Industrial Cybersecurity Crisis

What differentiates the industrial world (OT) from the IT world and why is the feeling of insecurity increasingly high in industrial companies? The answer lies in the inability of industrial companies to update software and firmware.

Cybersecurity

A few weeks ago, the Israeli company Armis discovered a new critical cybersecurity vulnerability affecting several families of Schneider industrial controllers.

According to the published information, an attacker who was able to break into an OT network with automatons from this family could not only control them remotely, but also use them to distribute malware or steal data.

Industrial Cybersecurity Crisis

This vulnerability is yet another symptom of what some analysts are calling a "crisis" in industrial cyber security, with products increasingly weakened by the capabilities and tools of cyber criminals and researchers.

Security vulnerabilities are not exclusive to the industrial world. Any enterprise software, composed of complex and large code structures created by humans, contains vulnerabilities that could be discovered and exploited.

It is practically impossible to think of an invulnerable company. So what is the difference between the industrial world (OT) and the IT world (IT) and why is the feeling of insecurity increasingly high in industrial companies? The key lies in the inability of industrial companies to update software and firmware.

Recommended Reading: The Importance of OTA Updates for IoT Devices

Why don't industrial companies upgrade their systems? The most common answer is that they need to prioritise business continuity.

Schneider Electric has indicated that it is developing a security patch to prevent this vulnerability that will be available in Q4 2021. However, it is highly likely that very few companies will end up installing this update, leaving their systems vulnerable or having to invest heavily in perimeter security and surveillance to shield their networks.

In an IT infrastructure, a downtime for maintenance is much more manageable than in an infrastructure such as an electricity infrastructure, which provides critical services to its users. This is not unreasonable. However, at Barbara IoT we believe that there is plenty of room for improvement that can help industrial companies to update their systems much more frequently, making them much more secure and competitive.

The keys to this lie in a combination of tools and processes.

Edge Computing Nodes Cybersecurity

Tools

Automating updates through Edge Computing, as opposed to being performed manually by operators, means reducing maintenance windows to a minimum. We can reduce intervention from several minutes or hours to seconds and avoid human error.

Edge computing is a key enabler for this. Through cyber-secure edge computing nodes, located at the intersection of the IT and OT network, we can remotely schedule these update routines, start them at off-peak times, or even schedule them in batches to minimise any risk.

System updates via Edge Computing nodes - Image by Barbara

This is especially relevant for companies with highly distributed assets and segmented networks, such as utilities, mobility or telecommunications companies.

The proposed architecture allows:

  • Distribute updates through secure channels prepared for this purpose.
  • Deploy security patches faster through scheduled routines
  • Scale by launching update routines to hundreds or thousands of computers, remotely and simultaneously
  • Developers can test on very localised equipment or individual plants before embarking on a global rollout.
  • Have backup or failover routines

Implement DevSecOps development strategies

Processes

A reinforced door is of no use if it is usually open. This simple analogy serves to understand that cyber security is not only about tools, but also about processes .

To this end, a number of philosophies, practices, organisations and processes have recently been defined that allow companies to incorporate cybersecurity into their product development or operations cycles. These are known as "DevSecOps"practices.

The DevOps philosophy promotes that development and systems teams, processes and tools should not be separated. The entire lifecycle of an application, from design to production deployment and maintenance, should be conceived as integrated. In this way, it is the same engineers who code both the application and the tools to test and install it in an automated way in different environments.

As a further step towards technological maturity, the "DevSecOps" philosophy adds security as a third building block in these development and continuous integration processes.

To implement DevSecOps in an organisation, developers must include security in all decisions throughout the lifecycle of a product or service. They should perform risk analysis during design, include automated security testing as part of the workflow, and have resources - preferably internal to the development team - dedicated to early identification of threats or vulnerabilities.

With this combination of modernised tools and processes, industrial companies will be able to respond much more effectively to today's cyber security challenges, such as the Modipwn vulnerability discovered weeks ago.

If you were interested in this article and want to know how to implement IoT projects in a cybersecure way, contact us!