Security is a foundational element of IIoT adoption. Before diving into the paradigms of the IIoT security framework, let's first define and fathom the expanses of IIoT.

The Internet of Things in itself is gaining a pervasive scope, resulting in the many ways that it is defined and described. The Internet Engineering Task Force (IETF), states that "in the vision of the IoT, "things" are very various such as computers, sensors, people, actuators, refrigerators, TVs, vehicles, mobile phones, clothes, food, medicines, books, etc." (Minerva, Biru, and Rotondi 2015 (https://www.tandfonline.com/doi/full/10.1080/23738871.2017.1366536) Minerva, R., A. Biru, and D. Rotondi. 2015. "Towards a Definition of the Internet of Things (IoT)." IEEE Internet Initiative, Torino, Italy, 1. (Google Scholar)).

However, for the scope of our discussion in this book, we shall primarily lean on the following definition of the Internet of Things, which has been excerpted from (IEEE-IOT):

"An IoT is a network that connects uniquely identifiable "things" to the internet. The "things" have sensing/actuation and potential programmability capabilities. Through the exploitation of the unique identification and sensing, information about the "thing" can be collected and the state of the "thing" can be changed from anywhere, anytime, by anything."

(https://iot.ieee.org/images/files/pdf/IEEE_IoT_Towards_Definition_Internet_of_Things_Revision1_27MAY15.pdf)

This definition mentions the collection of information about the thing and also the possibility of changing the state of the thing from anywhere, anytime, and by anything. In other words, the connected things are, by design, vulnerable to harvesting and subjugation without the need for authority. This highlights the importance of security to protect IoT, a topic that will be delved deeper into in the rest of this book. 

From a functional perspective, IoT is essentially an enabler to digitize and interconnect physical assets. By embedding the communication protocol stack and software logic (or smarts), otherwise dumb entities such as appliances, sensors, actuators, or any device or machinery can intelligently communicate data without any human intervention. The enormous quantity of data (rather big data) generated by things can be analyzed to gain data-driven insights and to offer value-added products and services.

The IIoT digitally transforms industrial and enterprise operations by adding smarts and connectivity to machines, people, and processes. IIoT converges technical advancements in multiple areas, including:

• Innovations in network connectivity (low energy wireless, edge and cloud technologies)
• Low-cost sensing and computing with machine learning
• Sensor-generated big data
• Machine-to-machine (M2M) communications
• Automation technologies those have existed in the industry for many years

IIoT is also interchangeably referred to as the Industrial Internet, a term originally coined by General Electric (GE). GE defines the Industrial Internet as (GE-IIoT) "the convergence of the global industrial system with the power of advanced computing, analytics, low-cost sensing and new levels of connectivity permitted by the internet."

GE's Industrial Internet refers to the third wave of innovation in industrial environments, the first two waves being the industrial revolution, followed by the Internet revolution, as shown in the following diagram:

Industrie 4.0 is a digital transformation project that was launched (https://www.i-scoop.eu/industry-4-0/) by Germany in 2011 and widely referenced in Europe (ISP-4IR). It refers to connected cyber-physical systems (discussed later in this chapter). The Industrial Internet concept is comparable to the fourth revolution, as illustrated in figure 1.2.

Industrie 4.0 is primarily focused on the digital transformation of manufacturing by leveraging technologies such as big data/analytics and IoT. This transformation is catalyzed by the convergence of information technology (IT) and OT, robotics, data, artificial intelligence, and manufacturing processes to realize connected factories, smart decentralized manufacturing, self-optimizing systems, and the digital supply chain in the information-driven, cyber-physical environment of the fourth industrial revolution, sometimes called 4IR (ISP-IIoT):

According to top analyst firms, over the next decade, the number of connected machines is estimated to be in the order of tens of billions, while through accelerated productivity growth, the global gross domestic product (GDP) is estimated to expand in double digits. Increases in efficiency, data management, productivity, and safety are the core drivers for IIoT adoption.

Interestingly, this wave of digital transformation in various industry verticals is also a key driver for safety and security technologies in order to realize reliable systems and architectures.

The value of sensor-embedded connected devices took a giant leap with the ubiquity of smartphones. Hand-held mobile phones morphed from being just a data and voice communication device to a versatile commodity that assists in navigation, news, weather, health, and so on. The iPhone itself boasts of a number of sensors for proximity, motion/accelerometer, ambient light, moisture, a gyroscope, a compass, and so forth. Apple watch, Fitbit, Amazon Echo, and so on have heralded a whole new era of smart, personal wearables, along with ingestible and home controls, thus opening up entirely new market segments. These home and personal devices together are most commonly understood as the Internet of Things.

However, these same principles when applied at scale—in enterprises and industries—multiply both in terms of complexity and benefits. The Industrial Internet Consortium (IIC) was established in March 2014 with the mission to accelerate the industrial adoption of IoT, by creating standards to "connect objects, sensors and large computing systems." This formally delineated IIoT from consumer IoT, the latter being more focused on personal and home automation gadgets and appliances, and dealing with different security postures when compared to IIoT.

