Rohde & Schwarz tackled the challenge of protecting Industrial Internet of Things (IIoT) devices from hackers in an Online Technology Talk, “Industrial IoT: New Challenges for Operational Security,” held February 8. The session covered common attacks and defense strategies. In particular, the webinar discussed how machine learning and artificial intelligence have become key tools in detecting and thwarting botnet attacks on IIoT devices.
Alexander Bach, Rohde & Schwarz Information Security Operations, spoke on botnets, the causes for the attacks on IIoT and the different cyber defense strategies. IIoT gives internet access to machines, sensors, and processing devices — technology that assists with the manufacturing processes, which has immeasurable advantages concerning enterprise efficiency, according to Bach. However, the downside of that access is vulnerability to hackers.
“As more and more of these devices get access to the internet, it has certain security implications that need to be observed, because you are putting your production at risk of being accessed by unauthorized people,” Bach said.
When attacked, the Internet-connected device becomes part of a botnet, which can be used to perform Distributed Denial-of-Service attacks, deploy ransomware, steal data, send spam, and allow the attacker to access the device and connection.
One of the first major attacks on an IoT network also turned out to be the largest in history. In 2016, the Mirai botnet, a large network of compromised devices, launched a massive distributed denial of service (DDoS) attack on a European cloud provider. Today, there are at least 13 known versions of the Mirai malware that recruits devices into botnets, each of which uses a different exploit to gain control of IP devices.
IoT devices are vulnerable to botnet attacks because they share similar configurations and low levels of security. The most common attack vectors against IP devices include default passwords, open-source components, crypto trojans, and tailored attacks, according to Bach.
“Most IoT devices also use a barebone Linux open-source operating system,” Bach said. “These operating systems have the advantage of being very versatile, but once a device is compromised, it can easily be repurposed for some purpose other than the one it was actually manufactured for.”
IIoT is increasingly becoming a focus for hackers. Attacks on manufacturing and IIoT have increased by 41 percent, according to Check Point Software’s 2022 Security Report. Attacks on corporations, and threats to damage them, have increased because they are more profitable than disrupting consumers, according to Bach. Additionally, the rise of cloud services has created opportunities for cyber criminals by giving them a larger attack surface that they can exploit. Corporations also rely on remote access for maintenance but pay little attention to its security.
“When you realize there are a million malware variants, it is not hard to understand why some are successful,” Anja Dienelt, Rohde & Schwarz Product Manager, said.
Security Countermeasures
Bach proceeded to discuss several ways to protect a large network of badly secured, vulnerable IoT and IIoT devices. Most of these measures originate in data center and corporate enterprise environments, which makes them only partially suitable for the purpose of securing IoT and IIoT, he said.
“So what we need to do is build an environment where these devices can be operating safely,” Bach said. “Everyone wants to go to the cloud for cost savings, but this also comes with increasing exposure to public internet.”
A firewall can be placed in front of each unsecurable device, known as virtual patching, but it can be expensive depending on the number of devices that need to be protected. “Using firewalls to isolate devices from each other is doable, but it is a very expensive business and it’s not an option for IIoT,” Bach said.
Another, less onerous option is network segmentation, which uses fewer firewalls to prevent attacks across network boundaries, but equipment is still vulnerable to lateral attacks inside the sub-networks. It also creates additional overhead in network management and routing.
Micro-segmentation is another possibility, in which each device resides inside its own private virtual LAN, but it also adds to network overhead. Devices that need to communicate with each other will have to be placed either in a community private VLAN or in different network segments, which demands a lot of pre-planning and close cooperation with the users of the machines. Bach discounted these remedies, as well as the use of virtual private networks for security.
The Importance of Artificial Intelligence
Security Information and Event Management may provide a viable way to protect IoT and IIoT devices from botnets by informing information technology personnel of suspicious transmissions that have passed through the firewalls or have been blocked by them. Screening large amounts of data for malicious activity demands Artificial Intelligence (AI).
AI-enabled components within an enterprise’s security infrastructure are able to react much faster to threats, according to Bach. “You can enable these AI systems to automatically block certain attack patterns before the technician is actually notified,” he said. “This would be the ideal because then we would be able to stop attacks, and it would just take milliseconds to accomplish.”
Hackers access the servers, spy on the network and position the ransomware in secrecy for an average of 177 days before they strike. Dienelt said that time should be used for monitoring the system’s data for malicious activities to provide an additional line of defense.
The first step is to identify, classify and decode thousands of protocols and applications. This is done through “deep packet” probing of the network traffic. The second step is to analyze and correlate the data by using data analytics, machine learning and AI. The results are then correlated and reported.
Artificial intelligence, by itself, is not enough to secure an IIoT system, according to Dienelt. It must be backed up by machine learning. “AI has its disadvantages. It is always behind the hackers. It is better to use machine learning to make a baseline of normal, good behavior and then find anomalies in the data traffic,” she said.
Machine learning itself has detractors and suffers from low acceptance in IT departments, because all of its results are based on probability. Rohde & Schwarz uses several machine learning methods and combines them to reduce the number of false positives.
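A minimal illustration of the baselining approach Dienelt describes, written as an added example that is not from the webinar or from Rohde & Schwarz: it learns each device's normal peers, ports and traffic volume from constructed flow records, runs three simple detectors over a live window, and raises an alert only when at least two of them agree, which is one way of cutting down the false positives mentioned above. All device names, addresses, volumes and thresholds are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records: (device, dst_ip, dst_port, bytes_out) per minute.
# Baseline window: a PLC that only polls a Modbus server and an OPC UA server.
BASELINE = [
    ("plc-01", "10.0.1.5", 502, 1200), ("plc-01", "10.0.1.9", 4840, 1180),
    ("plc-01", "10.0.1.5", 502, 1220), ("plc-01", "10.0.1.9", 4840, 1190),
    ("plc-01", "10.0.1.5", 502, 1210),
]
# Live window: a benign flow, an oversized but otherwise normal flow (e.g. a
# scheduled backup), two flows to a host and port the PLC has never used, and
# a device that was never seen during baselining.
LIVE = [
    ("plc-01", "10.0.1.5", 502, 1195),
    ("plc-01", "10.0.1.9", 4840, 1450),
    ("plc-01", "203.0.113.7", 23, 1205),
    ("plc-01", "203.0.113.7", 502, 9800),
    ("sensor-07", "10.0.1.5", 502, 300),
]

def build_baseline(records):
    """Learn, per device, the hosts and ports it talks to and its volume statistics."""
    seen = defaultdict(lambda: {"hosts": set(), "ports": set(), "bytes": []})
    for dev, ip, port, nbytes in records:
        seen[dev]["hosts"].add(ip)
        seen[dev]["ports"].add(port)
        seen[dev]["bytes"].append(nbytes)
    return {dev: {"hosts": s["hosts"], "ports": s["ports"],
                  "mu": mean(s["bytes"]), "sigma": pstdev(s["bytes"]) or 1.0}
            for dev, s in seen.items()}

def detectors(profile, ip, port, nbytes, z_limit=3.0):
    """Three independent anomaly tests; returns the reasons that fired."""
    z = abs(nbytes - profile["mu"]) / profile["sigma"]
    return [r for r in (
        "volume z=%.1f" % z if z > z_limit else None,
        "new host" if ip not in profile["hosts"] else None,
        "new port" if port not in profile["ports"] else None) if r]

def detect(baseline, records, min_votes=2):
    """Alert only when at least min_votes detectors agree (fewer false positives)."""
    alerts = []
    for dev, ip, port, nbytes in records:
        if dev not in baseline:
            alerts.append((dev, ["unknown device"]))
            continue
        reasons = detectors(baseline[dev], ip, port, nbytes)
        if len(reasons) >= min_votes:
            alerts.append((dev, reasons))
    return alerts
```

With the default of two agreeing detectors, the oversized OPC UA flow alone is not reported, while the two flows to the unknown host and the never-seen device are.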
By J. Sharpe Smith, Inside Towers Technology Editor