IoT Supply Chain Vulnerability Poses Threat to IIoT Security
Most companies that construct products with the aid of IIoT-based operations are likely to keep close tabs on the supply chain that provides a predictable stream of raw materials and services that allows them to crank out products and keep the business humming.
But a second, underlying supply chain receives less scrutiny. And if the security of that supply chain is somehow compromised, business could grind to a halt.
That overlooked supply chain delivers the components that build out an IIoT infrastructure. The purchaser of those devices is at the end of the supply chain that — from a security perspective — lacks sufficient transparency into the chain. In fact, it would be a challenge to track the origins of the internal elements that comprise the delivered IIoT devices.
As a result, it’s not uncommon for IIoT-bound components to ship with exploitable security vulnerabilities. The complexity and global reach of the IIoT supply chain only compounds the problem — a single device may be made from parts supplied by dozens of component manufacturers.
“Dozens of components made from companies around the world bounce through multiple layers of suppliers and integrators until they are placed on a board, tested and packaged by the OEM,” as noted in “Finite State Supply Chain Assessment,” a 2019 report from Finite State, an IoT cybersecurity company.
The Risks to IIoT Infrastructures Are Real and Many
Most network operators recognize IIoT supply chain risks, but specific vulnerabilities are difficult to isolate. These deployments are often far reaching, extending beyond a manufacturer’s walls to shippers, merchants and other commerce partners. And as the network extends and includes additional integration points, the risk that a piece of dicey bit of malicious code will replicate only increases. Indeed the code itself may not be malicious but can present an open port that can compromise systems.
“Just seeing firsthand how many vulnerabilities tend to be in embedded systems—that’s where the asset owners don’t realize that those vulnerabilities exist in their systems,” noted Matt Wyckhouse, CEO of Finite State.
Once an IIoT environment is breached, malicious actors may use it as an entrée to burrow further into corporate systems. Industrial control systems (ICS) and other production systems may be at risk, but if interlopers can evade security roadblocks and delve even deeper, key corporate applications and related data might also be exposed. This is all attributable to questionable firmware that made its way into the supply chain that produces sensors, actuators and other operational IIoT.
“When a vulnerability is reported, it takes a while for a manufacturer to respond to that vulnerability, get a patch out there and then for asset owners to execute the update to that device and run the latest version of firmware for it,” explained Wyckhouse, describing how even known vulnerabilities can persist.
In “The State of Industrial Cybersecurity”, a July 2019 survey report conducted by the ARC Advisory Group for Kaspersky, a security provider, more than a quarter (26%) of respondents said they considered “threats from third-parties, such as supply chain or partners” to be a major concern, and another 44% said it was a minor concern. Interestingly, all the other major security concerns — such as ransomware (70%) and targeted attacks (68%) — could be launched against a company via a supply chain breach.
[ For more on IoT security, register for our IoT Security Summit this December.]
In the same survey, 28% of respondents noted that it was “very likely” or “quite likely” that their company’s ICS or industrial control network would be targeted.
The “Global Connected Industries Cybersecurity Survey,” another 2019 poll fielded by Irdeto, a Netherlands-based security outfit, emphasized that many companies have already been burned by invasive IoT attacks: “The study alarmingly found that only 17% of IoT devices used or manufactured by large enterprises have not experienced a cyberattack in the past 12 months.”
How IIoT Supply Chains Are Compromised
Typically the biggest concern about the supply chain that feeds a company’s production lines is that production activity may be interrupted, causing a production slowdown or shutdown. For the IIoT supply chain, the threat is far more covert and may take weeks or months before its effects are apparent.
Typically, when an IIoT supply chain corruption occurs, it’s more the result of a domino effect, which masks the source of vulnerability.
“The attackers have some victims in mind, but instead of going directly at the victims they go at tier-2 industrial IoT suppliers, compromise their websites and replace legitimate firmware and software with Trojanized versions,” described Eric Byres, CEO of Adolus, a company that provides a firmware checking service.
Unwitting IIoT network admins who undertake appropriate network maintenance, may unwittingly proliferate the hostile code. “They go and immediately download it and take it into their plant,” said Byres, “and suddenly there’s this malware that is now ruling inside their plant, inside the firewalls, inside everything.”
With a foot in the door, interlopers may make their way from industrial networks and then breach corporate data networks. “Bad guys attack one site and they get like this credible multiplier effect,” Byres continued. “It’s a damn good return on investment for an attacker.”
Most IIoT environments include hundreds or thousands of older devices — sensors and other components that may have been in place for a decade (or longer). Experts agree that the older the gear, the more likely it is to present a security risk because it lags in supports and updates.
For example, the Finite State report described a Huawei-manufactured component that included code using a version of OpenSSL that was released in 2003 — and was well known (and documented) as extremely vulnerable.
Some IIoT supply chain security flaws might have been inserted intentionally — either innocently and with malicious motives. An example is a backdoor. A backdoor in a piece of software allows access to core parts of the firmware and, thus, the component itself without having to pass the usual authentication process.