In this book, the term IIoT refers to scalable internet of things architectures that are applicable to enterprises across a wide variety of industry verticals, such as energy, water, farming, oil and gas, transportation, smart cities, healthcare, building automation and so on, and will be referred to by its short form, IIoT.

In many contexts, the use of the term IIoT is limited to being a connectivity enabler, just like the internet enabled the connection of computers. However, we look at IIoT as more than connectivity. It encompasses the entire industrial value chain, which involves embedded intelligence, network connectivity, harnessing big data, machine learning/AI, the smart supply chain, and advanced analytics-driven business insights.

Digital connectivity of industrial machinery and equipment (or any physical asset) with advanced IT platforms is a unique advancement that opens up unprecedented social and economic opportunities. This convergence of the physical and cyber worlds at an industrial scale translates to managing operations thousands of miles away, preventing critical machine failures through proactive detection and remediation, digitally tracking the supply chain, providing elderly care remotely, and many similar use cases.

The use cases are promising, no doubt. However, cyber threats are the bane of ubiquitous connectivity, and currently it is a major deterrent to IIoT adoption.

At the Industry of Things 2017, 62% of industrial participants cited cybersecurity and data privacy as their concern in regards to adopting IoT. The lack of standards for interoperability and interconnectivity comes next at 39% (IOT-WLD).

In traditional industrial settings, obscurity has ensured security. Air-gapping has been a prevalent security strategy for protecting sensitive industrial systems. By definition, an air- gapped system is not connected to any external network or system. Air-gapping as a strategy seems questionable in a digital era where assets are never fully immune to intrusion.

Connecting enterprise systems to boost productivity and efficiency came at a price. The Equifax cybersecurity breach in August 2017 reportedly exposed the identity of several million users, and this is just one of many instances of DDoS attacks, ransomware, fraudulent transactions, and even meddling with national administration and governance.

While the impact of enterprise cybercrimes has been mainly limited to loss in finances, brand reputation, and privacy, the impact of a security breach for mission critical assets is feared to be much more severe. For example, a breach in an airline database can expose confidential passenger records and personal data. However, by compromising an aircraft's flight control system, highly sensitive aviation data can be manipulated in real time; for example, the navigation dashboard could display the plane as traveling at a higher altitude than it actually is. A breach in an airline database is serious enough; however, loss of altitude (and safety) could have much worse consequences (WLT-ICS). A cybersecurity intrusion in a connected nuclear facility, manufacturing plant, smart energy grid, or connected hospital environment could cause massive damage in infrastructure and cost human lives.

That's why security is such an important criteria in every IIoT use case. In any IIoT deployment, security can neither be considered in isolation, nor can it be an afterthought. Processes, people, and things—the three components of any IIoT architecture—dictate its safety and security requirements. IIoT security encompasses the full solution life cycle, and this book provides security guidance across most of it. Awareness and proper cognizance of the unique security characteristics of connected industries, risk evaluation, mitigation across a product's life cycle, and "security by design" principles are central to any successful IIoT business strategy. Otherwise, costly security compromises could far outweigh the social and economic promises of IIoT.

Cybersecurity is the foster child of the internet. With the proliferation of networks and networks of networks, information (data) and intelligence (software programs and applications) stored in a given network domain became vulnerable to unauthorized access. To prevent such access and its consequences, cybersecurity and information security became an indispensable discipline. Cybersecurity can be generally defined as a technology stack of processes, protocols, and practices to protect computing systems (servers, application endpoints), data, and networks from unauthorized access, malicious attacks, and other forms of intentional and unintentional damage.

Securing the Industrial Internet can be considered as a superset of cybersecurity, since now we are talking about protecting cyber-physical systems.

A cyber-physical system (CPS) refers to any network-connected instrumentation that also interacts with the physical world. Consider the example of a thermostat that's connected to a data network. In the industrial context, a common example of a cyber-physical system is an industrial control systems or ICS. An ICS is a general term used to describe a wide variety of control systems and instrumentation that's used to control industrial processes. This ranges from small panel-mounted controller modules with few control loops to several geographically distributed controllers.

Large-scale ICS is usually deployed using supervisory control and data acquisition (SCADA) systems, or distributed control systems (DCS) and programmable logic controllers (PLCs). All systems receive data from remote sensors that measure process variables (PVs), compare these with desired set points (SPs), and derive command functions that are used to control a process through the final control elements (FCEs), such as control valves.

When a CPS is connected to an external network (let's say to a centralized cloud infrastructure), we can refer to it as a cyber-physical IoT. The following diagram is a generalization of an ICS or a cyber-physical system. The system could be controlling engine performance and acceleration in an automobile, or the temperature-based controls in a power grid:

In the case of cybersecurity, the prime focus is to protect the data itself. Data privacy and identity protection are the top priorities. In the case of cyber-physical security, visibility into the controls is important. For example, if a temperature sensor in a power generation plant is hacked remotely, it can incorrectly output very high temperature values, which would cause the control system to shut down the entire power plant. In the reverse case, that is, if the sensor output is much lower than what it should be, the control action may result in much more dangerous consequences.

