How AI can keep the industrial lights shining

The Darktrace approach to locking down the IIoT


Sponsored Feature Internet connectivity has changed everything, including old-school industrial environments. As companies modernise their operations, they're connecting more of their machinery to the web. It's a situation that's creating clear and present security concerns, and the industry needs new approaches to dealing with them.

Industrial Internet of Things (IIoT) adoption is speeding ahead. Research from Inmarsat found that 77 per cent of organisations surveyed have fully deployed at least one IIoT project, with 41 per cent of them having done so between the second quarters of 2020 and 2021.

The same research also warned that security was a primary concern for companies embarking on IIoT deployments, with 54 per cent of respondents complaining that it stopped them using their data effectively. Half also cited the risk of external cyber attacks as an issue.

IIoT solutions are pivotal to the convergence of IT and OT (operational technology). OT platforms, often industrial control systems (ICS), help companies manage their physical devices like presses and conveyor belts that power manufacturing production or the valves and pumps that keep municipal water flowing.

In doing so they generate huge amounts of data that is useful for analytics purposes. But getting that information into the appropriate enterprise tools means bridging the gap between IT and OT.

Operators also want those OT systems to be accessible remotely. Giving conventional IT applications the ability to control those devices means they can be linked with the same back-end processes defined in IT systems. And enabling remote access for technicians unable or unwilling to make a multi-kilometre round trip just to make an operational change can also save time and money.

This need for remote access sharpened during the COVID-19 crisis when social distancing and travel restrictions stopped technicians from making any on-site visits at all. Inmarsat found that the pandemic was a root cause of accelerated IIoT adoption for example, with 84 per cent reporting that they have or will accelerate their projects as a direct response to the pandemic.

So for many, the convergence of IT and OT is more than just convenient; it's essential. But it has also created a perfect storm for security teams. An externally accessible ICS increases the attack surface for hackers.

ICS attacks in action 

Sometimes that IT/OT convergence can be as simple as someone installing remote access software on a PC at a facility. That's the set-up which allowed hackers to access control systems via an installation of a remote access tool at the municipal water plant in Oldsmar, Florida in 2021 before trying to poison local residents with sodium hydroxide. The PC that the attacker compromised had access to the OT equipment at the plant. The town's sheriff reported that the invisible intruder had dragged the mouse cursor around in front of one of its workers.

It isn't clear what caused hackers to try to poison innocent Floridians, but some attacks have financial motives. One example is the EKANS ransomware attack that hit Honda in June 2020, shutting down manufacturing operations across the UK, the US, and Turkey.

Attackers used the EKANS ransomware to target internal servers at the company, causing major disruption at its plants. In an analysis of the attack, cybersecurity company Darktrace explained that EKANS was a new type of ransomware. Ransomware systems that target OT networks normally do so by hitting IT equipment first and then pivoting. EKANS is relatively rare in that it targets ICS infrastructure directly. It can target up to 64 specific ICS systems in its kill chain.

Experts believe other ICS attacks to be state-sponsored. The Triton malware, first directed at petrochemical plants in 2017, is still a threat according to the FBI, which attributes attacks to state-backed Russian groups. This malware is especially nasty, according to the Bureau, because it allowed physical damage, environmental impact, and loss of life.

Standard security solutions won't work here

Traditional cyber security approaches aren't effective in solving these OT vulnerabilities. Companies could use endpoint security tools including anti-malware to protect their PCs. But what if the endpoint was a programmable logic controller, an AI-enabled video camera, or a light bulb? These devices don't often have the capacity to run software agents that can check over their internal processes. Some might not have CPUs or data storage facilities.

Even if an IIoT device did have the processing bandwidth and power capabilities to support an on-board security agent, the custom operating systems that they use would be unlikely to support generic solutions. IIoT environments often use multiple types of device from different vendors, creating a diverse portfolio of non-standard systems.

Then there's the question of scale and distribution. Administrators and security professionals used to dealing with thousands of standard PCs on a network will find an IIoT environment, where sensors may number hundreds of thousands, very different. Those devices may also be spread over a wide area, especially as edge computing environments gain traction. In more remote environments, they might limit their connections to the network to conserve power.

Evaluating traditional ICS protection frameworks

If conventional IT security configurations can't handle these challenges, then perhaps OT-centric alternatives can? The go-to standard model is the Purdue cybersecurity model. Created at Purdue University and adopted by the International Society of Automation as part of its ISA 99 standard, it defines multiple levels describing the IT and ICS environment.

Level zero deals with the physical machines - the lathes, industrial presses, valves, and pumps that get things done. The next level up involves the intelligent devices that manipulate those machines. These are the sensors that relay information from the physical machines and the actuators that drive them. Then we find the supervisory control and data acquisition (SCADA) systems that oversee those machines, such as programmable logic controllers.

These devices connect to the manufacturing operations management systems at the next level up, which execute industrial workflows. These machines ensure the plant keeps operating optimally and record its operations data.

At the upper levels of the Purdue model are the enterprise systems that rest squarely in the realm of IT. The first level here contains the production-specific applications such as enterprise resource planning that handles production logistics. Then at the uppermost level is the IT network, which harvests data from the ICS systems to drive business reporting and decision making.

In the old days, when nothing spoke to anything outside the network, it was easier to manage ICS environments using this approach because administrators could segment the network along its boundaries.

A demilitarised zone (DMZ) layer was deliberately added to support this type of segmentation, sitting between the two enterprise layers and the ICS layers further down the stack. It acts as an air gap between the enterprise and the ICS domains, using security equipment such as firewalls to control the traffic going between them.
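To make the segmentation idea concrete, here is an added example (not ISA's or Darktrace's code) that assigns hosts to Purdue levels and checks observed flows against a simple policy: enterprise-side traffic (levels 4 and 5) may only reach the ICS side (levels 0 to 3) through the DMZ (level 3.5). The asset inventory, addresses and sample flows are all constructed for the illustration.

```python
"""Purdue-model segmentation check over constructed flow records.

Added example, not code from the article or from Darktrace/ISA. Hosts are
mapped to Purdue levels and each flow is tested against a constructed policy
in which enterprise <-> ICS traffic must traverse the DMZ.
"""
from dataclasses import dataclass

# Constructed asset inventory: IP -> Purdue level (3.5 = IT/OT DMZ).
INVENTORY = {
    "10.0.5.10": 5,    # corporate file server (enterprise IT)
    "10.0.4.20": 4,    # ERP application server
    "10.0.35.5": 3.5,  # jump host / historian replica in the DMZ
    "10.0.3.7": 3,     # manufacturing operations management
    "10.0.2.15": 2,    # SCADA HMI
    "10.0.1.31": 1,    # PLC
}

ENTERPRISE = {4, 5}
DMZ = 3.5
ICS = {0, 1, 2, 3}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def level_of(ip):
    """Return the Purdue level for a known host, or None if it is not inventoried."""
    return INVENTORY.get(ip)


def evaluate(flow):
    """Return (verdict, reason) for one flow.

    Policy (constructed for this example):
      - flows within one side (enterprise<->enterprise, ICS<->ICS) are allowed;
      - flows that originate from or terminate at the DMZ are allowed;
      - any direct enterprise<->ICS flow bypasses the DMZ and is denied;
      - flows involving a host missing from the inventory are flagged for review.
    """
    s, d = level_of(flow.src), level_of(flow.dst)
    if s is None or d is None:
        return "review", "unknown host (not in asset inventory)"
    if s == DMZ or d == DMZ:
        return "allow", "traverses the DMZ"
    if s in ENTERPRISE and d in ENTERPRISE:
        return "allow", "enterprise-internal"
    if s in ICS and d in ICS:
        return "allow", "ICS-internal"
    return "deny", f"direct enterprise<->ICS flow bypasses the DMZ (L{s} -> L{d})"


def audit(flows):
    """Evaluate every flow; return (flow, verdict, reason) for each non-allowed one."""
    findings = []
    for f in flows:
        verdict, reason = evaluate(f)
        if verdict != "allow":
            findings.append((f, verdict, reason))
    return findings


# Constructed sample flows, as might be exported from a firewall or NetFlow collector.
SAMPLE_FLOWS = [
    Flow("10.0.4.20", "10.0.35.5", 443),    # ERP pulls data from DMZ historian: fine
    Flow("10.0.35.5", "10.0.3.7", 1433),    # DMZ historian reads from MOM: fine
    Flow("10.0.2.15", "10.0.1.31", 502),    # HMI polls PLC over Modbus: fine
    Flow("10.0.5.10", "10.0.2.15", 3389),   # corporate host straight to HMI: denied
    Flow("203.0.113.9", "10.0.1.31", 502),  # address not in inventory to PLC: review
]

if __name__ == "__main__":
    for f, verdict, reason in audit(SAMPLE_FLOWS):
        print(f"{verdict.upper():6} {f.src} -> {f.dst}:{f.dport}  {reason}")
```

Run against real flow exports, the interesting output is the "deny" list: each entry is a path that exists in practice but not on the Purdue diagram, which is exactly the kind of remote-access shortcut the Oldsmar incident above illustrates.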

Not every IT/OT environment will have this layer, however, given that ISA only introduced it relatively recently. Even those that do face challenges.

Today's operating environments are different to those in the 1990s, when the Purdue model first evolved and the cloud as we know it didn't exist. Engineers want to log directly into on-prem management operations or SCADA systems. Vendors might want to monitor their intelligent devices at customer sites directly from the Internet. Some companies yearn to forklift their entire SCADA layer into the cloud, as Severn Trent Water decided to do in 2020.

The evolution of ICS as a service (ICSaaS), managed by third parties, has further muddied the waters for security teams grappling with IT/OT convergence. All these factors risk opening multiple holes in the environment and circumventing any prior segmentation efforts.

Cutting through the whole tangled mess 

Instead, some companies are adopting new approaches that venture beyond segmentation. Rather than relying on fast-disappearing network boundaries, they examine traffic at the device level in real time. This isn't far off the original de-perimeterization proposals advanced by the Open Group's Jericho Forum in the early noughties, but analysing traffic at so many different points in the network then was difficult. Today, defenders are better able to keep a watchful eye thanks to the advent of AI.

Darktrace is applying some of these concepts within its Industrial Immune System. Instead of watching for known malicious signatures at the borders of network segments, it begins by learning what's normal everywhere in the IT and OT environment, including any parts of that environment hosted in the cloud.

Having established an evolving baseline of normality, the service then analyses all traffic for activity that falls outside of it. It can alert administrators and security analysts to these issues, as it did for one European manufacturing client.

The service is also autonomous. When a customer trusts its decisions enough to flip the switch, the Immune System can move from merely alerting to taking proportional action. This might mean blocking certain forms of traffic, enforcing a device's normal behavior, or in severe cases quarantining systems altogether, including equipment in the OT/ICS layers.
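The learn-normal-then-flag-deviation approach described in the last three paragraphs can be shown in miniature. The following is an added illustration written for this article, not Darktrace's own algorithm: it learns each device's usual set of peers and ports from a training window of constructed flow logs, scores later flows against that baseline, and maps the size of the deviation to a proportional response (log, alert, block, quarantine). Device names, addresses, log lines and the severity thresholds are all constructed.

```python
"""Baseline-then-anomaly detection over constructed flow logs.

Added illustration, not Darktrace's code. Each source device's normal
(peer, port) pairs are learned from a training window; live flows are then
classified by how far they depart from that baseline, and the severity is
mapped to a proportional action.
"""
from collections import defaultdict

# Constructed training-window flows: "timestamp src dst dport" per line.
TRAINING_LOG = """\
2021-02-01T08:00:01 hmi-1 plc-3 502
2021-02-01T08:00:06 hmi-1 plc-3 502
2021-02-01T08:00:11 hmi-1 plc-4 502
2021-02-01T08:05:00 historian mom-srv 1433
2021-02-01T09:00:00 eng-ws-7 hmi-1 5900
2021-02-01T09:30:00 eng-ws-7 hmi-1 5900
"""

# Constructed live flows to score; the last four are deliberately abnormal.
LIVE_LOG = """\
2021-02-02T08:00:03 hmi-1 plc-3 502
2021-02-02T08:00:08 hmi-1 plc-4 502
2021-02-02T10:12:41 eng-ws-7 hmi-1 5900
2021-02-02T10:13:02 eng-ws-7 plc-3 502
2021-02-02T10:13:30 hmi-1 plc-3 23
2021-02-02T10:14:00 hmi-1 198.51.100.7 443
2021-02-02T10:14:10 hmi-1 198.51.100.7 8443
"""


def parse(log):
    """Yield (ts, src, dst, dport) tuples from the constructed log format."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        yield ts, src, dst, int(dport)


def learn_baseline(log):
    """Map each source device to the set of (peer, port) pairs it normally talks to."""
    baseline = defaultdict(set)
    for _, src, dst, dport in parse(log):
        baseline[src].add((dst, dport))
    return baseline


def known_hosts(baseline):
    """Every host that appeared anywhere in the training window, as source or peer."""
    every = set(baseline)
    for pairs in baseline.values():
        every.update(dst for dst, _ in pairs)
    return every


def score(baseline, flow):
    """Classify one live flow against the baseline.

    Returns (severity, action, reason). Severity 0: matches baseline; 1: known
    peer but a new port; 2: a host seen in the environment but never as this
    device's peer; 3: a host never seen anywhere in the baseline. Actions
    escalate proportionally: log, alert, block, quarantine (constructed mapping).
    """
    _, src, dst, dport = flow
    pairs = baseline.get(src, set())
    if (dst, dport) in pairs:
        return 0, "log", "matches baseline"
    peers = {d for d, _ in pairs}
    if dst in peers:
        return 1, "alert", f"{src} uses new port {dport} to known peer {dst}"
    if dst in known_hosts(baseline):
        return 2, "block", f"{src} contacts {dst} for the first time"
    return 3, "quarantine", f"{src} reaches host {dst} never seen in the baseline"


def run(training_log, live_log):
    """Learn the baseline, then return (flow, severity, action, reason) for each live flow."""
    baseline = learn_baseline(training_log)
    return [(flow, *score(baseline, flow)) for flow in parse(live_log)]


if __name__ == "__main__":
    for (ts, src, dst, dport), sev, action, reason in run(TRAINING_LOG, LIVE_LOG):
        if sev:
            print(f"{ts} sev={sev} {action:10} {reason}")
```

The point of the tiered actions is the "proportional" part of the paragraph above: a new port to a familiar peer only raises an alert, while an HMI suddenly talking to a host the baseline has never seen is treated as severe. In a real deployment the baseline would be re-learned continuously and the thresholds tuned per site; here they are fixed so the behaviour is easy to follow.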

Darktrace's executives hope that this move to a more granular model of constant, ubiquitous traffic analysis, combined with real-time assessment against known normal behaviour, will help to thwart the rising tide of ICS cyberattacks. It will hopefully also enable companies to become more agile, supporting remote access and cloud-based ICS initiatives. In the future, you won't have to risk someone turning the lights out in your quest to keep the lights on.

Sponsored by Darktrace
