
Securing industrial IoT passwords: For Pete's sake, engineers, don't all jump in at once

If the networked kit needs to work for 10 years, you need to think policy

Comment: Cybersecurity has become an increasing priority in operations technology, thanks to the growing appetite for the industrial internet of things.

Operations technology (OT) is the term for the environments in industry, transport, automotive, cities and utilities that, before industrial IoT, were largely isolated from the outside world and thus from intruders.

Brexit or no Brexit, the UK is implementing EU policy on the security of such systems via the Network and Information Systems (NIS) Directive, so securing OT is a legal necessity, not just good practice.

With that in mind, a technology and services pact has been signed between two UK outfits seeking to stop the "worst" from happening to systems considered part of the national critical infrastructure.

Privileged access management provider Osirium has partnered with aviation, rail and car cyber-security specialist Razor Secure to build and deliver a range of systems targeting industrial IoT applications including unattended operations, power and water plants, weather stations, manned and unmanned vehicles and other systems that could themselves be used as a gateway for "bad stuff" to hop onto a network.

The target market for this partnership is systems “designed well before deployment” and “required to operate for 10 years or more.”

The pair said Razor Secure's machine learning algorithm would hunt for process anomalies on endpoints, while Osirium's Privileged Access Management (PAM) would handle system administrator credentials, access workflow and robotic process automation of routine admin tasks.

What’s the password?

When it comes to people and processes, much is made of the technical vulnerabilities in IoT, but one issue that has to be addressed is password management. An attacker has no need for a complex attack on protocol weaknesses when a simple, shared or never-changed password will open the door.

This is a people problem: many people need access to many things, and changing passwords is inconvenient, so they don't get changed.

According to Osirium chief technology officer Andy Harris, things have been going wrong from the outset when architects design systems where all the critical plant sits on its own network and then assume that a firewall in front of it is good enough. Firewall rules are based on source and destination addresses, so if the attacker or meddler is coming from an allowed source, or has compromised a permitted destination system and is bouncing off it to reach others, the firewall does nothing.


Harris likes the idea of a proxy-based technology that accepts an engineer's identity and connects to the IoT devices with a defined role, so the engineer never holds the device credential. If that proxy also checks for an open change ticket before connecting, so much the better, as you are basically creating a digital equivalent of the physical locks used in plant safety.

Osirium's approach is to separate people from passwords, rotate the device passwords so they are highly complex and regularly changed, and control the tools that can be used for access.

“In the real world we have a ‘my lock’ ‘your lock’ situation. If I go to work on a pump I put my lock on the breaker, if you work on the motor you put your lock on the breaker. If I finish before you I can’t accidentally run a test because your lock is on the system,” Harris said.

“Testing gets more complex, but there are still locks. I have to issue a ‘sanction for test’ and then get a ‘permit to test’ then go to the pump (where I might find your lock). System design is crucial.

“Each system should be designed on the principle of local control/safety and global intelligence/control. If a control system tells an airbridge to move, but there is a local lockout – the local lockout takes precedence.”

The closest thing to “my lock your lock” in the software world is change tickets. These are procedures rather than enforced controls: on their own they don't stop mistakes, but they could if access were tied to them. If an engineer is only granted access to a system while there is an approved change ticket naming that engineer and that system, there would be a real degree of control. However, people then need the discipline to ensure the change ticket is accurate, because the check is only as good as the ticket.
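To make the two ideas above concrete (a broker that holds the device passwords and only connects a named engineer with a defined role while an approved change ticket is open, plus the “my lock your lock” precedence rule), here is an added example in Python. It is illustrative code written for this page, not Osirium's or Razor Secure's product; the device names, roles, ticket fields and the 32-character rotation policy are all hypothetical.

```python
# Added example (not Osirium's or Razor Secure's code): a toy privileged-access
# broker that separates engineers from device passwords, gates sessions on a
# role plus an approved change ticket, honours "my lock / your lock" lockouts,
# and rotates the device password after every session.
# Device names, roles and ticket fields are hypothetical.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import secrets
import string


@dataclass
class Ticket:
    ticket_id: str
    engineer: str
    device: str
    start: datetime
    end: datetime
    approved: bool = False


@dataclass
class Device:
    name: str
    password: str                             # what the device itself accepts
    locks: set = field(default_factory=set)   # engineers holding a lock on its breaker


class AccessDenied(Exception):
    pass


def random_password(length: int = 32) -> str:
    """Long random password; engineers never see it, so complexity costs nothing."""
    alphabet = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


class Broker:
    # Hypothetical role -> reachable devices. The broker, not a source/destination
    # firewall rule, decides who may talk to what.
    ROLES = {"pump-engineer": {"pump-01"}, "motor-engineer": {"motor-07"}}

    def __init__(self, devices, tickets):
        self.devices = {d.name: d for d in devices}
        self.vault = {d.name: d.password for d in devices}   # credentials live here only
        self.tickets = {t.ticket_id: t for t in tickets}
        self.audit = []

    def open_session(self, engineer, role, device_name, ticket_id, now):
        if device_name not in self.ROLES.get(role, set()):
            raise AccessDenied(f"role {role} may not reach {device_name}")
        t = self.tickets.get(ticket_id)
        if t is None or not t.approved or (t.engineer, t.device) != (engineer, device_name):
            raise AccessDenied("no approved change ticket for this engineer and device")
        if not (t.start <= now <= t.end):
            raise AccessDenied("outside the ticket's change window")
        device = self.devices[device_name]
        # The broker logs in with the vaulted credential; the engineer only gets
        # an opaque session handle, never the password.
        if self.vault[device_name] != device.password:
            raise AccessDenied("vault out of sync with device")
        self.audit.append(("open", engineer, device_name, ticket_id))
        return {"engineer": engineer, "device": device_name, "handle": secrets.token_hex(8)}

    def run(self, session, command):
        device = self.devices[session["device"]]
        others = device.locks - {session["engineer"]}
        # Local lockout takes precedence over any remote instruction.
        if command.startswith("run-test") and others:
            raise AccessDenied(f"lock held by {sorted(others)} blocks {command}")
        self.audit.append(("cmd", session["engineer"], device.name, command))
        return f"{device.name}: {command} ok"

    def close_session(self, session):
        # Rotate after use: whatever this session touched is no longer valid.
        device = self.devices[session["device"]]
        device.password = self.vault[device.name] = random_password()
        self.audit.append(("close", session["engineer"], device.name))


def demo():
    """Walk the controls with constructed data; returns what each one decided."""
    t0 = datetime(2019, 6, 3, 9, 0, tzinfo=timezone.utc)
    pump = Device("pump-01", random_password())
    before = pump.password
    broker = Broker(
        [pump, Device("motor-07", random_password())],
        [Ticket("CHG-100", "alice", "pump-01", t0, t0 + timedelta(hours=2), approved=True),
         Ticket("CHG-101", "bob", "pump-01", t0, t0 + timedelta(hours=2), approved=False)],
    )
    out = {}
    for key, args in {
        "late": ("alice", "pump-engineer", "pump-01", "CHG-100", t0 + timedelta(hours=3)),
        "unapproved": ("bob", "pump-engineer", "pump-01", "CHG-101", t0),
        "wrong_role": ("alice", "motor-engineer", "pump-01", "CHG-100", t0),
    }.items():
        try:
            broker.open_session(*args)
        except AccessDenied as e:
            out[key] = str(e)
    alice = broker.open_session("alice", "pump-engineer", "pump-01", "CHG-100", t0)
    pump.locks.add("bob")            # bob puts his lock on the breaker
    try:
        broker.run(alice, "run-test")
    except AccessDenied as e:
        out["locked_out"] = str(e)
    pump.locks.discard("bob")        # bob finishes and removes his lock
    out["test"] = broker.run(alice, "run-test")
    broker.close_session(alice)
    out["rotated"] = pump.password != before and len(pump.password) == 32
    out["engineer_saw_password"] = "password" in alice
    return out
```

The three refusals in `demo()` (ticket window passed, ticket not approved, role does not cover the device) all happen before the broker touches the device, the lock held by a second engineer blocks the test even though the first engineer's session is otherwise valid, and the password the device accepts changes as soon as the session closes, so a credential scraped from the session is worthless afterwards. The weak spot the article points at remains: every check here is only as good as the ticket data fed into it.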

The trouble comes from managers who make decisions about what to connect to the internet who don't understand or have not bothered to consider the risks.

“What really worries me is when I hear phrases like: ‘That will add cost to the system', or: ‘We haven’t got time to do that many checks’ and: 'No one ever writes up a ticket properly’.”

His advice when it comes to building industrial IoT? “In software, design for worst intent.” ®
