back to article Securing industrial IoT passwords: For Pete's sake, engineers, don't all jump in at once

Cybersecurity has become an increasing priority in operations technology thanks to the growing appetite for the industrial internet of things. Operations technology (OT) is the term given to all those environments in industry, transport, automotive, city and utilities that – before industrial IoT – had been largely isolated …

  1. JohnFen

    Nonsense

    "things have been going wrong from the outset when architects have designed systems where all critical plants are on their own network."

    No, Where things start going wrong is that these systems get connected to the internet. That's what should not happen.

    "The failures come where it is assumed that a firewall is good enough. This is a problem because firewall rules are source- and destination-based and if the attacker or meddler is coming from an allowed source and bouncing off destination systems, then the firewall is useless."

    Unless, of course, you're using a real firewall that is capable of doing DPI, connection tracking, etc. If your firewall is solely source and destination based, then you need a better firewall.

    1. Version 1.0 Silver badge

      Re: Nonsense

      Sure, but "a better firewall" would stop the IoT working and most consumers would bitch and complain and then "fix" the problem by disabling the firewall.

      1. JohnFen

        Re: Nonsense

        From a security point of view, IoT devices shouldn't be talking over the internet in the first place. But your point about consumer acceptance doesn't apply to this article -- this is about industrial use, not home use.

    2. Mark 85 Silver badge

      Re: Nonsense

      Network is fine as long as it's NOT connected to the internet in any way, shape, or form. But, lazy or manglement wanted things "easy" for them and thus not secure. If the control network never touches the internet, it's secure.

      1. Giovani Tapini

        Re: Nonsense

        Agreed but impossible. Manglement will always buy the devices with a "cloud" service offering only available on the internet.

  2. Crazy Operations Guy

    Stop using passwords

    Passwords are useful for authenticating user-computer interactions, but suck otherwise. But what machines are good at is certificates. With IoT devices, I figure the much easier way of doing things would be to have each device posses its own certificate signed by the controlling entity and authenticate by requiring a certificate signed by the same entity to communicate with it. To get the whole thing going in the first place, it could just have a USB port on it for initial configuration and only after configuring it does it turn on its network interfaces.

    1. JohnFen

      Re: Stop using passwords

      "But what machines are good at is certificates."

      Yes, this was my first thought as well -- machines are using passwords to authenticate with each other? That's a weird situation that's hard to explain. Even in my home network, I have very few things that are password protected even with human users. Almost all my authentication is cert-based.

      1. Roland6 Silver badge

        Re: Stop using passwords

        The article isn't really about passwords or or certificates as they don't really address the problem discussed in the article.

      2. Anonymous Coward
        Anonymous Coward

        Re: Stop using passwords

        "But what machines are good at is certificates."

        The reality is that if a device can be configured to use certificates in a meaningful way (i.e. unique certs per device and trusting of certificates/certificate chains) they probably would have had default passwords changed.

        Based on my limited experience with this type of thing, there needs to be a nice and simple standard for providing updates that is close to free for a VM version at least and then there's a chance it might get used. However, it likely needs to be Windows (to handle wsus and an AV management solution or two) as well as more generic cross-platform tools for certificate management and basic device security templates for on-device firewall rules to alliw host based firewall information in addition to any network layer firewalls to protect devices from each other on these isolated networks so that vendors who specify annual patch updates don't compromise the larger environment. Any internet access should be proxies via the management server OR the VM should be hosted in the cloud and accessed via VPN... No direct Internet access ever....

        Do I think this is possible? Maybe. Likely? Nope....

    2. Anonymous Coward
      Anonymous Coward

      Re: Stop using passwords

      I can think of many good use-cases for commercial/industrial IoT and if I were to be designing one of them I'd be thinking of 'pull' only inward comms i.e. the end device would initiate all comms and wouldn't allow any inward connections or remote logins at all. This wouldn't solve all of the problems but would remove some of them.

      1. Roland6 Silver badge

        Re: Stop using passwords

        > i.e. the end device would initiate all comms and wouldn't allow any inward connections or remote logins at all. This wouldn't solve all of the problems but would remove some of them.

        I think the issue isn't so much with the individual IoT device, but where several IoT devices (or a composite device) are effectively monitoring a single piece of real-world kit. So following the article example, the pump can have multiple sensors, but the pump only gets restarted once all are clear. Interestingly, this doesn't do away with the on-site engineer's physical lock - I wouldn't want to be working on a piece of heavy kit controlled from some remote CCC without having some certainty of a local override/protection from remote stupidity.

  3. Drs. Andor Demarteau (ShamrockInfoSec)

    INternet connections are not the only issue

    Things have been going wrong far before "stuff got connected to the Internet" in what is called Industrial IOT.

    Because of the same "this costs money" attitude, industrial systems have been moving away from dedicated build hardware and software to commodity off-the-shell Windows systems for about 2 decades now.

    And yes those come with the same issues, security problems and patch regimes as your office equipment, but with one caveat: patching is either extremely difficult or in some cases impossible, sometimes due to restrictions by software vendors and sometimes due to certification restrictions.

    The solutions proposed in this article may work for new plants, but it will be a hell of a job to implement them in current installations.

    Oh and they have to work not 10 but up to 20 to 30 years too.

  4. Anonymous Coward
    Anonymous Coward

    Put all your IOT crap on Tor.

    No bugger will find it then to try to exploit.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021