General characteristics of any CPS/ICS system include:

• Ability to interact with the physical environment over a communication channel to receive inputs (for example, temperature) and/or feedback. In this case, unlike a cyberattack, an attacker can cause damage without breaking into the system by remotely triggering a set of physical actions. These actions can be sensed, causing the CPS to exhibit unexpected behavior. This highlights the need to secure the communication channel and the end devices.
• Management and control are typically distributed.
• Uncertainty regarding readings, status, and trust.
• Involves real-time control loops with deterministic performance requirements.
• Can be geographically spread over a large area, with components in locations that lack physical security.

These characteristics render cyber-physical security more complex than cybersecurity. In CPS, due to environmental interactions, a security breach has physical safety implications.

This necessitates cyber-physical control systems being inherently resilient. A control system is characterized as resilient when it can maintain state awareness and an accepted level of steady state behavior (operational normalcy) when exposed to abnormal conditions, which include intentional and unintentional errors, malicious attacks, and disturbances (RIE-GERT).

In ITU-T Y.2060, we came across the following definitions for devices and things in the context of IoT (ITU-IOT): "Device: A piece of equipment with the mandatory capabilities of communication and the optional capabilities of sensing, actuation, data capture, data storage, and data processing. Thing: An object of the physical world (physical things) or the information world (virtual things), which is capable of being identified and integrated into communication networks."

In the IoT context, the capability to communicate and decipher data is an intrinsic property of things. With increasing digitization and connectivity in industries, industrial "things" include a wide spectrum of equipment and devices, starting with low memory, power, and computing footprints. In addition to physical assets, things include virtual objects, too. For example, certain IoT cloud platforms uses the concept of a digital "twin", which is an exact digital replica of its physical counterpart (for example, a wind turbine), to gain greater visibility and easier access to a CPS for efficient fault detection and remediation.

Technologies and platforms that come under the umbrella of IIoT are, in a sense, laying the foundations for greater levels of process efficiency and optimization, ushering in new business models and revenue paradigms. Connectivity is an inseparable dimension of these advancements, and one of the fundamental facets of connectivity is cyber threats, however unfortunate that may sound. As standard-based connectivity technologies replace proprietary industrial protocols, threats commonly seen in IT domains, for example, malware, data exfiltration, unauthorized remote access, and so on, become increasingly applicable to industrial networks as well.

OT refers to the hardware and software dedicated to detect or induce changes in physical processes. OT involves technologies that are used to directly monitor and/or control physical devices such as valves, pumps, and so on. As an example, consider the computing and connectivity technologies involved in an ICS/SCADA system of a power station or a railway locomotive manufacturing facility, which monitors and controls the various physical systems and plant processes.

By adopting IoT, as industries accelerate into the future, it is important to evaluate the current industrial assets and technologies in a typical industrial deployment, and to determine practical mechanisms to transition to greater efficiencies without compromising resiliency. So, before diving deeper into the subject of IIoT security, the prevalent industrial devices, systems, and technologies are discussed in this section.

Though often incorrectly confused with IoT, digital M2M has existed in industries for the last two to three decades. Broadly speaking, M2M refers to any technology that enables machines to exchange information and perform actions without any human mediation. From that end, M2M is foundational to the development of IoT.

To quote from (GART-IOT) ,"The key components of an M2M system are: Field-deployed wireless devices with embedded sensors or RFID-Wireless communication networks with complementary wireline access includes, but is not limited to cellular communication, Wi-Fi, ZigBee, WiMAX, wireless LAN (WLAN), generic DSL (xDSL), and fiber to the x (FTTx)."

The cellular M2M communications industry can be traced back to when Siemens developed and launched a GSM data module called M1 in 1995. M1 was based on the Siemens mobile phone S6, which was used for M2M industrial applications; it enabled machines to communicate over wireless networks.

In industries, telemetry was a very common use case for M2M, in addition to remote monitoring and the control of field assets.

SCADA is a distributed control system architecture used to control geographically dispersed assets. Distribution systems such as electrical power grids, oil and natural gas pipelines, water distribution, railway transportation, and so on heavily rely on centralized data acquisition and control. A SCADA control center monitors alarms and processes data for field sites, usually over long-distance communications networks. This information from the remote stations is used to push automated or operator-driven supervisory commands to remote field devices (which will be discussed later in this section) to control local operations such as the opening/closing of valves, breakers, collecting sensor data, and so on (NIST-800-82r2).

A DCS is functionally similar to SCADA, though it is typically used for localized control in continuous manufacturing process use cases, for example, a fuel or steam flow in a power plant, petroleum in a refinery, and distillation in a chemical plant. As DCS localizes control functions near the process plant, it is a more cost-effective, secure, and reliable option for uses cases where the control room is not geographically remote.

