As more operational technology (OT) devices and industrial control systems (ICSs) are connected to information technology (IT) systems over the Internet, the attack surface expands to billions of unsecured devices, many of which cannot be patched. That in turn creates a massive population of new attack vectors against physical infrastructure – from power and water plants to factories, hospitals, office buildings and even cruise ships.
There is growing awareness about the expanded attack surface. But the concomitant increase in attack vectors – which pose significantly greater risk to organizations – attracts much less attention. Perhaps this is because attack surface and attack vector are terms that many people assume mean the same thing. They don’t.
Attack surface represents the total number of vulnerabilities – hardware and software – that are on a network for cyberattackers to exploit. The more software running on a network and the more devices connected to it, the more opportunities for a breach. The traditional OSI stack, due to the security shortcomings of TCP/IP, has multiple layers of attack surfaces [see diagram].
Attack vector refers to the method a cyberattacker uses to exploit the vulnerabilities of an expanded attack surface to gain access. Examples of these vectors – or weapons – include viruses, worms, spyware and Trojan horses. Ransomware, for example, has been rampant in recent months, causing loss of control of IT and OT infrastructure.
But vectors also extend to humans – arguably the greatest security vulnerability – because they fall victim to phishing scams such as clicking on dodgy links, downloading infected attachments or giving up sensitive information about themselves or their employers in a fake email or website popup window. More people, using more software and devices in more ways, create more danger. This risk even includes skilled security pros interacting with complex security solutions, including firewalls.
[Figure omitted] Source: SANS 2019 State of OT/ICS Cybersecurity Survey
In air-gapped industrial settings, the only way to move data from one system to another (including IT systems) is with a physical device such as a thumb drive. We have seen major, high-profile breaches caused by an infected portable device corrupting a previously secure environment.
Air gap refers to systems, computers or networks that are not connected directly to the Internet, nor to any other systems or computers that are connected to the Internet. Air gaps are most commonly implemented in systems or networks that demand the highest security. Examples of air-gapped environments include classified military networks, networks for processing payments and funds transfers, and ICSs that operate critical infrastructure.
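One common defensive control for the removable-media transfer described above is to generate a hash manifest on the sending side and verify it on the air-gapped side before any file is imported, so that files altered in transit or added to the drive (for example an autorun file) are refused. The following is an added illustration, not code from the original post or from the TechTonics Advisors report; the file names and contents are constructed sample data and the manifest format (a name-to-SHA-256 mapping) is an assumption.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class TransferReport:
    """Outcome of checking a removable drive against its manifest."""
    approved: list = field(default_factory=list)    # hash matches the manifest
    mismatched: list = field(default_factory=list)  # present but content differs
    unexpected: list = field(default_factory=list)  # on the drive, not in the manifest
    missing: list = field(default_factory=list)     # in the manifest, not on the drive

    def ok(self) -> bool:
        # Import is only allowed when every file is accounted for and unchanged.
        return not (self.mismatched or self.unexpected or self.missing)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Sending side: record the SHA-256 of every file approved for transfer."""
    return {name: sha256_hex(content) for name, content in files.items()}


def verify_transfer(manifest: dict, media_files: dict) -> TransferReport:
    """Receiving (air-gapped) side: compare drive contents with the manifest."""
    report = TransferReport()
    for name, expected in manifest.items():
        if name not in media_files:
            report.missing.append(name)
        elif hmac.compare_digest(sha256_hex(media_files[name]), expected):
            report.approved.append(name)
        else:
            report.mismatched.append(name)
    for name in media_files:
        if name not in manifest:
            report.unexpected.append(name)
    return report


# Constructed sample data: what IT exported versus what is actually on the drive.
EXPORTED = {
    "plc-config.csv": b"tag,value\npump1,on\n",
    "patch-notes.txt": b"Firmware 2.1 notes\n",
}
MANIFEST = build_manifest(EXPORTED)

MEDIA = {
    "plc-config.csv": b"tag,value\npump1,off\n",   # modified after export
    "patch-notes.txt": b"Firmware 2.1 notes\n",     # unchanged
    "autorun.inf": b"[autorun]\n",                  # not in the manifest
}


def example_report() -> TransferReport:
    return verify_transfer(MANIFEST, MEDIA)


if __name__ == "__main__":
    r = example_report()
    print("approved:", r.approved)
    print("mismatched:", r.mismatched)
    print("unexpected:", r.unexpected)
    print("missing:", r.missing)
    print("import allowed:", r.ok())
```

In practice the manifest itself must be trusted: it should travel separately from the drive or be signed on the IT side with a key whose public half is already present on the air-gapped side, otherwise an attacker who controls the drive can simply rewrite both.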
Once inside the network, the cyberattacker can not only exfiltrate sensitive data but, as mentioned earlier, can also take control of the physical infrastructure. That can lead to catastrophic loss as attacks spread from devices on one network to those on another and across systems globally.
IIoT Cyber Risks Move from Network to Edge
IIoT is driving growth in edge computing. Always-on and performance requirements in sectors such as healthcare, manufacturing, logistics and utilities require monitoring, processing and decision-making in real time. That means more processing and analytics will take place at or near the source of data.
Edge computing implies smaller data centers, some of which may take the form of an enhanced 5G mobile base station, deployed closer to the user to expedite application performance. In IIoT the user may well be a machine. This is relevant for IIoT applications such as logistics and large-scale manufacturing, where sensors or data-collecting devices are numerous and highly distributed.
With so many mobile devices and sensors now connected to the Internet – and relying on artificial intelligence (AI) – more people and companies need their computing power close to them. One study last year predicted that spending on edge computing will grow by a compound annual growth rate of more than 30 percent through 2022.
Edge devices and edge data centers gaining more processing and decision autonomy translates into reduced downtime risk, allowing users and devices to continue using products and services even when portions of the network go down. However, the resulting air gap exposes these devices to cyberattacks. And once inside the network, attackers can move laterally to exploit internal systems built with an edge-only security mentality.
Supervisory control and data acquisition (SCADA) systems are particularly vulnerable. They operate on IIoT and edge computing protocols, are essential to critical infrastructure, and are a key component in many manufacturing systems. SCADA systems are difficult to update and often impervious to patching. Yet they are often overlooked in IIoT threat scans.
This blog is adapted from the new TechTonics Advisors report “An Air Gap Firewall Provides Better IIoT Cyber Defense than Internal Firewalls”. The report is freely downloadable here.