My Top 10 Security Capability Recommendations for 2020
As reported in a previous article here at ActiveCyber.net, there are some major trends that are affecting the OT systems of today and the rollout of new IIoT systems of tomorrow. One key trend is the security, or rather, insecurity of OT and IIoT systems is increasing. Securing Operational Technology (OT) and the Industrial Internet of Things (IIoT) has been taking on a much more urgent tone over the last couple of years as attacks – both in number and sophistication – are on the rise. As the Fortinet 2019 OT Security Trends report of May 2019 noted … “the industry as a whole, is also tracking a disturbing rise in purpose-built OT attacks designed to target SCADA and ICS systems,” and … “Key takeaways from our 2019 Operational Technology Security Trends Report include the disturbing trend that exploits increased in volume and prevalence in 2018 for almost every ICS/SCADA vendor. And in addition to the recycled IT attacks being thrown at unpatched or non-updated OT devices, 85% of unique threats detected target machines running OPC Classic, BACnet, and Modbus.”
It is not just in-your-face denial of service attacks that worry asset owners. Just tracking and monitoring devices on the edge of the OT / IIoT environment could lead to problems. Not all devices are viewed as critical by asset owners, but even seemingly insignificant information can be valuable to attackers – something as small as monitoring a thermostat’s daily use could signal whether people are in a building or not. There is also the issue of default and weak credentials for these devices. Insecure communication could be a problem as well. We also can’t forget about the physical security risk around IIoT edge computing like tampering and damage.
New major technology advancements are also poised to have a major impact on IIoT and OT systems in the coming year, as AI/ML becomes involved in everything, and the rollout of 5G technology will accelerate. Investment in 5G, for example, is expected to hit $2.7 trillion by the end of 2020, according to Financing the Future of 5G, an October 2019 report by global financing firm Greensill. A significant amount of that spend will go toward [Industrial] Internet of Things (IoT) integration, with $585 billion geared to 5G implementation on [I]IoT hardware and $469 billion for [I]IoT services. The latest marketing report from Frost & Sullivan Technology Advancements Shaping Big Data Progress suggests that a combination of IoT, Big Data and AI could do wonders in the coming days by developing highly productive applications. However, introducing new technology into traditionally analog environments also means increased security risk as more “things” come online. While automation and AI-powered tools are streamlining operations, maintenance and user experience, they are also creating new doors for intrusion and, ultimately, negative results like the loss of IP, downtime or even bodily harm. These concerns have not gone unnoticed as Gartner identified security-related measures — such as social, legal and ethical issues; IoT governance; and trusted hardware and operating systems — as top trends in IoT development for 2019. In fact, security is the most significant area of concern for IoT adoption within organizations according to Gartner.
So what are the security capabilities we should place our bets on in 2020 with regards to OT and IIoT systems? Will these capabilities require major retooling by OT and IIoT asset owners? We all understand that a successful IIoT or OT system is all about matching needs to the right technology or mix of technologies. And we understand that trade-offs must be examined. Depending on the IIoT or OT application, we may choose to weigh the importance of ten key decision criteria differently: coverage, data throughput, mobility, latency, battery life, security, privacy, safety, operational/legacy impact, and cost. From strictly a security focus, the availability, efficiency, and effectiveness of cybersecurity capabilities are often different for IIoT and OT devices than conventional IT devices. This means organizations may have to select, implement, and manage additional controls, as well as determine how to respond to risk when sufficient controls for mitigating risk in the OT / IIoT environment are not available.
So here are my top recommended security capabilities for OT and IIoT systems for 2020. I based my choices on understanding the unique aspects of these systems, monitoring some of the key threat trends facing these systems, a survey of the current and relevant technologies and security standards, and my professional experience. Tell me what you think – did I get them right? What are your top 10? The following chart summarizes my recommended capabilities.