The well-intentioned backdoors are often left open by component manufacturers to provide an entry point for techs to support and monitor the device. Often called debug ports, these backdoors also allow malicious actors easy access. Similarly, application programming interfaces (or APIs) intended to allow integration with industrial control systems may inadvertently offer another means of compromising a device’s operation. The more nefarious backdoors are often left ajar by countries on their exported products as they hope to use them later to swipe intellectual property (IP) or other data.
Generally, the IIoT supply chain is more Wild West than well controlled.
“The IoT is still a grossly unregulated technology in terms of security standards,” noted “IoT Supply Chain Security: Overview, Challenges, and the Road Ahead,” a research paper published by Muhammad Junaid Farooq and Quanyan Zhu of New York University’s Tandon School of Engineering. “There is no control over upstream supply chain from a device owner’s point of view. Not all suppliers are ready to clearly articulate their cyber security practices and disclose their supply chain information.”
Malicious Actors’ Targets and What They Want
IIoT supply chain incursions can result in any of the compromised situations we’ve seen caused by other types of network breaches. But, given their very nature and function, “leaky” IIoT devices can result in various malicious activities and disruptions.
Ransomware still stands out as a key motivation for an attack. That’s also true of many IIoT supply chain infiltrations as the bad actors can hold up or otherwise negatively affect production until a ransom payment is made.
Production disruptions can wreak even greater havoc in an industrial setting. By altering the data streaming from sensors and other IIoT devices, machine settings can be manipulated which, in turn, can cause unseen problems in the manufacturing process which may result in faulty products or factory-floor machines such as robotic devices to operate in an unsafe manner.
A March 2020 report OT Security Best Practices noted that industrial control system breaches can have profound effects: “Some of these include significant risk to the health and safety of human lives, serious damage to the environment, and financial issues such as production losses, and negative impact to a nation’s economy.”
Certain industry verticals have become key targets as well.
“If you want a target-rich environment with lots of interesting targets, go to energy, go to the power grid, go to oil and gas,” said Adolus’ Byres. “And now another target rich environment we’re seeing is medical because of the pandemic.”
Finite State’s Wyckhouse also points to health care as a prime target. “We’re actually seeing a rise of destructive and life-threatening damaging attacks in the health care industry right now for the last couple weeks, with ransomware attacks taking down hospitals in the middle of the pandemic.”
A big payday isn’t always the goal of the attackers—sometimes information, as in critical intellectual property (IP), is the objective.
Squeezing through the cracks in an IIoT environment to get to the corporate data network is also a common ploy. “The attack surface is growing and becoming more complicated every day,” said Wyckhouse. “There are certain instances where we should be concerned about an actor using the supply chain as the mechanism for initial access.”
How to Cope With IIoT Supply Chain Weaknesses
For most companies, creating a more secure IIoT environment will be a significant undertaking, simply because of the sheer number of devices on networks and their complicated histories. You’ll be a step ahead if you already have a detailed and comprehensive inventory of those devices — and if you don’t, that’s the place to get started.
Once you have established the lay of the land, a supply chain risk assessment is the next step. Identify the “macro” risks, such as ransom situations, data corruption or IP theft. But the risk assessment will need to get to a more granular level as well, where each device is evaluated for potential vulnerability and how that vulnerability may be compounded into a wider network intrusion.
A closer look at the company’s networks and how they integrate is also in order. It may be possible, for example, to isolate an IIoT from the internet by using air-gapping to separate the operations technology environment from the IT networks.
IIoT device suppliers should also be assessed, so that the level of their security efforts are understood. The best time for this is when your company is evaluating products for purchase because “the point in time in a device’s lifecycle where the operator has the most influence over the manufacturer is during the purchase of that device,” according to Wyckhouse.
If IIoT device purchases are many and frequent, it would be a good idea to set up a formal assessment process to ensure that all vendors and products are vetted appropriately.
“Don’t just take a little slip of paper that says, ‘We take security seriously,’” noted Byres. “Get a proper report from them or go to a third party and get a proper analysis, and really figure out whether your supplier is doing their homework about security.”
You can also tap resources such as National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) to check its list of Common Vulnerabilities and Exposures (CVEs).
New classes of services and applications are emerging, specifically to address the IIoT supply chain situation. Adolus and Finite State are examples of companies with services that help users to determine the safety of the equipment they have already installed or are considering.
Adolus started out as a U.S. Department of Homeland Security project before it evolved into a commercially available service. It’s built atop a database that collects published and anecdotal information related to thousands of IoT devices, including a compilation of any known vulnerabilities. End users or device manufacturers can tap the database to trace the lineage of a component and find details about its constituent parts and suppliers.
“Our technology is about building these software bill of materials,” said Adolus CEO Eric Byres. “So we could have a whole provenance about not just the base product that you just bought and installed but all the components that came with it.”
Finite State also takes a novel approach to this problem. The company’s technology can effectively parse firmware to determine whether it presents risks to an IIoT infrastructure. This is particularly important because, as Finite State’s CEO Matt Wyckhouse points out, “when a firmware update is applied, that firmware replaces all of the software on that device. It completely replaces it and, thus, it can completely change the risk profile of the device.”