Giving Low-Tech, Industrial-Grade Cyber Defense Its Due

Old-school cyber-defense strategies based on careful risk analysis can be invaluable.
  • Written by Brian Buntz
  • 23rd May 2018

Is it possible that Stuxnet, an exceptionally sophisticated piece of malware targeting industrial equipment, could have been thwarted — at least partially — by software-free, hardwired vibration sensors?

I recently put that question to Andy Bochman, senior grid strategist, national and homeland security, at Idaho National Laboratory (INL). I had just read his recent article, “Internet Insecurity,” which is the current cover story in the Harvard Business Review. The article recommends, among other things, adopting analog and low-tech systems, not as a replacement for digital ones but as a barricade when hackers compromise vital systems.

“Your intuition is right on,” Bochman said, referring to the Stuxnet question. “That’s the crux of the whole paper.”

I breathed a sigh of relief, because coming to a fundamental understanding of cybersecurity in general and Stuxnet in particular can be elusive. And I have never come across anyone stating that a low-tech cyber-defense strategy could mitigate one of the malware’s central attack vectors.

Why Stuxnet Still Matters

The Stuxnet example continues to serve as a touchstone for advanced IoT-based cyberattacks. In essence, Stuxnet was a piece of malware reportedly developed circa 2005 by the U.S. and Israeli governments to sabotage Iran’s nuclear program and was deployed about five years later. The worm made its way onto a closed network within the Natanz nuclear facility in Iran, likely deployed via a USB stick. From there, it sabotaged code on the programmable logic controllers used to control the spin of the centrifuges. The malware would cause the centrifuges to spin out of control for a short duration and then return to normal behavior for a number of weeks. The process repeated until approximately one-fifth of the centrifuges were destroyed.

Some eight years after Stuxnet hit, the malware continues to hold several lessons for industrial organizations writ large. One, nation-states continue to ramp up increasingly sophisticated cyberattacks on enterprise, industrial and rival-government targets, including organizations that manage critical infrastructure. Last year’s WannaCry (reportedly developed by North Korea) and NotPetya (allegedly created by Russia) cyberattacks are examples of that.

Recently, a piece of malware known as Triton or Trisis attacked a petrochemical plant in Saudi Arabia. The malware was designed to hijack the company’s operations and cause an explosion. The Washington Post cited the attack as an example of “malware that can kill.” According to The New York Times, the attack only failed because of an error in the code. Attacks like Triton and Stuxnet remind us that, in the 21st century, malware can cause physical damage to equipment and occasionally safety problems. Such malware also can wreak havoc on organizations that thought they had a strong cyber defense and had “air-gapped,” or segregated, critical networks from the outside world.

And yet, Bochman differs from many cybersecurity experts in that he isn’t primarily focused on what he calls “cyber-hygiene,” which includes everything from cybersecurity staffing and services to employee education, maintaining inventories of connected products, and the use of firewalls, honeypots and intrusion-detection systems. While all of these items have value, each has shortcomings, leaving organizations with the challenge of “trying to figure out what they should spend money on for biggest bang for the buck,” Bochman said. “Just put yourself in the shoes of the chief financial officer whose job is to understand whether what they see the chief security officer is asking for is this is the best stuff.” Regulators such as public utility commissions, whose job is to oversee how electric utilities spend their money, are in a similar position. “It’s really tough,” Bochman acknowledged. “That’s all a part of cyber hygiene, which applies broadly across the enterprise.”

Engineering Old-School Cyber Defenses 

Most organizations respond to abstract-seeming cyber threats by doing more of the same — or doing more of the same with a slightly bigger budget each year.

While acknowledging the importance of good cyber hygiene, INL recommends a different approach, which it terms the “consequence-driven, cyber-informed engineering” (CCE) methodology.

The first step of CCE is to “identify certain parts of an operation that really cannot be allowed to fail for any reason,” Bochman said. As the article puts it, this task includes “identifying functions or processes whose failure would be so damaging that it would threaten the company’s very survival.” Examples of attacks on such “crown jewel” processes could be the sabotage of an electric utility’s transformers that grinds distribution to a halt, or an attack on an oil refinery or chemical facility that triggers an explosion whose aftermath could injure or kill hundreds or thousands of people. This step, and indeed the entire process, is performed under the guidance of a CCE master, who could be an individual from INL or, in the future, a trained individual from an engineering service firm.

The next step is to create maps of the organization’s digital terrain, including all the people and processes (and third parties) that touch the critical operation, along with all the hardware, software and communications technologies they use.

The phase that follows is identifying the most likely attack strategies to breach the crown jewel processes, ranking them by difficulty.

The final step, risk and mitigation, differs from other cybersecurity strategies in its embrace of analog technologies and basic engineering principles. “The departure is that, in some cases, for very low dollars, and in some cases for no dollars, you can protect yourself in a way you probably haven’t even hadn’t really thought of before,” Bochman said. Examples include an analog vibration sensor configured to trigger a defense mechanism when a piece of sensitive machinery has received instructions to damage or destroy itself, as the nuclear centrifuges did in the Stuxnet example. Another strategy could be to keep a backup system that can take over in the event of a cyberattack on critical systems. Many such strategies may look, on paper, like technological steps backward; they include curbing or reducing the use of connected technology and enlisting trusted humans, rather than automation, to manage essential functions.

Ultimately, one of the unique aspects of the INL system is its insistence that the key to enhanced cybersecurity could be the engineers, technicians and other technical staff who keep heavy machinery up and running. “If you told those operators and engineers that they possess the keys to better cyber-defend their most critical systems, that can create a really interesting dynamic,” Bochman said. “Many or maybe almost all of them never thought of that before.” While INL’s methodology also prioritizes buy-in from upper and middle management, it is unique in how it empowers machine operators and engineers. It makes such tech workers “hackers” in the early sense of the word: “working on a tech problem in a different, presumably more creative way than what’s outlined in an instruction manual,” as The New Yorker put it in 2014. “In our first pilot, it was the people who are closest to some of the most important and sometimes dangerous processes who came up with the mitigation before the INL people had gotten to that point,” Bochman said.