Capability 1: Real-time visibility and compliance tracking of assets that may have limited function and power
Organizations cannot secure what they cannot see, so having deployed devices “report” into a monitoring framework is essential. It’s similarly essential to see which devices have [or can] received regular software updates, to isolate those that have not [if possible] and to see which IIoT / ICS devices are no longer “reporting” data due to theft, power loss or physical damage. “Reporting” can be done actively by queries, such as through SNMP polling or some other type of scanning. This approach is preferred since detailed configurations and state information can be obtained of the device. Another approach is by push by the device to the central monitor such as through intermittent “heartbeats” by a watchdog agent. Many devices may have to be handled passively, by network sniffing of traffic or scanning the network traffic logs, since they don’t have the capacity to host an agent reporter. For example, a Bluetooth-enabled device will carry out a search within its range (typically 10 meters for a mobile device) to find other active Bluetooth devices that have registered themselves as visible to other devices. Finally, a “crowd-sourced” approach can be used where [more intelligent] devices capture their neighbors’ states and report. This approach can help in gathering more contextual information that could be useful to detect lateral movement by an attacker and other signs of attacks or compromise. Ultimately, the goal of this capability is to get visibility of the complete list of assets and conditions of the OT / IIoT environment, and insights into possible threats and systems compromise in real time.
Asset visibility comes with many challenges. IIoT networks are often very large hybrid infrastructures subject to constant change, so maintaining real-time visibility can be difficult. Additionally, IIoT/OT devices typically are closed, low power, or embedded systems that often were never designed with security in mind, so there simply is not the technical capacity for installing client-based agents to secure [or report] the endpoint. With new and legacy OT and IIoT operating systems such as Nucleus, Tizen, QNX, Green Hills, VxWorks, Riot, MyNewt, Zephyr, Windows IoT, and numerous others, organizations are simply not equipped to manage the plethora of these devices. Furthermore, most organizations are focused predominantly on WiFi and traditional OT wired protocols. With new IIoT devices communicating via ZigBee, Z-Wave, LoRa, Bluetooth, Sigfox, LTE, and more, as well as frequencies outside of 2.4 and 5GHz, organizations are simply blind to these devices in their environments. Finally, the critical response-time and availability and uptime requirements for many IIoT and OT devices make it impossible to interrogate these endpoints.
Battery life is also a consideration that affects asset visibility. Autonomous, rechargeable devices that are tracking assets in the supply chain may need anywhere from seven to 30-plus days depending on the transit time or whether the device is traveling by land, sea or air. Simple on-off or full-empty use cases such as monitoring trash cans or liquid storage containers will require years of service in the field on a single battery charge.
Besides an inventory of physical devices, it is important to have real-time visibility of the software that is operating in the IIoT and OT environments so that vulnerabilities can be tracked and impacted, and updates can be managed. To this end, I recommend participation in NTIA’s Software Transparency initiative. This initiative is centered on developing / enhancing a standard for identifying software components and their relationships to libraries of code baselines and mappings to security vulnerabilities (CVEs). This type of software transparency will enhance the ability to pinpoint vulnerabilities in a software package used within an OT and IIoT device. Currently, a couple of standard formats for software identity are being considered – SPDX and SWID.
The software and hardware inventories should also provide pointers to license information, EOL data, required hardware and software configurations, and any other important life cycle information. And don’t forget to capture any software certificates in the inventory and their expiration dates.
In addition to an inventory of hardware and software, it is also necessary to maintain a topology of assets, map communication and data flows over this topology, and categorize components based on criticality and dependencies. This type of “live” architecture should provide a set of situational awareness views with specific priority focus on critical control-layer activity and operational indicators. Ideally, real-time situational awareness should span IT and OT/IIoT subsystems seamlessly without interfering with any operational business processes. This situational awareness will also require shifts or changes in the roles of OT and IT security organizations as the boundaries of technology and corresponding responsibility begin to dissolve.
Capability 2: Real-time anomaly detection including increased use of AI/ML technology and big data analytics
Discovery of physical sensor state using physics-based telemetry [from the data historian], mapped to controller logic and state/sequence information, combined with real-time, continual data collection of cyber sensor data [from the SIEM] can provide a foundation for AI/ML analytics and new anomaly detection capabilities for cyber defense of IIoT and OT environments. As shown in the chart below, pattern recognition, statistical and behavioral analysis, along with AI algorithms across different data streams from many channels can help to identify unusual sensor behavior, compromised systems and network attack traffic along with unusual user behavior and insider threats or internal misuses. The need for continual collection, comprehensive understanding, varied analysis and management of large amounts of dynamic data, in other words knowledge management, from a plethora of sources and devices to develop actionable intelligence could drive some of this processing to the cloud.
