For manufacturing companies using advanced manufacturing technologies, cybersecurity is more complicated than it is for companies that can rely on conventional IT management practices. The following two articles from cybersecurity experts at the National Institute of Standards and Technology point out some of the security risks manufacturers face—whether in a smart factory environment or as a builder or user of IoT devices—and how to mitigate them.
Whether You Build Them or Buy Them, IoT Device Security Concerns Us All
By Barbara Cuthill
The Internet of Things (IoT) offers many attractions for small and medium-sized manufacturers (SMMs) who may want to integrate IoT into their facilities and operations, or who seek to enter the IoT market with innovative products. The spectrum of available IoT products is broad and continually growing.
When venturing into the IoT waters, it’s helpful to be prepared for the potential cybersecurity pitfalls, whether in the form of implications for organizational risk management when introducing IoT to the environment, or considerations for product design and support when entering the marketplace as a product vendor. The National Institute of Standards and Technology (NIST) Cybersecurity for the Internet of Things program is working to provide the information that SMMs need to navigate these potentially turbulent waters.
IoT and Risk Management
Before you install smart thermostats to keep your employees comfortable, add smart coffee pots to break rooms to keep them caffeinated, or deploy the latest and greatest Industrial Control System (ICS) technology in your production environment, it’s important to recognize the potential implications. You may have a robust information security program for your traditional IT, but those tools, processes, and procedures will likely require adaptation when IoT is introduced. Some of the ways that IoT is different include:
- Interacting with the physical world. IoT devices are equipped either with sensors that collect information from their environment or actuators that cause “real world” objects to move or change. Sensing can generate a lot of potentially sensitive data, so knowing what is collected and where it’s going is important. A compromised actuator could enable an adversary to cause significant disruption—think what could happen if you don’t know who is commanding your smart locks.
- Challenging conventional IT management practices. IoT devices are often “black boxes” that both obscure their internal goings-on and can’t be equipped with agents or queried in the same manner as servers, desktops or firewalls. As a result, common IT management practices can prove ineffective with IoT. These management challenges can multiply quickly if you’re deploying IoT devices “at scale.”
- Lacking common cybersecurity and privacy features. IoT devices often lack support for logging and monitoring, support for updating devices to address newly identified vulnerabilities, or cryptographic capabilities needed to protect sensitive information they generate or process. It cannot be assumed these devices possess the same cybersecurity capabilities as IT devices on the same network.
SMMs adopting IoT into their environments need to be prepared to address these challenges. If entering the IoT market as a vendor, understanding these challenges can be an opportunity to develop a product that provides a better customer experience.
Managing Your IoT Security Risk
When adopting IoT technology in their organizations, SMMs should plan to address these challenges with an eye toward three goals:
- Protecting IoT device security to ensure that the product is fully under the owner’s control, and not being exploited by outside actors to gain access to the SMM’s network or participate in a botnet.
- Protecting data security so that data generated by IoT devices isn’t exposed or altered while stored on the devices, transferred across the network or transmitted to a cloud-based service used to provide aspects of the product’s capabilities.
- Protecting individuals’ privacy, being alert to the possibility of privacy-sensitive information being captured or created by IoT products, and cognizant of where that data might travel.
These goals are articulated in NISTIR 8228, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks, and they can be difficult to achieve with currently available IoT products. For organizations that are applying the NIST Cybersecurity Framework (CSF) or defining their security requirements using NIST SP 800‑53 controls, NISTIR 8228 identifies a range of challenges that IoT devices present to achieving the ends that the CSF and SP 800‑53 intend.
For example, control SI-2, Flaw Remediation, from SP 800‑53 cannot be satisfied by IoT devices that lack an ability for secure software/firmware updates. Similarly, many IoT devices cannot be analyzed in the manner needed to satisfy the CSF subcategory DE.CM-8: Vulnerability scans are performed.
Consideration for the three goals identified above should factor into the selection of IoT products, as well as how they are managed, as the security capabilities of IoT devices contribute to achieving the overall security requirements of the systems into which the devices are integrated.
Improving Your IoT Products’ Security Posture
If you are venturing into the creation of IoT products, awareness of cybersecurity challenges can help guide your approach to the development and support of your product. The three goals described above also apply when developing an IoT product. A thoughtful approach to development with those goals in mind will result in a more manageable, more secure product. This approach involves both the design and development phase for the product and the support phase once it’s brought to market, as illustrated in this figure from NISTIR 8259, Foundational Cybersecurity Activities for IoT Device Manufacturers.
The core baselines outline device abilities and supporting actions across a spectrum of needs:
The planning activities combined with applying the technical and non-technical baselines will help SMMs develop products that are both more secure-able and better supported, helping your customers to take advantage of your IoT innovations while limiting the impact to their risk management challenges.
Information That Can Help
The NIST Cybersecurity for the Internet of Things program has engaged deeply with the community over the last several years and developed a rich collection of guidance around IoT cybersecurity challenges. Whether you are an SMM looking to improve operations with the integration of IoT or enter the marketplace with new products, there are many resources and publications available to assist your efforts.
NIST’s Cybersecurity for IoT welcomes manufacturer feedback on our current public drafts.
About the Author
Barbara Cuthill received her PhD in Computer Science from the University of Connecticut. Her career at the National Institute of Standards and Technology has spanned the Advanced Technology Program, the Technology Innovation Program and the National Strategy for Trusted Identities in Cyberspace National Program Office. She is currently the Deputy Program Manager for the NIST Cybersecurity for IoT Program.
Reprinted with permission of NIST.
Detecting Abnormal Cyber Behavior Before a Cyberattack
By Dr. Michael Powell
The promise of advanced manufacturing technologies—also known as smart factories or Industry 4.0—is that by networking our machines, computers, sensors, and systems, we will (among other things) enable automation, improve safety, and ultimately become more productive and efficient. And there is no doubt that manufacturing has already benefited from that transformation.
Connecting all of these sensors and devices to our industrial control systems (ICS), and the increase in remote work and monitoring, results in manufacturing networks with greater vulnerabilities to cyberattack. This is an increasingly challenging dynamic as manufacturers sort out how to adopt commercial information technology (IT) standards that are compatible with their operational technology (OT) standards.
New Standards-Based Capabilities Will Help Manufacturers
NIST’s National Cybersecurity Center of Excellence (NCCoE), in conjunction with NIST’s Engineering Laboratory, recently released a report that demonstrated a set of behavioral anomaly detection (BAD) capabilities to support cybersecurity in manufacturing organizations. The use of these capabilities enables manufacturers to detect anomalous conditions in their operating environments to mitigate malware attacks and other threats to the integrity of critical operational data.
In other words, manufacturers will be able to continuously monitor systems in real-time or near real-time for evidence of compromise. The development of standards-based cyber controls is an important aspect of security requirements of manufacturers.
How BAD Monitoring Translates to Early Detection of Cyber Threats
Behavioral anomaly detection involves the continuous monitoring of systems for unusual events or trends. The monitor looks in real time for evidence of compromise, rather than for the cyberattack itself. Early detection of potential cybersecurity incidents is key to helping reduce the impact of these incidents for manufacturers. Cyber breaches are typically detected after the attack.
BAD tools are implemented in ICS and OT environments and could be monitored by a human control interface, which many manufacturers use to monitor their operations. The operator would be able to see network traffic and be alerted to the addition of any authorized or unauthorized device or connection.
For example, the system would know what communications are authorized with a programmable logic controller (PLC), so any new contact would generate an alert. Likewise, any abnormal talking between connected machines, modifications in human-machine interface (HMI) logic, or other anomalies would be noted.
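The PLC case above, worked as an added example (not code from NIST or the NCCoE report): a baseline of authorized communications is learned from one window of flow records, and any new contact with the PLC in a later window raises an alert. The addresses, ports and log format are constructed for illustration.

```python
"""Passive baseline check for PLC communications, run over constructed flow records."""
import csv
import io

# Hypothetical PLC address (documentation range), not taken from the article.
PLC_ADDRS = {"192.0.2.10"}

# Constructed flow records: timestamp, source, destination, destination port.
BASELINE_LOG = """\
2024-05-01T08:00:01,192.0.2.20,192.0.2.10,502
2024-05-01T08:00:02,192.0.2.21,192.0.2.10,44818
2024-05-01T08:00:05,192.0.2.20,192.0.2.10,502
"""
LIVE_LOG = """\
2024-05-02T09:15:00,192.0.2.20,192.0.2.10,502
2024-05-02T09:15:03,192.0.2.77,192.0.2.10,502
2024-05-02T09:15:04,192.0.2.21,192.0.2.10,102
2024-05-02T09:15:09,192.0.2.77,192.0.2.10,502
2024-05-02T09:15:10,192.0.2.21,192.0.2.30,445
"""

def parse_flows(text):
    """Yield (timestamp, src, dst, port) tuples from CSV flow records."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) == 4:
            ts, src, dst, port = (field.strip() for field in row)
            yield ts, src, dst, int(port)

def learn_baseline(text, plcs=PLC_ADDRS):
    """Collect every (src, dst, port) seen talking to a PLC in the learning window."""
    return {(s, d, p) for _, s, d, p in parse_flows(text) if d in plcs}

def detect_new_contacts(text, baseline, plcs=PLC_ADDRS):
    """Return one alert per unseen flow to a PLC. Reports only; nothing is blocked."""
    known_peers = {(s, d) for s, d, _ in baseline}
    alerts, seen = [], set()
    for ts, src, dst, port in parse_flows(text):
        key = (src, dst, port)
        if dst not in plcs or key in baseline or key in seen:
            continue  # not PLC traffic, already authorized, or already alerted
        seen.add(key)
        kind = "new_port" if (src, dst) in known_peers else "new_peer"
        alerts.append({"first_seen": ts, "kind": kind,
                       "src": src, "dst": dst, "port": port})
    return alerts

if __name__ == "__main__":
    for alert in detect_new_contacts(LIVE_LOG, learn_baseline(BASELINE_LOG)):
        print(alert)
```

The repeated flow from the unknown host produces a single alert, and a known peer reaching the PLC on a port it never used before is reported separately from a wholly new peer.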
The BAD solution is a relatively inexpensive modular approach and an efficient way to detect anomalies. However, BAD alerts are passive in nature and would not necessarily take remedial actions such as shutting down the production process.
Manufacturers Remain a Target for Cyberattacks
According to the U.S. Department of Homeland Security, manufacturing was the most targeted industry for infrastructure attacks in 2015, and small and medium-sized manufacturers (SMMs) continue to be prime cyber targets.
There is greater demand for cybersecurity because of manufacturers’ growing dependence on technology and data as drivers of productivity and efficiency. SMMs traditionally have been challenged in how to manage cybersecurity concerns for a variety of reasons.
For one, the manufacturing technology mix includes IT (networks and business-side software such as email, finance and ERPs) and OT (operational technology, such as machines and control systems). Cyber competes with many other areas in terms of funding, awareness, and education, and it’s difficult to dedicate specialty resources for in-house staffing. Cybersecurity has not been a priority in the OT build, which means as IT and OT are connected, the vulnerabilities of legacy systems become potential liabilities to the whole network.
What’s next from NIST Labs and NCCoE for Cybersecurity
The work to develop the BAD capability used 16 test cases, or classifications. Some were simple alerts to an event, such as password and authentication failures, and others involved some level of analytics, such as notification of unauthorized software installations and an alert of denial of service.
The next joint project from NIST’s NCCoE and Engineering Laboratory, Protecting Information and System Integrity in Industrial Control System Environments, takes a more comprehensive approach to protection from data integrity hacks. These capabilities include security incident and event monitoring; application allow-listing; malware detection and mitigation; change control management; user authentication and authorization; access control least privilege; and file-integrity checking mechanisms.
Nine manufacturing vendors and integrators have signed cooperative research and development agreements (CRADA) with the NCCoE to help develop the capability.
Contact Your Local MEP Center For Expert Cybersecurity Advice
Cybersecurity experts working in the manufacturing sector see education as a key to SMM adoption. More SMMs are looking at cyber consultations in a manner similar to how they might seek expertise for finance or insurance.
If you are not sure where to start with cybersecurity for your manufacturing firm, check out this assessment tool and NIST’s Cybersecurity Framework. You also can browse the NIST MEP collection of cybersecurity resources for manufacturers.
For particular needs, the most expedient route to find proper guidance is to connect with a cybersecurity expert at your local MEP Center.
About the Author
Michael Powell is a cybersecurity engineer at the National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) in Rockville, Maryland. His research focuses on cybersecurity for the manufacturing sector, particularly how it impacts industrial control systems.
Dr. Powell joined the NCCoE in 2017. In his previous positions, he was responsible for the management/oversight of building and commissioning of U.S. Navy DDG-51 class ships. He also served in the United States Navy for over 20 years, retiring as a Chief Petty Officer.
He holds a Bachelor’s degree in information technology, a Master’s degree in public administration, and a Master’s degree in information technology. Dr. Powell completed his doctorate in applied computing at Pace University.
Reprinted with permission of NIST.