PLCs are extensively used in most industrial processes. PLCs are solid-state closed-loop control system components that are used in SCADA and DCS to provide operational control of discrete processes such as automobile assembly lines.

Being localized within a factory or plant, DCS and PLC communications use reliable and high-speed local area network (LAN) technologies. On the contrary, SCADA systems cover larger geographical territories, and need to account for long-distance communication challenges, delays, and data loss in remote sensor networks.

An ICS is an overarching industrial technology that usually includes SCADA, DCS, and PLC functionalities.

An ICS is a generic term used for all industrial systems that perform data acquisition, monitoring, and supervisory control of local and remote devices and assets. In the previous section, we talked about SCADA, DCS, and PLCs, which are the basic building blocks for centralized monitoring and control of distributed assets and operations, which are sometimes scattered over thousands of square kilometers. The following diagram shows the various functional levels of a manufacturing control system:

From the preceding diagram, we come to know of the following:

• Field devices such as sensors and control valves in level 0
• Industrial microcontrollers and input/output (I/O) modules, which are shown in level 2
• Control room elements, including supervisory computers with consolidated process information and operator control screens, which are in level 2
• Production control, which is shown in level 3, is mainly concerned with the monitoring of production activities and assets
• Production scheduling functions are captured in level 4

Field devices are remote station control devices that can act on either automated or operator-driven supervisory commands from central control stations. These control stations generate commands, such as for opening or closing valves and breakers, collecting data from sensor systems, monitoring local environments for alarm conditions, and so on, based on information received from other remote stations (NIST-800-82r2).

These are industry-specific components that interface with digital or analog systems and expose data to the outside digital world. They provide machine to machine, human to machine, and machine to human capabilities for ICS to exchange information (real-time or near real- time), thus enabling other components of the IIoT landscape. This includes sensors, interpreters, translators, event generators, loggers, and so on.

Plant devices and equipment include sensors and actuators, control valves, and so on, which sense and act on commands from ICS.

The following diagram shows the various components of an ICS/SCADA system:

An overview of the various ICS/SCADA control components is provided here:

• Control server: The control server hosts supervisory control software (for DCS and PLC), which communicates with subordinate control devices over an ICS network.
• Master terminal unit (MTU): MTU or the SCADA server acts as the master in a SCADA system, while remote terminal units and PLC devices, which are located at remote field sites, act as slaves.
• Remote telemetry unit (RTU): The RTU supports data acquisition and control in SCADA remote stations. As field devices, RTUs are equipped with both wired and wireless (radio) interfaces.
• Intelligent electronic devices (IED): These are smart sensors/actuators containing the intelligence required to acquire data, communicate to other devices, and perform local processing and control. An IED could combine an analog input sensor, analog output, low-level control capabilities, a communication system, and program memory in one device.
• Human-machine interface (HMI): The HMI is usually stationed in centralized control rooms, and includes the software and hardware that allow human operators to monitor the state of a process under control, modify control settings, configure set points and control algorithms, and manually override automatic control operations in the event of an emergency. The HMI displays process status information and reports to supervisory personnel, who usually have internet access.
• Data historian and IO server: The data historian is a centralized database for logging all processed information within an ICS and supports various planning and report generation functions, while the IO server collects and buffers information from PLCs, RTUs, and IEDs.

Industrial control networks involve a lot of connectivity across the various levels of the control hierarchy, as shown in the following diagram:

Field devices and sensors usually communicate with a Fieldbus controller, which can uniquely identify them. For long-distance SCADA communications, routers are used to connect the LAN and WAN segments. Network segregation strategies are implemented using industrial firewalls. Firewalls enable fundamental network-based access control of resources on a particular network segment. Furthermore, depending on deep packet inspection (DPI) capabilities, there is the potential to get into protocol-level filtering as well. Consider an example of a firewall with DPI that is looking at Modbus traffic to manage read versus write versus read/write privileges based on the data source.

Considering the nature of OT traffic and the protocols involved, these firewalls are quite different from IT or next-gen firewalls, which we will discuss in greater depth in subsequent chapters. And yes, modems are still used to enable long-distance serial communications between MTUs and remote field devices in SCADA systems. DCS and PLCs use modems and remote access points to gain remote access to field stations for command, control, and configuration changes for operations, maintenance, and diagnostic purposes. Examples include using a personal digital assistant (PDA) to access data over a LAN through a wireless access point, and using a laptop and modem connection to remotely access an ICS system.

ICS networks involves deterministic, tight control loops. Fieldbus refers to the family of ICS networks used for real-time distributed control. These protocols are usually defined to satisfy the requirements of specific industry verticals, are proprietary, and as such have limited interoperability. Examples include the Common Industrial Protocol (CIP), Modbus (Modbus-serial, Modbus-TCP), DNP3, Profibus, Profinet, Powerlink Ethernet, OPC, EtherCAT, HTTP/FTP, GOOSE, GSSE for automated power substations (defined in the IEC 61850 standard), and so on.

