Information security of the Internet of things: who is the thing and who is the owner?
It is no secret that the Internet of Things (IoT) is perhaps the least orderly field when it comes to information security (IS). Today we see a technology still taking shape, a constantly changing industry landscape, forecasts that sometimes drift away from reality, and dozens of organizations trying to declare themselves legislators in one area or another, if only for an hour. The urgency of the problem is underlined by epic incidents: Industroyer, BrickerBot, Mirai, and these are only the tip of the iceberg. What does "the coming day prepare for us"? If we keep going with the flow, the owners of the Internet of Things will be botnets and other malware, and things with ill-conceived functionality will prevail over those who try to become their masters.
In November 2018, ENISA (the European Union Agency for Network and Information Security) released the document Good Practices for Security of Internet of Things in the context of Smart Manufacturing, which collects cybersecurity practices for the industrial Internet of Things (IIoT), drawing on an analysis of about a hundred best-practice documents in this area. What is "under the hood" of this attempt to grasp the immense? This article gives an overview of its contents.
Another attempt to survey the field can be found on the website of the National Institute of Standards and Technology (NIST): "Draft NISTIR 8200. Interagency Report on Status of International Cybersecurity Standardization for the Internet of Things (IoT)". The version is dated February 2018 and still has the status of a draft. It analyzes existing standards, grouped into the following 11 areas: Cryptographic Techniques, Cyber Incident Management, Hardware Assurance, Identity and Access Management, Information Security Management Systems (ISMS), IT System Security Evaluation, Network Security, Security Automation and Continuous Monitoring (SACM), Software Assurance, Supply Chain Risk Management (SCRM), and System Security Engineering.
The list of standards alone takes more than a hundred pages! That means hundreds of titles, amounting to tens of thousands of pages, which could take years to study; moreover, many of the documents are paid. The analysis identified multiple gaps in the industry's standardization, which, obviously, will be filled over time.
I think the reader has already understood which side the author's common sense and sympathies are on. So let us return to the ENISA best practices. They are based on an analysis of about a hundred already published documents. However, we do not need to read all of them, since the ENISA experts have already collected the most important points in their report.
The figure below shows the structure of the document, which we will now look at more closely.
Figure 1. Structure of the document Good Practices for Security of Internet of Things in the context of Smart Manufacturing.
The first part is introductory.
The second part first introduces the basic terminology (2.1) and then the security challenges (2.2), which include:
- vulnerable components;
- deficiencies in process management (Management of processes);
- the growing number of communication links (Increased connectivity);
- the interaction of operational and information technologies (IT/OT convergence);
- inherited problems of industrial control systems (Legacy industrial control systems);
- insecure protocols;
- human factors;
- excessive functionality (Unused functionalities);
- the need to take functional safety into account (Safety aspects);
- deployment of security updates (Security updates);
- implementation of a secure product life cycle (Secure product lifecycle).
In section 2.3, with reference to ISA, a reference architecture is given which nevertheless somewhat contradicts the generally accepted ISA (Purdue) architecture, since RTUs and PLCs are assigned to level 2 rather than level 1 (as is the practice in ISA). In the Purdue model, level 0 is the physical process (sensors and actuators), level 1 is basic control (PLCs, RTUs) and level 2 is supervisory control (HMI, SCADA servers), so a practitioner mapping the ENISA asset lists onto an existing network segmentation should keep this shift in mind.
Figure 2. IIoT reference architecture.
The reference architecture is the input for the asset taxonomy built in section 2.4. Based on expert input, the criticality of each asset in terms of its impact on information security is estimated. There is no claim of representativeness (the report says that experts from 42 different organizations took part), so these statistics should be taken as "one opinion". The percentages in the chart indicate the share of experts who rated a given asset as the most critical.
Figure 3. Results of the expert assessment of IIoT asset criticality.
Section 3.1 gives a classification and description of potential threats as applied to IIoT. In addition, each threat is associated with the asset classes that it may affect. The main threat classes identified are:
- Nefarious activity / Abuse: various kinds of manipulation of data and devices;
- Eavesdropping / Interception / Hijacking: collecting information and taking over the system;
- Unintentional damages (accidental): errors in configuration, administration and application;
- Outages: interruptions of operation caused by loss of power supply, communications or services;
- Disaster: destructive external impacts of natural and man-made origin;
- Physical attack: theft, vandalism and sabotage (disabling) carried out directly on the equipment;
- Failures / Malfunctions: caused by accidental hardware failures, by failure of provider services, and by problems in software development that introduce vulnerabilities;
- Legal: deviations from the requirements of laws and contracts.
Figure 3. Threat taxonomy.
Section 3.2 discusses typical examples of attacks on the components of IIoT systems.
The most important section of the document is the fourth, which presents the best practices aimed at protecting IIoT components. The practices fall into three categories: policies, organizational practices and technical practices.
Figure 4. Structure of the best practices for IIoT information security.
The fundamental difference between policies and organizational practices is not explained, and the procedural level is present in both. For example, Risk and Threat Management ended up among the policies, while Vulnerability Management is among the organizational practices. The only distinction that can be discerned is that the policies are addressed primarily to developers, and the organizational practices to operating organizations.
The policies part (4.2) describes 4 categories and 24 practices. The organizational part (4.3) describes 27 practices divided into 6 categories, and the technical part (4.4) describes 59 practices divided into 10 categories.
Appendix A notes that this ENISA document continues the research begun in 2017 in the document "Baseline Security Recommendations for IoT in the context of Critical Information Infrastructures". Of course, IoT is a broader concept than IIoT, and from that point of view one could have taken last year's document as the basis for this review; however, one always prefers to deal with newer material.
Appendix B is the main substantive part of the document. The list of practices from section 4 is presented as tables in which each practice is linked to the threat groups it addresses and to the documents supporting its use, unfortunately without specifying a particular page or paragraph. Here, for example, are several items related to the security of cloud services.
Figure 5. Fragment of the description of the best practices for IIoT information security.
Appendix C lists the cited documents (there are about 100 of them) that were analyzed and formed the basis of the best practices.
Appendix D lists the most significant incidents related to information security breaches in industrial applications.
Good Practices for Security of Internet of Things in the context of Smart Manufacturing, published in November 2018, is currently one of the most detailed documents in the field of IoT information security. It contains no detailed technical guidance on implementing the 110 practices it describes, but it does contain a body of accumulated knowledge obtained from analyzing hundreds of documents from the leading expert organizations in the IoT field.
The document focuses on IIoT and takes into account the industrial architecture and the assets, threats and possible attack scenarios associated with it. More general IoT guidance is given by its ENISA predecessor, "Baseline Security Recommendations for IoT in the context of Critical Information Infrastructures", released in 2017.
"Predatory Things of the Century" and the tendency, imperceptible to us, of things gaining power over people are currently held back only by scattered pockets of resistance in the form of information security measures. How effective those IS measures turn out to be will in many ways determine our future.