Anomaly detection can be augmented by fingerprinting the operating state performance of devices. One example of this augmented approach is the Constellation Based DNA (CB-DNA) Fingerprinting method for ZigBee-like WirelessHART signals supporting SCADA/ICS applications. The goal of this approach is to discriminate between device hardware and/or operating state performance to enable verification-based anomaly detection exceeding 90% on a pulse-by-pulse (command-by-command) basis, and nearing 100% when considering multiple sequential pulses (commands).
Another anomaly detection method for OT systems can be based on features including network traffic, link utilization and CPU usage. The feature vector is fed as input to an auto associative kernel regression model that predicts the correct versions of the inputs. Residuals are formed by comparing the observed input values with the model predictions. A binary hypothesis technique called the sequential probability ratio test is applied to the residuals to determine whether the residuals correspond to a normal or abnormal distribution. An autonomic software protection system that has rules to analyze protocol requests/responses could be built using this model. The autonomic system could selectively drop packets to protect OT systems from flooding and denial-of -service (DOS) attacks by incorporating knowledge of the physical state of the power system.
Sensor data, representing measurements of the physical world or cyber world, always have uncertainties [e.g., false positives] associated with it. Effective management and analysis of sensor data, including understanding uncertainties, is necessary to assess data quality and meaning so the organization can make decisions regarding the data’s use and avoid introducing new risks. Without this type of analysis, error rates may be unknown for the different contexts in which a device might be used. Effective sensor data management is important when mitigating attacks on sensor technology, such as attacks performed through wireless signals, that could cause sensors to produce false results. The resource consumption needed to perform this level of analysis cannot be supported strictly at the edge – some triaging can be done at the edge, but the bulk of the analytic processing needs to be performed at a central place – either on premise or the cloud.
The operational complexity of an IIoT or OT environment can also throw a wrench into anomaly detection. Many OT/IIoT environments represent system-of-systems (SoS) which are not necessarily designed as a coherent system – they can emerge as the result of opportune connections among subsystems that may have never been designed to interact with each other. It can be difficult to pin down the boundaries of a SoS as shown in the following chart. 
Analyses of behaviors for these systems are complicated by the need to understand and address the upstream and downstream dependencies of the component systems. Where the SoS consists of systems owned by multiple entities, there is also the issue of determining responsibility for the security and behavior of the whole environment and how responsibility is shared or trust relationships are established among responsible entities to assure global protection.
Capability 3: Strong, comprehensive authentication
One of the primary attack vectors facing any enterprise today – whether OT or IT – is remote account takeover — characterized by credential theft, phishing scams, or man-in-the-middle attacks. Weak authentication is often the reason these attacks are successful. OT and IIoT systems have been notorious in the past for weak or a total lack of authentication. “Strong” passwords, passwords that are lengthy or complicated to enter, or passwords that require frequent updates are often inappropriate for such environments. On the shop floor, passwords are often shared among all the individuals holding a particular role to eliminate potential discontinuity between shifts and provide rapid emergency access to the system. New mechanisms to establish trust between machines and people are needed for these conditions.
One possible solution is passwordless authentication. In 2017, NIST published “Special Publication 800-63-3, Digital Identity Guidelines,” naming FIDO-based technologies as the highest level of authentication technology assurance for federal use. FIDO-based technologies can be implemented in a passwordless mode.
The FIDO Alliance aims to provide a comprehensive authentication framework for IoT devices in keeping with the fundamental mission of the organization – passwordless authentication. To lead these efforts the Alliance has formed the IoT Technical Working Group (IoT TWG), which will develop use cases, target architectures and specifications covering:
- IoT device attestation/authentication profiles to enable interoperability between service providers and IoT devices
- Automated onboarding, and binding of applications and/or users to IoT devices
- IoT device authentication and provisioning via smart routers and IoT hubs.
The FIDO2 standard is the new standard enabling the replacement of weak password-based authentication with strong hardware-based authentication using public key (asymmetric) cryptography. FIDO2 is comprised of two standardized components, a web API (WebAuthn) and a Client to Authenticator Protocol (CTAP). The two work together and are required to achieve a passwordless experience for login. The earlier FIDO U2F (Universal Second Factor) protocol working with external authenticators is now renamed to CTAP1 in the WebAuthn specifications. With Chrome and Firefox announcing WebAuthn API and CTAP1 support as the client, and Dropbox now integrating with the WebAuthn API, this has kicked off a flurry of integration activities by other services. Most recently, Microsoft Edge released support for WebAuthn API, CTAP1 and CTAP2, making it the browser with the widest authentication support. The new FIDO2 passwordless experience will require the additional functionally of CTAP2, which is currently only offered in the new Security Key by Yubico. CTAP2 is not supported in previous FIDO U2F Security Keys, or current YubiKey 4 series, or the YubiKey NEO.