Many of these protocols support both serial and Ethernet-based TCP/IP stacks, and have been in deployment since as far back as the 1960s. Many vulnerabilities exist in these protocols, and these will be examined in Chapter 5, Securing Connectivity and Communications.

To sum up this section, OT technologies have evolved over a very different runway than information technologies, with a life cycle that runs into decades. In industrial operations, maximizing equipment uptime is critical. So, many industrial deployments today adhere to age-old technologies, which were never designed with security and interoperability in mind. Understanding these technologies is important for planning and designing secured IIoT architectures.

Even though security technologies for OT deployments exist today, the Industrial Internet pushes the boundaries much further with state-of the-art software, firmware, and connectivity paradigms, thus calling for a major shift in mindsets. How does IIoT provide an evolutionary path for existing ICS systems? Let's discuss that now.

Industrial systems generate a lot of data. The introduction of the Industrial Internet and Industrie 4.0 is driving a shift in the context for this field generated data. In a manufacturing plant, for example, the data generated by a sensor can pertain to control and actuation, and it may contain telemetry and diagnostics data. The latter may not be immediately consumed by the control level devices, but this telemetry and diagnostics data can be analyzed by higher business application functions for process optimization, anomaly detection, predictive maintenance, and other value-added applications.

This compelling dimension of IIoT is a main driver for organizations to redefine and transform their existing control and information architectures.

Traditionally, industrial enterprises have kept their operational and IT domains separate. The operational dynamics of OT and IT domains have also been discreet. This has two major implications with respect to the Internet of Things:

• An IIoT solution involves connectivity and hardware-software solutions provided by a rather complex ecosystem of vendors. Some IIoT solutions such as connected cars, fleet management, and so on that involve technologies from more than one industry vertical; this calls for the greater need for system interoperability. These factors are driving OT environments to transition to open, standards-based, IT-based solutions, such as the internet protocol stack, containerized software platforms, and so on.
• The main value proposition of IIoT centers on harnessing the value of machine and sensor data to create efficient processes and services. Centralized cloud platforms performing advanced analytics are essential components of IIoT architectures. OT platforms and ICS/SCADA networks now connect to the cloud using IP-based connectivity. This ubiquitous connectivity exposes enterprises to new cyber risks and attack vectors, raising the need to securely interconnect enterprise IT and OT networks.

While legacy industrial deployments (brownfield) may continue to coexist, IIoT is also a major driver for prioritizing security and integrating security into newer architectures.

From a security standpoint, the convergence of IT and OT translates to intertwining the principles of safety and reliability from the OT environment with those of cybersecurity from the IT environment. Now is the time to drive sufficient clarity on the expanded significance of industrial security, and to make it easy for industrial end users to understand and identify security as a critical issue that needs systematic investment.

Although IIoT architectures have many use case-specific variations, in this section, we shall consider a basic example architecture to establish the context. Subsequent chapters present multiple IIoT reference architectures and architecture-based case studies.

Most IIoT deployments are brownfield, and involve both new and legacy technologies. In the following diagram, the main components of the architecture are:

• Sensor networks (communicating over Wi-Fi/BLE)
• A controller/aggregator
• An edge gateway connecting the industrial systems to cloud-based platforms for analytics
• Business applications used for data visualization and insights:

In the case of a brownfield deployment, as shown in the following diagram, the SCADA network is connected to the cloud via an edge gateway. Traffic needs to be securely controlled both at the ingress and at the egress of the edge device:

In the case of a large wind farm, several remote windmill units are controlled by the ICS/SCADA system. With the adoption of IIoT, the wind farm gets connected to a cloud-based IoT platform. Data from the wind turbines is sent up to a data center to do analytics and so on in the cloud. The turbine data has to go through an edge device, which can be a gateway, center hub, or edge controller. This edge device collects telemetry and diagnostics information from the wind farm sensors. In this edge device, a lot of protocol handshakes and translations occur, and as such, it provides a sweet spot for attackers to inject malware. The vulnerable edge device needs to be fortified with security counter measures. For example, deep inspection of packet flow to inspect both IT and OT protocols (MODBUS, TCP, and UDP) to detect anomalies is important.

Such deployments involving multiple vendors and technologies provide a favorable environment for mistakes, oversight, and misconfigurations. So, there must be enough visibility to see exactly what's happening in the OT network. In traditional OT networks, there is a serious lack of traffic visibility as compared to IT networks, in terms of traffic flows, source destination information, and so on. That's because historically, OT environments were considered immune to cyberattacks. Besides that, proprietary technologies and "security by obscurity" principles were erroneously deemed to be secure by design.

