Securing The Internet of Things – Industrial Control Systems

By Daniel Cole | September 14, 2016

The Internet of Things (networks of uniquely identifiable endpoints, or "things," that communicate without human interaction using embedded IP connectivity) is the next industrial revolution. Estimates say there will be 24 Billion IoT devices installed by 2020, and $6 Trillion will be invested in IoT devices over the next 5 years. With that kind of growth and investment, protecting each of these “things” and their corresponding interactions with other components, including our networks, will be critical.

So where is this growth coming from? Businesses, governments, and consumers are all using IoT ecosystems. It is estimated that consumers will have 5 billion IoT devices installed by 2020. While this is impressive, it is dwarfed by governments (an estimate of at least 7.7 billion devices installed by 2020) and businesses (at least 11.2 billion devices installed by 2020). But how secure will those devices be?

An AT&T Cybersecurity survey of more than 5,000 enterprises worldwide found that 85% of enterprises are in the process of or are planning to deploy IoT devices, but only 10% feel confident that they can secure those devices against hackers.

Focusing on Protecting Industrial Control Systems (ICS)

Industrial control system (ICS) is a general term that encompasses several types of control systems used in industrial production. ICSs are typically used in the electrical, water, oil, gas, and data industries. Industrial control systems worldwide are already using “smart” IoT devices and systems, and that use is growing. Some examples include:

  • By 2020, we estimate that 5.4 million IoT devices will be used on oil extraction sites. These will primarily be Internet-connected sensors used to provide environmental metrics about extraction sites.
  • To meet the rising demand for energy, energy companies around the world will be installing nearly 1 billion smart meters by 2020.
  • In the area of infrastructure, we estimate that municipalities worldwide will increase their spending on IoT systems at a 30% compound annual growth rate (CAGR), from $36 billion in 2014 to $133 billion in 2019. This investment will generate $421 billion in economic value for cities worldwide in 2019.
  • Finally, in manufacturing, 35% of manufacturers already use smart sensors, with an additional 10% planning to implement them within the next year.

Evolution of Industrial Control Systems

In the 1950s the first analog-based supervisory control and data acquisition (SCADA) systems were developed. They were usually monolithic, isolated, and proprietary, residing on minicomputers with backup mainframe systems for added redundancy. Over time, the market saw huge growth in the number of manufacturers and vendors supporting the ICS market. Unfortunately, because standards were still being established, this caused interoperability issues and significantly increased the cost of maintaining these systems.

Once the applications and protocols used to control the various ICS systems were standardized, products from different vendors could interoperate, adding a level of flexibility and interaction not previously seen.

Next, IP communications in the late 1980s and early 1990s propagated the concept of local area networks (LAN) and process control networks (PCN), which drove the replacement of older, aging, and limited serial communication links with Ethernet networks. As the IT revolution moved forward, these ICS LAN/PCNs were upgraded to keep up with the latest application and control developments for SCADA-based systems.

Today, in what is known as the fourth industrial revolution (Industry 4.0), the division of control between ICS and IT infrastructures has become blurred. With added interconnectivity between the very latest IT and cloud infrastructure offerings, businesses are able to increase operational efficiency and, as a result, increase profits while reducing costs. CEOs, CFOs, and board members are obviously thrilled with such technological advantages that they can leverage. However, the adverse impact of this next generation of industrial convergence is the cyberthreat exposure this approach brings with it.

Cyberthreats in ICS Environments

While many cybersecurity threats and incidents that occur inside industrial networks are unintentional, meaning they are due to human error or device or software failure, external threats remain the top concern. Manufacturing and Energy, for example, have been the most targeted sectors in recent years, but many other segments of our critical infrastructure (Water, Transportation, Government Facilities) have seen multiple incidents of cyberattacks.

Fortinet recently commissioned Forrester Consulting to conduct a survey to explore current state, challenges, priorities, and strategies for securing critical infrastructure. Forrester surveyed 214 U.S. organizations across all industries, focusing on companies of 1,000 or more employees, with distributed critical infrastructure sites such as hospitals, power plants, manufacturing plants, dams, government facilities, and refineries.

The organizations surveyed acknowledge the importance of SCADA/ICS security. They currently undertake numerous measures to secure SCADA/ICS, and seek to increase investment in security over the next year.

Fears of outside threats appear to drive this stance. 78% of respondents stated that security attacks from non-state actors drove their SCADA/ICS security strategy. These fears are justified: 77% of organizations report that their SCADA/ICS had experienced a security breach, with 2/3 of those occurring in the past year. Impacts from those breaches ranged from their ability to meet compliance standards to maintaining functionality and employee safety.

Breach points are everywhere within Industry 4.0 networks, from outside threats to inside threats, and from RTU (Remote Terminal Unit) or HMI (Human Machine Interface) exploits to breaches of air-gapped networks. You need a well-conceived, layered defense to make sure you’re covering all your bases.

ICS Defense Strategy #1: Defense-in-Depth Strategy

A defense-in-depth strategy deploys application security at both the host RTU and the network level, with multiple, tightly integrated detection mechanisms. Fortinet’s Defense-in-Depth Strategy prevents threats from entering the organization through stringent boundary controls by enabling organizations to:

  • Deploy web filtering, antivirus, intrusion prevention, and application control (FortiGate) and anti-spam (FortiMail).
  • Provide secure remote access (FortiGate SSL and IPsec VPN), together with secure remote authentication methods (FortiAuthenticator).
  • Segregate networks and prevent malware propagation with inter-zone antivirus, intrusion prevention, and application control (FortiGate).
  • Secure wireless communication with rogue access point detection, and segregate engineering traffic on dedicated SSIDs (FortiGate and FortiAP).
  • Secure SCADA communications with hardware-accelerated VPN back to the management HMI network (FortiGate).
  • Prevent malware propagation and non-authorized communication channels with on-the-wire antivirus, intrusion prevention, and application control (FortiGate).
  • Secure, audit, and monitor the HMI database (FortiDB).
  • Implement vulnerability assessment, patch management, and auditing of all organizational assets (FortiScan).
  • Protect web-based HMIs from exploitation with web application firewalling (FortiWeb).

ICS Defense Strategy #2: Internal Segmentation Architecture

Relying on perimeter security, such as a traditional edge firewall, to protect your internal network is no longer enough. The Fortinet Internal Segmentation Firewall (ISFW) is designed to sit between two or more points on the internal network, providing visibility into, control over, and mitigation of traffic between disparate network segments, and protecting each segment from malicious code as it tries to make its way through the internal network.
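As an added illustration of the segmentation idea (example code written for this page, not Fortinet's or the ISFW's own logic), the following evaluates constructed traffic flows against a default-deny inter-zone policy so that a flow from a compromised corporate host toward an RTU is denied and logged rather than passed. The zone names, address ranges, sample flows, and the assumption that HMI-to-RTU traffic is Modbus/TCP on port 502 are all made up for the example.

```python
import ipaddress
from collections import namedtuple
Flow = namedtuple("Flow", "src dst proto dst_port")

# Constructed zone map (example addressing, not from the article): one range per segment.
ZONES = {
    "corporate_it": ipaddress.ip_network("10.1.0.0/16"),
    "hmi_mgmt": ipaddress.ip_network("10.20.0.0/24"),
    "engineering_ssid": ipaddress.ip_network("10.30.0.0/24"),
    "rtu_field": ipaddress.ip_network("10.40.0.0/24"),
}
# Explicit allow rules (src_zone, dst_zone, proto, dst_port); cross-zone traffic matching
# no rule is denied by default. Modbus/TCP on 502 is assumed as the SCADA protocol here.
ALLOW_RULES = {
    ("hmi_mgmt", "rtu_field", "tcp", 502),         # HMI polls the RTUs
    ("engineering_ssid", "hmi_mgmt", "tcp", 443),  # engineers reach the HMI web UI
    ("corporate_it", "hmi_mgmt", "tcp", 443),      # reporting access from corporate IT
}

def zone_of(addr):
    """Map an address to its zone; addresses outside every zone map to 'unknown'."""
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), "unknown")

def evaluate(flow):
    """Return (verdict, reason) for one flow seen by the internal segmentation firewall."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if "unknown" in (src_zone, dst_zone):
        return "deny", f"unmapped address ({src_zone}->{dst_zone})"
    if src_zone == dst_zone:
        return "allow", f"intra-zone {src_zone}"
    if (src_zone, dst_zone, flow.proto, flow.dst_port) in ALLOW_RULES:
        return "allow", f"rule {src_zone}->{dst_zone} {flow.proto}/{flow.dst_port}"
    return "deny", f"no rule for {src_zone}->{dst_zone} {flow.proto}/{flow.dst_port}"

def denied_flows(flows):
    """Log lines for denied flows: the cross-segment attempts an ISFW should surface for review."""
    lines = []
    for f in flows:
        verdict, reason = evaluate(f)
        if verdict == "deny":
            lines.append(f"DENY {f.src}->{f.dst} {f.proto}/{f.dst_port}: {reason}")
    return lines

# Constructed sample flows; the third imitates a compromised IT host reaching an RTU directly,
# the fourth comes from an address no zone claims (a rogue or misconfigured device).
SAMPLE_FLOWS = [
    Flow("10.20.0.5", "10.40.0.17", "tcp", 502),
    Flow("10.30.0.8", "10.20.0.5", "tcp", 443),
    Flow("10.1.7.22", "10.40.0.17", "tcp", 502),
    Flow("192.168.9.9", "10.40.0.17", "tcp", 502),
]
```

Running `denied_flows(SAMPLE_FLOWS)` yields two DENY lines; the same check with `udp` instead of `tcp` for the HMI-to-RTU flow is also denied, because the rule matches the protocol and port, not just the zone pair.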

ICS Defense Strategy #3: Advanced Threat Protection (Sandbox Technology)

Fortinet's ATP Framework includes:

  • FortiGate, FortiMail, and FortiWeb deliver sophisticated and collaborative network threat prevention
  • FortiClient provides endpoint threat prevention
  • FortiSandbox enables analysis and discovery of sophisticated and zero-day threats
  • FortiGuard Labs provides relevant, near-real time global threat intelligence to connected Fortinet security devices everywhere

To better understand how these products work together, keep in mind that:

  1. All four threat prevention products listed above can submit objects for sandbox analysis and receive results.
  2. FortiMail can hold and block messages based on those results. FortiGate passes objects through in parallel with FortiSandbox analysis and, based on the results, can quarantine the devices that received those objects with a single click. FortiClient can be configured either to hold objects for analysis or to quarantine afterwards.
  3. In addition to returning the results of individual analyses to the submitting devices, FortiSandbox dynamically generates threat intelligence that can be distributed as automated updates to FortiGate and FortiClient, allowing them to dynamically block advanced attacks seeking entry at multiple points.
  4. When customers choose to share FortiSandbox analysis with FortiGuard Labs, all Fortinet customers and products will receive updated protections.

A Layered Defense is the Best Defense

To truly protect the ICS systems in your critical infrastructure, an approach like Fortinet’s ICS Layered Defense Model is the best solution. An ATP Framework allows you to detect and act on the latest, most advanced malware. A defense-in-depth approach provides you with multiple, tightly integrated layers of protection. And internal segmentation allows you to contain any malicious code that has made it past your external defenses, thereby containing a breach and limiting the damage. With the explosive growth of IoT devices within industrial control systems, and so much at stake in critical infrastructure protection, this is an area where we need to be concentrating our most advanced cybersecurity defenses.