Protecting the energy sector’s industrial IoT

By Steve Hanna, Co-chair of TCG’s Industrial Work Group and IoT Work Group

Many sectors now utilize Internet of Things (IoT) equipment to drive digital transformation, and ultimately increase automation and efficiency. In particular, the energy sector is seeing wide implementation, from the equipment used in oil and gas extraction, to the tools monitoring an end-user’s consumption.

The use of Industrial IoT (IIoT) in settings like these is on the rise, with the market predicted to reach $110B by 2025. This kind of connected equipment allows energy companies to employ more sophisticated techniques such as data mining and deep learning – functions that the cloud can provide by performing analysis on data. While there are many practical benefits of implementing IIoT, industrial cybersecurity must be taken seriously to avoid significant consequences. Steve Hanna, Co-chair of TCG’s Industrial Work Group and IoT Work Group, joined Oil and Gas IQ’s Cyber Security in Energy and Utilities Day to explain how risks can be minimized.

A catalyst for innovation – but not without risk

IIoT equipment offers the ability to tune operations to the needs of the moment using sensors and cloud intelligence, helping to maximize efficiency, reduce waste, and offer individualized products and services. In addition, companies can use predictive maintenance techniques to ensure equipment is working smoothly, reducing downtime, and negating the need for preventative maintenance – where parts are routinely replaced, even when they may not need to be.

Thanks to these numerous benefits, there is a business imperative to adopt IoT. However, there is some risk that comes associated with that – the risk of hacks and cyber-attacks. The attack on Iran’s nuclear enrichment facility known as the Stuxnet Attack was a well-documented malicious piece of code that infected the software of at least 14 industrial sites in the country. Since then, there has been many ‘copycat’ attacks, in Germany, Ukraine and across the world.

The risk of attack

Attackers can infiltrate at any layer in the architecture. Attacks on individual devices are an obvious concern but attacks at other layers can have even more impact. If attackers can compromise the network, they can monitor and access confidential information or even change data and commands as they’re going through the network. That is, if the data and commands are not properly protected. If an attacker can successfully gain access to a server that has control over a large number of devices, the impact of their attack will be even greater.

Protecting connected equipment

While cybersecurity measures are often driven by government regulations, they provide benefits to operators in the form of reduced costs, increased safety, and protection of private data. But industrial cybersecurity differs from IT security in several important ways.

Industrial cybersecurity inverts the traditional triad of security values for IT security: confidentiality, integrity, and availability. In operational technology, or Industrial Control Systems (ICS) security, availability is most important, integrity is essential, and confidentiality is usually less of a concern. For example, in a conventional IT system, if someone doesn’t know a password they may be locked out. Lock out is not an acceptable option when an authorized operator needs to perform a safety-critical operation, even if they forgot the password.

Another difference is that IT equipment is typically replaced every three to seven years, but in industrial settings it is normal to have equipment installed for 20-30 years. While newer equipment considers the current technology and threat landscape relevant to the intended industry, older equipment can be outdated, posing a higher security risk.

Steps to ensure secure operations

-Authenticate equipment: If counterfeit parts are accidentally installed, operators may face system down time and revenue loss, malfunctioning, or safety problems. A chip called the hardware root of trust can be used, containing a public and private key pair, and a certificate that can be used to authenticate that hardware.

-Authenticate users: This ensures the person operating equipment is authorized to do so. For example, two-factor or multi-factor identification means a member of personnel must use their mobile phone in order to verify identity. A hacker would not be able to gain access without completing the mutual authentication, and they would be denied access to controls.

-Secure communication: If an attacker does gain access to the network, they shouldn’t be able to view or modify commands in transit. Communication protocols must authenticate the sending and receiving components as well as any users, but also encrypt and protect the integrity of data in transit.

-Update software securely: Software must be updated regularly and securely. Operators can be reluctant to update the software on their industrial control system since updates can lead to problems you didn’t anticipate, but software becomes increasingly vulnerable over time as vulnerabilities are discovered. Authenticate updates and check their integrity before installation, since the last thing operators want to do is load malicious software.

There are also several national and international standards which can be implemented by operators, to reduce the likelihood of a successful attack. TCG’s latest technical document offers guidance for securing Industrial Control Systems. This document is shorter and simpler than many other guidance documents and covers the common security use cases: device identity, access control, and securing secrets as well as more unusual use cases like physical attacks, equipment as a service, and handling legacy systems.