In order to effectively comprehend the scope of IIoT security, we need to keep the divergent operational dynamics and priorities of IT and OT in perspective, and mainly those that have evolved over the past decades. This divergence impacts the approach to security as well. The adoption of standard-based IT technologies in OT environments necessitates the adoption of IT security best practices as well. However, these practices must preserve if not enhance the safety and reliability capabilities of industrial systems, and the ability to protect physical assets and processes. These distinguishing characteristics render IIOT security a considerably challenging feat that we must achieve.

The following diagram illustrates a side-by-side comparison of priorities in IT and OT environments in the context of securing operations:

In the case of securing ICS and SCADA networks, the protection of the plant, people, and processes takes precedence. Industrial controls involve engineered processes (for example, the opening/closing of valves, turning energy levels higher/lower, and so on). These controls and commands must function in a deterministic fashion. Thus, although industrial controls are not technically integral to a security framework, security measures must align with industrial control requirements.

In IT networks, it may suffice to inspect network layer traffic, but to secure OT environments, industrial firewalls are expected to perform deep-packet inspection to monitor and analyze actual commands in the application layer.

The availability of OT systems and infrastructure is shown next in terms of priority. With the introduction of data-centric models and the Internet of Things, data integrity is arguably more important than availability in certain use cases.

In IT environments, data confidentiality, integrity, and system availability are the main priorities (not necessarily in any particular order, as in some use cases, system availability takes precedence over confidentiality).

Attack surfaces differ considerably in IT and OT environments. IT is characterized by ever-evolving and intertwined technology stacks, which makes the attack surface rather fluid and dynamic. IT data traffic is primarily hierarchical, north-sound bound. The IT cybersecurity approach is usually threat-based, constantly plugging holes for new malware and viruses. The threat actors in IT typically target monetary gains and, as such, range from miniscule to large, organized cybercriminals.

In the case of OT, although the processes and controls are deterministic, the attack surfaces can be vast and scary. Their diverse deployments foster several avenues of intentional and unintentional cyber incidents. An attack surface in the case of OT is laterally spread, as there is not much traffic traversing north-south across the DMZ. OT cyber threats involve a completely different type of adversary. Threat actors in the case of ICS are usually not after money, and often involve nation state actors whose prime motivation is to inflict large-scale disruption in business, national, or political arenas.

The following diagram illustrates the diverse attack surfaces in a typical industrial use case:

Industrial systems are highly interconnected and mutually dependent in complex ways, both physically and through a host of information and communications technologies. This dependency often leads to the interplay of more than one organization or business entity.

In the case of critical infrastructure, this collaborative model is often referred to as a system of systems. The Industrial Internet and Industrie 4.0 further enhance this concept, as IIoT solutions typically involve multiple technologies, systems, and ecosystem collaborators. A failure in any one part of the system of systems can directly or indirectly cascade into other connected systems, thereby intensifying the consequences.

Consider the example of an electric power transmission SCADA system, where a cascading failure can be initiated by disrupting the wireless communications network. In the absence of adequate monitoring and recovery capabilities, such failures could take one or more generating units offline. This event can, in turn, lead to the loss of power at a transmission substation, which could subsequently cause a major imbalance, triggering a cascading failure across the power grid. This would ultimately result in large-scale blackouts and could potentially impact dependent operations such as oil and natural gas production, refinery operations, water treatment systems, wastewater collection systems, pipeline transport systems, and so on, which rely on the grid for electric power.

The following table summarizes the divergent characteristics of IT and ICS security (in a pre-IIoT context) (NIST-800-82r2):

In spite of these differences, it is important to note that there are areas where IT and OT security overlap and converge. According to Gartner's 80/20 rule of thumb (GART-IIoT), with the growing adoption of IT technologies in OT, 80 percent of the security issues faced by OT are almost identical to IT, while the remaining 20 percent are diverging and involve critical assets such as people, environment, and systems.

On the topic of air-gapping OT environments, here's some comprehensive guidance excerpted from GE-Wurldtech' s research paper (WLT-ICS):

"The common notion that industrial assets are immune to cyber-attacks if parts of them are isolated from the internet (or other vulnerable corporate networks) is no longer practical in a hyper-connected enterprise. Although total air-gapping of an industrial network is possible, there are several reasons why this may not be a reliable security measure for industrial enterprises. For example, Wi-Fi, Ethernet ports, and USB ports present vulnerable attack surfaces. File transfers between the company and outsiders are inevitable as a hacker can infiltrate the organization's network by installing malicious software through such file transfers. An increasing number of companies are encouraging their employees to adopt the bring-your-own-device (BYOD) trend; however, the probability of a cyberattack through compromised personal devices is high. Even if an industrial network is completely air-gapped, it is still vulnerable to potential threats from accidental or intentional damage from its internal workforce. The only way to control this internal attack vector is by continuously monitoring the network and by implementing rigid access control mechanisms."

