From Nuclear Centrifuges to Machine Shops: Securing IoT

IoT, or the ‘internet of things’, has been around for a lot longer than the buzzword or the media would have you believe. Industries have used network connectivity to interlink hosts for as long as the technology has been available. Because these hosts sit on networks, they can receive data from outside sources and are thus just as exposed to exploitation as any laptop or server.

Remember Stuxnet?

Let’s begin our review of how to secure these IoT networks by discussing one of the most prevalent and well-known pieces of malware in this category: Stuxnet. Of course, you’ve heard of it. Here’s the history. This particular worm was created specifically to interface with SCADA systems and their associated logic controllers, and then to make adjustments designed to damage the attached equipment.

The original, intended target for this malware was a facility in Iran used for enriching uranium to produce nuclear material. A contractor working at the plant carried the malware on a USB device. Upon returning to work, the contractor plugged the device into a system and, unknowingly or knowingly, released the malware into the network. The malware spread undetected to the plant’s PLCs, making minute adjustments to the rotation of the nuclear centrifuges that led them to spin out of control and collapse.

While you may think this a very dramatic, political, James Bond-esque example, the principles are just as applicable to a small, mom-and-pop manufacturing plant as they are to a large industrial facility. Both require the same care and security diligence, regardless of the size of the email server or database. Unfortunately, a number of security issues plague many IoT networks, large and small.

Security issues such as outdated technology, unpatched software, unsupported operating systems, and unmonitored hardware are prevalent in many IoT networks. Some of these are an unfortunate byproduct of necessity. For example, some legacy controllers require very particular software, and that software only runs on a very particular operating system that the vendor no longer supports.

As you can imagine, the cost of upgrading to more modern software and PLCs is daunting, particularly for a small- to medium-sized business, and there is very much an attitude of “if it isn’t broken, why fix it.”

How you can protect your network

So what can you do? As with any network, update all software to the latest known-good version and apply all appropriate security patches to every system within the network. Segregate IoT hosts and their respective networks from the general corporate network, and especially from the internet.

You have help. A number of software solutions can scan a network and specifically locate IoT hosts, helping administrators identify where these devices are sitting. You can then add these devices to an ongoing inventory, and your network team can architect an appropriate segregation strategy to ensure these hosts are not accessed unnecessarily.

So you’ve upgraded and patched all hosts, and segregated the networks from the internet and the corporate system. It’s all good now, right? Unfortunately, no. In the Stuxnet example, the network in question was actually air-gapped, meaning there was no way to get into it from outside. The malware was carried in by a contractor with an infected USB device.

This is where monitoring comes into play. Just like any other computer system, IoT hosts can be monitored via their logs. A number of solutions on the market can receive the logs from these hosts, normalize them, and correlate them to detect potential threats. These can even be tied directly to a SIEM or XDR platform to continue the correlation across any number of different host types.
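To make the inventory, segregation and log-correlation advice concrete, here is an added example (not code from the original post or from any product it mentions) of the kind of logic a SIEM rule set might apply. It assumes a hypothetical asset inventory, a constructed OT subnet (10.20.0.0/24), a constructed jump-host subnet that is allowed to reach OT hosts, and constructed log lines in two made-up formats: a firewall line and a key=value line from a PLC or engineering workstation. The correlation flags three things the article calls out: traffic reaching an OT host from outside the permitted segments, a host that logs events but is not in the inventory, and a removable-media insertion on a workstation followed shortly by a logic download to a PLC from that same workstation.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Hypothetical asset inventory (constructed for this example): host -> address and role.
INVENTORY = {
    "plc-line1": {"ip": "10.20.0.11", "role": "plc"},
    "plc-line2": {"ip": "10.20.0.12", "role": "plc"},
    "eng-ws01": {"ip": "10.20.0.50", "role": "engineering_workstation"},
}
# Constructed segmentation policy: the OT segment itself plus one jump-host subnet may reach OT hosts.
OT_SEGMENT = ip_network("10.20.0.0/24")
ALLOWED_TO_OT = [OT_SEGMENT, ip_network("10.30.1.0/24")]

# Two constructed log formats (not any vendor's real format).
FW_RE = re.compile(r"^(?P<ts>\S+) fw: ALLOW src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
HOST_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kv>.*)$")

# Constructed sample log lines, already merged from several sources and not yet sorted.
SAMPLE_LOGS = [
    "2024-05-01T08:01:00 fw: ALLOW src=192.168.5.23 dst=10.20.0.11 dport=502",
    "2024-05-01T07:10:00 plc-line2 event=logic_download from=10.20.0.50 user=engineer",
    "2024-05-01T08:00:30 fw: ALLOW src=10.30.1.7 dst=10.20.0.12 dport=502",
    "2024-05-01T08:02:10 eng-ws01 event=removable_media_insert device=USB_VID_0781 user=contractor",
    "2024-05-01T08:05:42 plc-line1 event=logic_download from=10.20.0.50 user=contractor",
    "2024-05-01T08:07:03 unknown-hmi event=heartbeat",
]


def normalize(line):
    """Turn one raw log line into a common event dict; return None if it matches no known format."""
    m = FW_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "type": "conn", "host": "fw",
                "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}
    m = HOST_RE.match(line)
    if m:
        event = {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"]}
        event.update(kv.split("=", 1) for kv in m["kv"].split())
        return event
    return None


def correlate(lines, window=timedelta(minutes=10)):
    """Normalize all lines, replay them in time order and return a list of alert tuples."""
    events = [e for e in (normalize(line) for line in lines) if e is not None]
    ip_to_host = {v["ip"]: name for name, v in INVENTORY.items()}
    alerts = []
    media_inserted_at = {}  # workstation -> time of most recent removable-media insertion
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e.get("type") == "conn":
            # Segmentation check: anything reaching an OT address from a non-permitted source.
            if ip_address(e["dst"]) in OT_SEGMENT and not any(
                    ip_address(e["src"]) in net for net in ALLOWED_TO_OT):
                alerts.append(("segmentation_violation", e["src"], e["dst"], e["dport"]))
            continue
        # Inventory check: a host we have never catalogued is emitting events.
        if e["host"] not in INVENTORY:
            alerts.append(("unknown_host", e["host"]))
        if e.get("event") == "removable_media_insert":
            media_inserted_at[e["host"]] = e["ts"]
        if e.get("event") == "logic_download":
            # Cross-host correlation: USB insertion on the workstation, then a PLC logic download from it.
            src_host = ip_to_host.get(e.get("from"))
            inserted = media_inserted_at.get(src_host)
            if inserted is not None and e["ts"] - inserted <= window:
                alerts.append(("usb_then_logic_download", src_host, e["host"]))
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

The rules are deliberately simple; the point is that each one needs data from a different source (firewall, workstation, PLC) normalized into one shape before the correlation is possible, which is exactly the work a log collector and SIEM do for you. The earlier logic download at 07:10 produces no alert because no removable-media event preceded it within the window, and the connection from the jump-host subnet is permitted by the policy.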

Through good system and network hygiene, monitoring, alerting, and remediation, you can stop potential threats in their tracks before they have a chance to destroy your ‘nuclear centrifuges’.