The vast majority of IIoT authenticating devices only need the basic Universal Second Factor protocol in passwordless mode that can enable the registration of the first U2F key presented as the administrator’s key to the device. With FIDO2, a hardware-based authenticator can replace a username and password as a much stronger form of single factor authentication. Finally, for added security and in cases where humans are involved, a FIDO2 hardware authenticator can be combined with an additional factor, such as a PIN or biometric gesture, to enable strong multi-factor authentication.
Accordingly, IoT devices won’t ever need to store more than two registered keys. Manufacturers can make many assumptions about the protocol when they are designing something for their specific device. Given the price of basic U2F authenticators on e-commerce sites, manufacturers could even give away a free U2F authenticator with each $50 IIoT device to bootstrap this process. There is even open-source FIDO-certified software that will allow manufacturers to bootstrap this process.
Capability 4: Trusted Systems and Trusted Data
In addition to stronger authentication methods, the notion of a chain of trust is also essential for OT and IIoT environments. Roots of trust in OT and IIoT environments represent an important topic, but is still an area under development. Trust anchors are not addressed in a consistent way, and the approaches are fragmented. Assuring that these systems are trustworthy in the broadest sense (e.g., reliable, resilient, secure, private and safe) poses unique cybersecurity challenges.
One group that is taking up the challenge of trust anchors is the Trusted Computing Group. Vendors supporting Trusted Computing Group provide essential tools for remote device management (e.g., secure key storage and remote attestation) but other areas are more challenging (e.g., low power). TCG technology (TPMs to protect credentials and TNC to validate credentials) is applied by extending OpenSSL authentication, which requires a certificate and an integrity report, both protected by a TPM on each device; mutual authentication of devices is required at session start. As the boundaries between OT and IT continue to dissolve, the type of cross-domain trust offered through these capabilities will become more important.
“Trusted systems” (aka “provably secure” systems) can also provide highly assured foundations for establishing chains of trust along with supplying provisions for safe and secure interaction between the cyber and physical worlds. Also, since many IIoT and OT devices cannot be accessed, managed, or monitored in the same ways conventional IT devices can, OT and IIoT systems must be trusted to consistently provide reliable, long-term, and safe operation. In general, trusted systems also tend to explicitly recognize the need to fail into a safe state securely. One example is the Muen separation kernel. The Muen Separation Kernel is the world’s first Open Source microkernel that has been formally proven to contain no runtime errors at the source code level. It is developed in Switzerland by codelabs GmbH. Muen was designed specifically to meet the challenging requirements of high-assurance systems on the Intel x86/64 platform. DARPA also continues it research into high assurance systems as evidenced by my interview here. However, it is also important to remember that even a trusted OS such as Muen cannot prevent a phishing email from stealing a user’s credentials via a spoofed website.
Cryptography can also provide an assured basis for establishing and maintaining chains of trust for messaging and collaboration. One example is in the area of digital signature which is a mathematical scheme for verifying the authenticity of digital messages or documents. A valid digital signature, where the prerequisites are satisfied, gives a recipient very strong reason to believe that the message was created by a known sender, and that the message was not altered in transit. A unique approach to digital signatures that may have wide applicability to distributed OT and IIoT systems is the Keyless Signature Infrastructure (KSI) offered by Guardtime.
KSI is a method and a globally distributed network infrastructure for the issuance and verification of KSI signatures. Unlike traditional digital signature approaches, e.g., Public Key Infrastructure (PKI), that depend on asymmetric key cryptography, KSI uses only hash function cryptography, allowing verification to rely only on the security of hash functions and the availability of a public ledger commonly referred to as a blockchain. Each digital asset on the network has an associated digital twin (on the block chain) which provides the cryptographic integrity and provenance of that asset back to a control policy (smart contract) for that asset. Any change in the environment out of policy generates a high-quality alert that can be remediated in real-time. With this approach, real-time breach detection (in seconds) becomes possible when there is a change in infrastructure that is out of policy as well as dynamic attestation of compliance. The cryptography behind the KSI signatures ensures that they never expire and remain quantum- immune i.e., secure even after the realization of quantum computation.