To summarize this section, the differences in operational dynamics and risk patterns between ICS and IT systems necessitates careful consideration when building IIoT security strategies. To counteract these new attack vectors that have been exposed by IIoT adoption, industrial enterprises need to factor in these differences. Merely applying legacy IT security in OT may cause more problems than what it solves. Vulnerabilities and attack surfaces that are specific to the OT infrastructure need to be assessed; advanced security best practices that exist in the IT side of the house, for example, increased visibility into assets and traffic, need to be adopted. The measurement of "security success criteria" between IT and OT need to be aligned by accounting for human and environmental safety. OT-specific vulnerabilities would need to be prioritized, and existing security gaps would need to be addressed.

As we saw in the previous section, any discussion of IIoT security needs to factor in the pillars of information assurance (IA), in addition to physical safety and resiliency. In IIoT, the confidentiality and integrity of data is as relevant as the resiliency of controls and the safety of physical assets and people. In this context, let's define the pillars of IIoT security as follows:

• Confidentiality: Protecting sensitive information from disclosure and maintaining data privacy
• Integrity: Information is not modified, accidentally or purposefully, without being detected
• Authentication: Data is accessed by known entities, while making sure that that data belongs to a known identity or endpoint (this generally follows identification)
• Non-repudiation: Ensuring that an individual or system cannot later deny having performed an action
• Availability: Ensuring that information is available when needed

In addition to these pillars, the disciplines of resiliency and safety are defined as:

• Resilience: Ensuring the industrial control system maintains state awareness and an accepted level of operational normalcy in response to disturbances, including threats of an unexpected and malicious nature
• Safety: Ensuing in the event of an attack that the affected system does not cause injury, harm, or damage to the environment or people

In the foundation of these tenets of IIOT security, let's examine the typical threats, vulnerabilities, and risk factors that are pertinent to connected industrial systems.

A threat can be defined as the potential of an exploit for a given system. Threat actors refers to the adversaries who trigger or inflict the exploit. In the case of an industrial system, such as a wind turbine, a threat actor could be either natural or man-made.

In the IIoT context, threats impact both the information and physical domains. The privacy and integrity of machine data—both control and payload—have the potential to be exploited. Unauthorized access and manipulation of IoT platforms, software, and firmware are also potential threats. On the other hand, IoT devices and control systems are exposed to physical reliability, resilience, and safety threats. Control system transfer functions, state estimation filters, sensing, feedback loops, and so on can also be targeted by malicious players. For example, manipulating a sensor/actuator system can cause a control valve to transmit dangerous levels of chemicals that may damage the immediate environment or interdependent system.

There is no silver bullet for industrial security, even though some brands lay claim to it. The adoption of digital technologies expose new types of attack vectors, and newer attack surfaces. A practical approach for IIoT security is to adopt a defense in depth strategy for security, wherein each defense mechanism makes it so much more formidable for the attacker.

Defense in depth (also known as the Castle Approach) is a concept found in IA, where multiple layers of security controls (defense) are placed throughout the architecture to be protected. Its intent is to provide redundancy in the event if any one security control fails or a vulnerability is exploited, the system will still be protected. These defenses can cover aspects of personnel, procedural, technical, and physical security for the duration of the system's life cycle. For any specific use case, system architects need to consider how the data flows and how to secure the data flow. Determining which data is important and needs protection within a given context is also vital.

Threat actors, in the case of IIoT systems, include:

• Cyberattackers: The sophistication of attacks is growing worldwide and monetary gains associated with the dark web are also on the rise. Even if no monetary gains are involved, a cyberattacker may spy, spoof, inject malicious malware, or launch a DDoS attack.
• Bot-network operators: These actors launch coordinated attacks to distribute phishing schemes, spam, malware leading to DDoS, or ransomware attacks.
• Criminal and terrorist groups: Nation state actors, international corporate spies, and organized crime organizations also pose a threat and could take control of processes, identity, and so on, and are often motivated by geopolitical interests.
• Insiders: Exploits from insiders can be both intentional and unintentional. While disgruntled insiders can be threat actors causing serious damage, Wi-Fi/Ethernet/USB ports/BYOD can unintentionally result in a malicious event. In fact, unintentional human errors contribute to a high percentage of incidents in enterprises.

Other threat actors include phishers, spammers, malware/spyware authors, industrial spies, and so on.

Vulnerabilities refer to the software and hardware weaknesses that are inherent in the system and can expose the system to threats. System vulnerabilities can be the outcome of how it was designed, implemented, tested, or is operated. While vulnerabilities are unavoidable, proper assessment and proactive remediation techniques need to be employed to combat them.

Vulnerability in any part of the deployment can be subject to an exploit. Experienced cyberattackers are aware of potential vulnerabilities. This makes the attack surface complex and scary. In subsequent chapters, IIoT security strategies and countermeasures will deal with this topic in greater depth.

The following subsections contain a categorized list of common vulnerabilities that are applicable to any cyber-physical IoT security plan (NIST-800-82r2).

