
AURA VIA GADGETS

Thursday, June 25, 2020

INDUSTRY 4.0 IS UNSAFE. OR IS IT?


The world is evolving; second by second, day by day, it moves towards new frontiers as technology evolves. So does industry. Everything has become wireless, interconnected, and easier to control even without being on site. But is it secure and safe while becoming ever easier to control? This article is a brief analysis of the security concerns of the new iteration of industrial evolution, “Industry 4.0”, with reference to some recent incidents.

WHAT IS INDUSTRY 4.0?

Industry 4.0 is the latest iteration of the industrial revolution, driven by technological advancement. Under the influence of factors such as the internet, wireless communication, “M2M” (Machine to Machine) communication through the “IoT” (Internet of Things) concept, IPv6 addressing, Machine Learning, etc., modern industry has evolved from the basic mechanized systems of the age of the industrial revolution into a “Cyber-Physical System”.
These smart systems are equipped with modern attributes such as the following, for a much more optimized and user-friendly operation of the system:

  • Decentralized decision making – Ability of the Cyber-Physical System to make its own decisions based on continuous data analytics performed through Machine Learning algorithms
  • Interoperability – Ability of the system to connect and communicate remotely with the system users and administrators via the Internet
  • Information Transparency – Ability of the system to create a virtual copy of the exact physical system and its ability to test out several operating scenarios prior to the physical implementation (basically conducting a simulation of the working environment)
  • Technical Assistance – Assisting humans by performing tasks that are considered to be hard, exhausting, and dangerous to humans

(Source: ECEN 5053-002; Developing Industrial Internet of Things 1: IoT Markets and Security; Prof. Dave Sluiter; University of Colorado Boulder)
However, given the scale of the interconnection these systems share with the outside world and among their own components, it is reasonable to assume that they are more vulnerable to external security threats than prior generations. Therefore, the ‘Security’ of these “IIoT” (Industrial Internet of Things) based systems should be a primary concern from the earliest stages of system implementation.


IIoT SECURITY

As mentioned before, there are many possible attacks on IIoT systems. They include brute force attacks, man-in-the-middle attacks, replay attacks, side-channel attacks, attacks that manipulate physical components (Power, RF, Temperature), and so on. IIoT security is therefore not a minor aspect that can be ignored or treated lightly.
As countermeasures against these threats, there are some major techniques, opinions, and practices that are proven to be effective. The main ones are listed below.

  • Using known and verified data encryption algorithms
  • Using updated firmware and software solutions in IoT systems
  • Considering ‘Security’ as a fundamental concern of the system
  • Building a ‘Security’ mindset for system implementation
  • Constant monitoring and updating of the system security

Some recent examples show the importance of the above-mentioned techniques as security measures.

USING KNOWN AND VERIFIED DATA ENCRYPTION ALGORITHMS

Since remote connectivity is a key feature of IIoT systems, data transmission is a basic need of the system. That interconnectivity, however, runs over the insecure, public communication channel of the internet. The data transmitted through the internet is therefore exposed to many external threats and attackers, so the integrity of data should be protected. That’s where the concept of encryption comes in.
Encryption basically means converting the ‘clear text’ that is to be protected into a ‘cipher text’ prior to transmission. By encrypting, we can make our data impossible to read without the designated decryption key, thereby ensuring that the data is not accessible to a third party other than the sender and receiver.
There are some standard encryption methods and algorithms that are frequently used in IIoT data security, such as ‘AES CBC’ (Advanced Encryption Standard Cipher Block Chaining), ‘AES ECB’ (AES Electronic Code Book), AES XTS (for data storage), the Diffie-Hellman method, the PGP (Pretty Good Privacy) method, the RSA (Rivest-Shamir-Adleman) method, hash functions, MACs (Message Authentication Codes), and so on. Apart from that, to ensure data integrity while transmitting via web sites, communication methods like TLS (Transport Layer Security) and SSL (Secure Socket Layer) are used. It is therefore pretty obvious that data security and integrity are ensured with these encryption techniques.
For example, let’s consider a recent incident. The electronic lock manufacturer “Kaba Mas”, which makes high-security electronic combination locks for ATMs, has encountered a serious design flaw in its lock systems. A cybersecurity researcher discovered that the lock circuitry emits electrical feedback that can be observed through an oscilloscope, much like using a stethoscope to crack the combination of an old safe. This electrical feedback has become a severe drawback of the system: it allows the EEPROM contents to be copied to its CPU and the lock to be opened, leaving these modern safes vulnerable to attackers, who can open them in a matter of minutes.
Most importantly, an upgraded version of the same lock was later introduced with the same vulnerability, but this new system used “AES” encryption to encrypt the unlock key. Although the system had the same drawback mentioned before, encrypting the unlock key made breaking into it almost impossible, computationally expensive, and time consuming. This is not a justification for using encryption algorithms just to cover up a technical failure. But simply using a verified encryption algorithm in your system makes it less vulnerable to attacks. (Source: WIRED; “How Safecrackers Can Unlock an ATM in Minutes - Without Leaving a Trace”; Andy Greenberg; 08/09/2019)
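As an added example (not from the original article or its sources), the following shows how a MAC, one of the primitives listed above, lets a receiver reject telemetry frames that were modified in transit or replayed. The frame layout, the counter scheme, the key and the payload are assumptions made for illustration; the frame is authenticated but not encrypted.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 tag size in bytes


def seal(key, counter, payload):
    """Frame = 8-byte big-endian counter || payload || HMAC-SHA256 tag."""
    header = struct.pack(">Q", counter)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Verifies frames; rejects modified or replayed ones."""
    def __init__(self, key):
        self.key = key
        self.last_counter = -1  # highest counter accepted so far

    def open(self, frame):
        if len(frame) < 8 + TAG_LEN:
            raise ValueError("short: frame too small to hold counter and tag")
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time compare: do not leak how many tag bytes matched.
        if not hmac.compare_digest(tag, expected):
            raise ValueError("bad MAC: frame modified in transit or wrong key")
        (counter,) = struct.unpack(">Q", body[:8])
        if counter <= self.last_counter:
            raise ValueError("replay: counter not newer than last accepted")
        self.last_counter = counter
        return body[8:]


def demo():
    key = bytes(range(32))  # constructed demo key; real keys come from a CSPRNG
    rx = Receiver(key)
    frame = seal(key, 1, b"valve=open")  # constructed sample payload
    results = [rx.open(frame).decode()]
    tampered = bytearray(seal(key, 2, b"valve=open"))
    tampered[8] ^= 0x01  # flip one payload bit
    for bad in (bytes(tampered), frame):  # modified frame, then replay of frame 1
        try:
            rx.open(bad)
            results.append("accepted")
        except ValueError as exc:
            results.append(str(exc).split(":")[0])
    return results
```

The MAC is checked before the counter is read, so an unauthenticated frame can never advance the receiver's replay window.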

USING UPDATED FIRMWARE AND SOFTWARE SOLUTIONS IN IoT SYSTEMS
IIoT systems are sophisticated and complex. They therefore often depend on a number of software and firmware solutions, not only to maintain optimal working conditions of both software and hardware components but also to keep them up to date with countermeasures for the latest security threats. Keeping that software and firmware up to date is considered a key concern of system maintenance. Failing to do so is considered malpractice, and the particular system becomes more vulnerable to security threats than an up-to-date system. The following is a comprehensive example of that.
As we know, due to the recent outbreak of the ‘COVID-19’ pandemic, healthcare and medical services have attracted a lot of attention. With a reduced workforce, IoT based systems are the ideal solution for the optimized operation of healthcare services. However, the implementations of these systems show poor configuration structures and are more vulnerable to threats compared to other systems. It is known that IIoT solutions on medical and healthcare platforms give much less attention to system security than those in other fields. The escalated security vulnerabilities of medical-sector IoT systems during the recent outbreak period might also have been due to another critical reason, as the author mentions.
 “IoT devices are notoriously behind when it comes to the operating systems they are using, and many more are unpatched. In fact, 83% of IoT devices are no longer running supported software.”
It is therefore quite obvious that keeping the software and firmware in your system up to date determines how vulnerable the system is to external security threats. The more up to date, the less vulnerable you are. Apart from that, running on unsupported software might result in frequent authentication errors in data transmission between devices, and can result in an under-performing system that is also highly vulnerable to security threats. (Source: DARK Reading; “Social Distancing for Healthcare’s IoT Devices”; Ori Bach; 6/3/2020)

CONSIDERING ‘SECURITY’ AS A FUNDAMENTAL CONCERN OF THE SYSTEM 

(Courtesy: - Prof. Dave Sluiter; University of Colorado Boulder)

Building an IIoT system is quite a complex job given the number of component layers, subsystems, and software that have to be built. Along with these components, there is another key feature that should be considered throughout the building and implementation stages of the system: “Security”. It should not be treated as just another sub-element added after the system is constructed. Security should be considered a key element from the earliest stages of the system. Otherwise, the system would be more vulnerable to external threats, and it would be pretty much impossible even to diagnose the system to see what had gone wrong in case of an attack. The following is a good example of that.
As we know, due to the recent outbreak of the ‘COVID-19’ pandemic, healthcare and medical services have attracted a lot of attention. With a reduced workforce, IoT based systems are the ideal solution for the optimized operation of healthcare services. However, the implementations of these systems show poor configuration structures and are more vulnerable to threats, as has been reported in an article.
As the article says, many hospitals do not separate their IoT devices from other resources, such as databases storing patient records. The lack of separation simplifies discovering the prime targets. Attackers will then either steal the information or launch a ransomware attack.
It is possible to assume that system security was not a fundamental concern of the people who configured that particular system, and that this was why they did not put a security layer between the IoT devices and those database resources to prevent direct access. (Source: DARK Reading; “Social Distancing for Healthcare’s IoT Devices”; Ori Bach; 6/3/2020)
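The separation described above can be checked mechanically. The following is an added example, not taken from the cited article: it evaluates an ordered, first-match rule list and reports every IoT device that can reach a patient-record database directly. All addresses, ports, rule sets and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample inventory: IoT device addresses and patient-record database endpoints.
IOT_DEVICES = ["10.20.5.11", "10.20.5.12"]
RECORD_DBS = [("10.50.1.20", 5432)]

# Ordered, first-match rules: (action, source CIDR, destination CIDR, port or None for any).
FLAT_RULES = [
    ("allow", "10.0.0.0/8", "10.0.0.0/8", None),       # everything internal reaches everything
]
SEGMENTED_RULES = [
    ("allow", "10.20.0.0/16", "10.60.0.10/32", 8883),  # IoT -> telemetry gateway only
    ("deny", "10.20.0.0/16", "10.0.0.0/8", None),      # IoT -> anything else internal
    ("allow", "10.60.0.10/32", "10.50.1.0/24", 5432),  # gateway -> records database
]


def decide(rules, src, dst, port, default="deny"):
    """Return the action of the first rule matching the flow, else the default."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net, rule_port in rules:
        if (src_ip in ipaddress.ip_network(src_net)
                and dst_ip in ipaddress.ip_network(dst_net)
                and rule_port in (None, port)):
            return action
    return default


def exposed_paths(rules, devices=IOT_DEVICES, databases=RECORD_DBS):
    """List (device, db_host, db_port) flows the rule set allows directly."""
    return [(dev, host, port)
            for dev in devices
            for host, port in databases
            if decide(rules, dev, host, port) == "allow"]


if __name__ == "__main__":
    print("flat network:", exposed_paths(FLAT_RULES))
    print("segmented network:", exposed_paths(SEGMENTED_RULES))
```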

BUILDING A SECURITY MINDSET FOR SYSTEM IMPLEMENTATION 

(Courtesy: - Prof. Dave Sluiter, Mr. Don Matthews; University of Colorado Boulder)

The security mindset is basically a way of thinking critically and reviewing something in a way that others don’t. According to Bruce Schneier:
“This kind of thinking is not natural for most people. It's not natural for engineers. Good engineering involves thinking about how things can be made to work; the security mindset involves thinking about how things can be made to fail. It involves thinking like an attacker, an adversary, or a criminal. You don't have to exploit the vulnerabilities you find, but if you don't see the world that way, you'll never notice most security problems”
(Source: WIRED; Inside the Twisted Mind of the Security Professional; Bruce Schneier; 20/03/2008)

From another perspective, the security mindset can be explained as follows: from the very beginning of the system building and implementation process, the designer is always thinking about the ways the system can be bypassed, broken into, or hacked.
As Prof. Dave Sluiter mentions, “When working in security, it is an unwise mental mindset to make statements such as: “That’s impossible”, or “No one will ever figure this out” and other such absolute statements. A better mindset is one that blurs the line between TRUE and FALSE, mental positions such as likely/unlikely, probable/improbable, and practical/impractical. The world is full of some very clever and well-funded people.” He lines up some perfect examples of that, such as the cracking of the WWII German Enigma machine by Alan Turing and the sophistication of the work done by the “Israeli Mossad” and the “US NSA”. (Source: ECEN 5053-002; Developing Industrial Internet of Things 1: IoT Markets and Security; Prof. Dave Sluiter; University of Colorado Boulder)
“Security through obscurity is not security” - courtesy of Don Matthews
According to those expert opinions, security will never be 100% perfect. It will always be a matter of “good enough”. Building such a mindset should therefore serve a security developer well in system implementation.

CONSTANT MONITORING AND UPDATING OF THE SYSTEM SECURITY

As we all know, continuous monitoring and maintenance should be a key feature of a secure system. After being implemented, the system should be continuously tested for hidden vulnerabilities and blind spots. This might sound much the same as the second point mentioned above, using updated software and firmware in the IIoT system. In fact, it basically means that the system should be tested again and again for security vulnerabilities. There might be hidden vulnerabilities in the system that nobody else could see.
It is a good practice to have the system continuously tested for security vulnerabilities, whether by a security research organization, a white hat hacker, or anyone with the ability and clearance to do the testing. If a system is left alone without such monitoring, many protocol errors can occur, providing backdoor access for external parties to take control of the system and putting the whole operation in jeopardy. The following is a good example of that.
An occurrence of this kind happened in a system implemented using the “BACnet” data communication protocol for building automation. This web-based data communication protocol had a vulnerability that can be used to modify web application code by injecting “JavaScript” in the BACnet device. However, the real issue was that the company did not respond to the disclosure of these vulnerabilities, even after being informed by the independent cybersecurity researcher. This may damage not only the system but also the reputation of the company. I realized from this that we should constantly monitor the systems we implement, even after they are set up. We should also accept that no system is 100% secure, so we may have to acknowledge the feedback of responsible third parties such as the above-mentioned researchers in order to make the system as secure as possible. (Source: Computer Weekly; “BACnet IoT building automation devices vulnerable to attack”; Warwick Ashford, Senior Analyst; 13/08/2019)
A similar case has been reported in “Delta industrial control systems”, with a bug caused by a buffer-overflow vulnerability that made the system vulnerable even to broadcast traffic attacks (not directed to the particular IP of the system network), letting attackers take over the system and manipulate it remotely. It was said that if the attack was targeted, the shortcomings might have grown exponentially. The vulnerability was discovered by the McAfee security research team, who briefed the manufacturer so that it could issue a software patch right away to address the issue. This shows that security should be constantly monitored and updated, and is not a field to look over once and ignore after setup. (Source: Threat Post; “DEF CON 2019; Delta ICS Flaw Allows Total Industrial Takeover”; Tara Seals; 09/08/2019)

CONCLUSION

Looking back on the heading, “INDUSTRY 4.0 IS UNSAFE. OR IS IT?”: yes, it is safe enough to rely on the latest iteration of the industry and move on with it. And yes, it is safe to invest in the future frontiers of the IoT based market and industrial opportunities. See the statistical analysis for market growth: IoT Technology Market Forecast till 2022.

So, in conclusion, the IIoT sector is rather safer than we think. But we should keep in mind that “There’s no such thing as perfect, 100% security”.

An article by:
M. Nimantha Rukshan Fernando
Junior Treasurer,
IESL YMS,
University of Sri Jayewardenepura.

27 comments:

  1. Informative article. It seems a cyber war is not too long...

  2. Interesting article. Well done.🤘🤘

  4. Great work malli ✌️✌️✌️