Data-at-rest encryption is a much harder problem for OT and IIoT systems due to technical capacity limitations of many of these endpoint systems. Traditional key management is also ineffective in some cases, such as over large “accidental” and highly distributed populations of endpoints. For example, consider the impact of providing keys to all the driver-assisted or autonomous vehicles on any major road during peak traffic. Encryption mechanisms are not likely to work under such dynamic conditions without new keying mechanisms and protocols.
Capability 5: Threat-Informed Defenses
The next generation of IIOT and OT systems should utilize a threat-informed defense approach. As such, the ability to not only detect one or more threats, but also correlate those threats with their impact on system behavior is a necessary capability. Threat-informed defense is a risk management strategy that addresses the threat component of risk, incorporating analysis of adversaries, their capabilities, objectives, doctrine and limitations. This is necessarily a continuous process, leveraging indicators to discover new activity with yet more attack indicators, artifacts, and other observables to leverage. It requires a deep understanding of the intrusions themselves, not as singular events, but rather as phased progressions by an adversary as they apply their tradecraft and technology. It’s a community-based approach to a worldwide challenge.
There are many threat intelligence sources and more seem to be announced each year. Many companies will leverage a variety of public, private, and organic sources to ensure coverage and to help to validate sources. Sharing of indicators is also growing using threat hubs and technology like STIX/TAXII. The ISACs are also a good place for sharing threat information, starting with the ICS-ISAC.
From an organic perspective, full internal and outbound network visibility via deep packet inspection (DPI), and endpoint data is important. This combination ensures the best of both worlds – broad visibility from the network, inclusive of user and app identification, that cannot be obscured or circumvented, and details from endpoints that can confirm where and how an attacker has gained a foothold. DPI is critical here because without it there would be no way to build profiles against actual entities – user and devices – and visibility would be only to IP address, a transient characteristic in most networks. Network and endpoint also strongly complement; as suspicion is developed based on network activity, endpoint analysis can be automatically applied to the hosts in question to validate the suspicion. The combination provides the highest accuracy detections, with the most actionable alerts, across the entire attack lifecycle.
Threat intelligence helps to enhance situational awareness and provides the basis for “hunting” threats that may be lurking in the environment. The harnessing of threat information helps to prevent, detect, and even predict (or rather foresee) attacks. Publishing information about threats and breaches, such as found in the SCADA Incident Database (SCID) – a description can be found in this ActiveCyber.net article – also helps researchers to study attacker TTPs and develop defensive measures as well.
The effect of threat-informed defenses is a more resilient security posture. Cyber attackers, by their nature, attempt intrusion after intrusion, adjusting their operations based on the success or failure of each attempt. In a kill chain model, just one mitigation breaks the chain and thwarts the adversary, therefore any repetition by the adversary is a liability that defenders must recognize and leverage. If defenders implement countermeasures faster than adversaries evolve, it raises the costs an adversary must expend to achieve their objectives.
OT and IIoT asset owners should also take advantage of the MITRE Engenuity Center for Threat-Informed Defenses, announced in November 2019. The center is a non-commercial, non-profit focal point that is missioned to sustain and accelerate the evolution of publicly available resources critical to cyber defenses. Those resources include MITRE ATT&CK™, a freely available MITRE-developed and operated knowledge base of adversary tactics, techniques, and procedures that is based on published threat reporting. Cyber defenders use MITRE ATT&CK to develop threat models and methodologies.
ATT&CK™ for ICS is a new knowledge base useful for describing the actions an adversary may take while operating within an OT network. The knowledge base can be used to better characterize and describe post-compromise adversary behavior. Check the following links to become more familiar with ATT&CK for ICS:
- Full list of ATT&CK for ICS techniques
- Software used by ICS threats
- Adversary groups from ICS related incidents
- Assets present in ICS
That is it for the first 5 recommended capabilities. How do they match up to yours? I would be very interested in any feedback you have so far. Stay tuned for Part 2 to find out the next 5 of my Top 10.
And thanks to my subscribers and visitors to my site for checking out ActiveCyber.net! Please give us your feedback because we’d love to know some topics you’d like to hear about in the area of active cyber defenses, PQ cryptography, risk assessment and modeling, autonomous security, digital forensics, securing OT/ IIoT and IoT systems, Augmented Reality, or other emerging technology topics. Also, email chrisdaly@activecyber.net if you’re interested in interviewing or advertising with us at Active Cyber™.
