look at the key security threats that can impact this architecture and possible counter measures.
Understanding possible threats and attack scenarios
Threat modelling is a structured process for identifying and prioritising possible threat scenarios. This process can be broadly divided into five steps.
▪ Step 1 entails clear definition of scope and objectives of the threat modelling exercise.
▪ Step 2 is about modelling the environment by detailing out the system architecture, components in the architecture, information flow, trust boundaries, threat actors and their origin.
▪ Step 3 is about performing a detailed threat analysis that elaborates threat actors, threat vectors, threat events, origin of these threat events, probability of occurrence and consequences of these threat events.
▪ Step 4 entails impact analysis, threat rating and prioritisation of threats. Threat rating is a combination of several factors such as discoverability, exploitability, threat category and threat impact.
▪ Step 5 is about linking the threat events to a sequence of attack. This is done using attack modelling, i.e. modelling the sequence of the attack.
There are several frameworks that help in performing comprehensive threat modelling. Some of the popular threat modelling frameworks are STRIDE, DREAD, PASTA, Trike, VAST, attack trees, CVSS, OCTAVE, MITRE ATT&CK, and the Lockheed Martin cyber kill chain.
Table 2 is an illustration of some of the possible attack scenarios and corresponding countermeasures based on the threat modelling exercise. Let us begin with the data acquisition layer at the plant level. Considering the Industrial IoT solution architecture, attacks can happen on the energy meters, Modbus network, PLCs, and SCADA systems. Attacks can originate from internal actors and external actors. Some of the possible attack scenarios at the data acquisition layer and corresponding counter measures are shown in Table 3.
We looked at select attack scenarios at the data acquisition layer. Now, let us move on to the edge layer. The edge layer is the IoT edge gateway that connects to PLCs, SCADA systems and energy meters on the plant side, acquires data, does basic processing, and transfers the data to the IoT platform in the cloud through the internet. The table shows two possible attack scenarios and corresponding counter measures.
Let us move on to the IoT platform. The IoT platform uses multiple PaaS components in a public cloud with functionalities spanning data ingestion, device management, stream processing, raw data storage in a data lake, compute (analytics, simulation, twinning, machine learning), processed data storage in data warehouse, and visualisation. Table 4 lists some of the attack scenarios and corresponding counter measures.
The attack scenarios that we saw are outcomes of threat modelling for a specific brownfield scenario and a given Industrial IoT solution architecture. However, the approach and considerations involved in creating the threat model would be similar for any connected factory in general. Conducting a comprehensive and structured threat modelling exercise is a highly recommended method to understand, rate, and prioritise potential threats and vulnerabilities, so that effective counter measures can be developed and deployed.
As we saw, there are several counter measures that can be applied for improving cyber security of connected manufacturing. Data diode is one such counter measure that requires special mention. One of the most alarming threat scenarios in the context of connected manufacturing is the possibility of a malicious actor taking remote control of the factory equipment. Data diode as a counter measure plays a significant role in this case.
As the name suggests, the data diode is a hardware device that permits only unidirectional flow of data. Data diodes are typically deployed at the perimeter of the OT network to block any unwanted traffic flowing into the OT network. Fig. 2 shows an overview of the different components of the data diode, namely the transmission module, the reception module, and the optical isolation between them.
The transmission module receives inbound data from OT networks using common OT protocols such as Modbus TCP and OPC-UA. In the transmission module, routing information is removed and only the payload is extracted from the inbound data. After this, the payload is converted to the asynchronous transfer mode (ATM) protocol.
Subsequently, this data is transmitted optically to the reception module through a light emitting diode and a fibre optic cable. Electrical signals in ATM format are converted to optical signals by the light emitting diode and transmitted to the reception module over the fibre optic cable. In the reception module, the photo detector receives the optical data and converts it back into electrical data in ATM format. This data is then converted back to the target protocol for onward transmission to target devices such as an IoT gateway.
The reception and transmission sides of the data diode are completely isolated, and even the configuration of routing information has to be done separately for the transmission side and the reception side. At most, a malicious actor can gain remote access only as far as the reception side of the data diode, never into the OT network behind it. With these features, the data diode effectively isolates the OT network from any incoming traffic from the internet or an IT network, and thereby acts as a credible deterrent against remote access to and control of OT systems and plant equipment.
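The following is an added software model of the data diode pipeline described above; it is not code from the article or from any data diode vendor. The Modbus TCP frame is constructed, and the cell framing is a simplified length-prefixed scheme padded to 48-byte cells (real AAL5 trailers are not reproduced); the point it demonstrates is that routing information is stripped on the transmit side, the link carries cells in one direction only, and the receive side rebuilds the frame from its own, separately configured addressing.

```python
"""Illustrative model of a data diode: strip Modbus TCP routing info, segment the
payload into fixed-size cells, push them over a one-way link, reassemble and re-wrap.
Simulation only; a real data diode enforces the one-way property in hardware."""
import struct
from collections import deque

MBAP_LEN = 7        # Modbus TCP header: txn id(2), protocol id(2), length(2), unit id(1)
CELL_PAYLOAD = 48   # ATM cell payload size (53-byte cell = 5-byte header + 48-byte payload)

# Constructed sample: Read Holding Registers response, unit 0x11, two registers (10, 20)
SAMPLE_ADU = bytes.fromhex("0102 0000 0007 11 03 04 000A 0014")


def strip_routing(adu: bytes) -> bytes:
    """Transmit side: validate the MBAP header, drop it, and keep only the Modbus PDU."""
    if len(adu) < MBAP_LEN:
        raise ValueError("frame shorter than MBAP header")
    _txn, proto, length, _unit = struct.unpack(">HHHB", adu[:MBAP_LEN])
    if proto != 0 or length != len(adu) - 6:   # length counts unit id + PDU
        raise ValueError("malformed MBAP header")
    return adu[MBAP_LEN:]


def segment(payload: bytes) -> list:
    """Length-prefix the payload and pad it to whole 48-byte cells (simplified, not AAL5)."""
    framed = struct.pack(">H", len(payload)) + payload
    framed += b"\x00" * ((-len(framed)) % CELL_PAYLOAD)
    return [framed[i:i + CELL_PAYLOAD] for i in range(0, len(framed), CELL_PAYLOAD)]


def reassemble(cells: list) -> bytes:
    """Receive side: join the cells and recover the payload using the length prefix."""
    data = b"".join(cells)
    (n,) = struct.unpack(">H", data[:2])
    return data[2:2 + n]


class OneWayLink:
    """Models LED -> fibre -> photodetector: cells go in via tx() and out via rx() only."""
    def __init__(self):
        self._fibre = deque()

    def tx(self, cell: bytes) -> None:
        self._fibre.append(cell)

    def rx(self):
        return self._fibre.popleft() if self._fibre else None


def rewrap(pdu: bytes, unit_id: int, txn_id: int) -> bytes:
    """Receive side: rebuild a Modbus TCP frame using addressing configured on this side."""
    return struct.pack(">HHHB", txn_id, 0, len(pdu) + 1, unit_id) + pdu


def diode_forward(adu: bytes, link: OneWayLink, unit_id: int, txn_id: int) -> bytes:
    """Run one frame through transmit side, one-way link and receive side."""
    for cell in segment(strip_routing(adu)):
        link.tx(cell)
    cells = []
    while (cell := link.rx()) is not None:
        cells.append(cell)
    return rewrap(reassemble(cells), unit_id, txn_id)
```

Because the receive side only ever reads from the link, nothing the target devices send can reach the transmit side, which is the property the hardware diode guarantees.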
Securing connected manufacturing – applying NIST framework for cyber security
The National Institute of Standards and Technology (NIST) provides a comprehensive framework for improving cyber security. Fig. 3 shows the application of the NIST framework in the context of connected manufacturing.
The NIST framework for continuously monitoring and improving cyber security is divided into five phases, namely Identify, Protect, Detect, Respond, and Recover.
▪ “Identify” phase is about understanding the business environment, technology environment, architecture, and subsequently performing a comprehensive threat modelling to create a threat library comprising threat events, threat rating and possible attack sequences.
▪ “Protect” phase entails development and deployment of appropriate counter measures, creating and maintaining response and recovery plans when a threat event occurs, and creating the right awareness about cyber security.
▪ “Detect” phase is about continuously monitoring and detecting threat patterns & anomalies in real time, facilitating impact analysis, and updating threat libraries. Of late, machine learning is being increasingly used to detect anomalous and suspicious patterns.
▪ “Respond” phase entails effective execution of response plans once an attack has occurred.
▪ “Recover” phase entails ensuring the recovery of a system after the threat event has occurred. Tools that facilitate semi-automatic or fully automatic response and recovery are increasingly used to enable effective response and recovery after a cyber-attack.
As more manufacturing plants become connected, and with the continuous emergence of sophisticated cyber-attacks, the serious threat of disruption of manufacturing operations is more real now than ever before. It is imperative for organisations to proactively assess their connected manufacturing landscape, perform detailed threat modelling, identify threats, and deploy necessary cyber security counter measures. Industrial cyber threats are rapidly evolving, hence, even after deploying the necessary counter measures, it is vital for organisations to continuously monitor, analyse, and improve the cyber security of their connected manufacturing landscape.