The following is a list that gives some insight into policy and procedure vulnerabilities:

• Inadequate ICS security policy
• Lack of formal ICS security training and awareness program
• Inadequate security architecture and design
• Lack of documented security procedures that have been developed based on ICS security policy
• Absent or deficient ICS equipment implementation guidelines
• Lack of administrative mechanisms for security enforcement

The following is a list that gives some insight into platform vulnerabilities:

• OS and vendor software patches may not be developed until after security vulnerabilities are found
• OS and application security patches are not maintained
• OS and application security patches are implemented without exhaustive testing
• Critical configurations are not stored or backed up
• Inadequate authentication and authorization, inadequate testing of security changes
• Inadequate physical protection (location, unauthorized access) for critical systems
• Insecure remote access on ICS components
• Lack of redundancy for critical components

The following is a list that gives some insight into software platform vulnerabilities:

• Buffer overflow and installed security policies are not enabled by default, including Denial of Service (DoS), lack of password encryption, and the mishandling of undefined, poorly defined, or "illegal" conditions.
• Detection/prevention software not installed, lack of sandboxing, inadequate authentication and access control for configuration and programming software, intrusion detection/prevention software, insufficient logging, incidents not detected, and so on.

The following list explains the main considerations regarding network vulnerability:

• Vulnerable legacy protocols with insufficient security capabilities
• Weak network security architecture
• Network device configurations not stored or backed up
• Unencrypted passwords, lack of password expiration policies
• Inadequate access controls applied
• Inadequate physical protection of network equipment
• Unsecured physical ports
• Non-critical personnel have access to equipment and network connections
• Lack of redundancy for critical networks
• No security perimeter defined, firewalls not used adequately, and control networks used for non-control traffic
• Lack of integrity checking for communications
• Inadequate data protection between clients and access points:

Risk can be defined as the probability of a successful exploit and the associated loss thereafter. While a security vulnerability is innate to a platform, risk refers to the chances of that vulnerability being exploited to cause the anticipated damage. For example, an industrial computer used to process accounting data may be running an application with known authentication and remote access control defects. If this computer is air-gapped, the risk associated with these defects is almost negligible. However, when connected to the internet, the associated risk increases by a great degree (IOT-SEC).

Risks can be managed by using threat modeling (which will be described in Chapter 2, Industrial IoT Dataflow and Security Architecture), which helps to ascertain the possible exposure, impact, and overall cost associated with an exploit. It also helps to estimate the importance of the exposure to the attackers, their skill levels to launch the attack, and so on. Risk management practices help to deploy mitigation strategies proactively.

Some examples of ICS risks that have been introduced by brownfield IoT deployments are:

• The adoption of open-standard protocols and technologies with known vulnerabilities
• The connectivity of the control systems to external networks and data centers
• Insecure and rogue connections
• Widespread availability of technical information about control systems

Over the last decade, the frequency and sophistication of industrial cyberattacks have evolved remarkably.

Prior to the year 2000 and the related Y2K concerns, cyberattacks were much less frequently reported and less sophisticated, and generally involved breaking into computers by cracking the passwords. In the past decade, the attacks have become more sophisticated, involving ransomware, malware injected denial of service attacks, data spoofing, and so on. Increased coordination and the formation of botnets of up to 100,000 nodes paints a bleak picture as to what to expect in the future. Nation state actors and cyber criminals backed by major funding are in a position to exploit a nation's social, financial, and critical infrastructures.

The cybersecurity for the C-Level fact sheet (DHS-NCCIC) from the Department of Homeland Security (DHS) entreats industrial enterprise leaders to prioritize cybersecurity strategies in increasingly connected industry environments. It highlights the growing rate and sophistication of malware attacks, citing Havex and BlackEnergy as examples. Havex, which operates as a Remote Access Trojan (RAT), can inject unauthorized control commands onto ICS/SCADA devices and cause denial of service in critical infrastructures (for example, water, and energy); BlackEnergy, another Trojan-type bug, can compromise HMI software to gain access to control systems:

Based on the discussions so far, you can probably appreciate the enormity of the opportunities the Industrial Internet presents. The unique convergence of Moore's law with mobile and cloud-based technologies is enabling several breakthroughs in predictive services, intelligent processes, efficient control, ubiquitous connectivity, newer streams of revenue, and above all better living standards.

As the network moves from the last mile to the last micron, field sensors, water irrigation pumps, and automobile engines are digitally transforming into data sources and sinks. Just as the orchestration of connectivity, analytics, and control varies across industry sectors, so does the nature of security vulnerabilities, attack surfaces, and cyber threats. In this section, cyber risk gaps are discussed for a few industry-specific IIoT use cases, which sets the IIoT security methodologies discussed in the rest of this book into perspective.

IoT connectivity in power generation and distribution (smart grids) is an important use case that enables utility companies to communicate with their retail and enterprise consumers. This bidirectional communication enables demand-based variable energy production, as well as fuel and cost optimization (NIST-SMG). With smart metering, utility workers no longer need to physically visit consumer premises to obtain meter readings. This makes metering and billing more accurate and cost-efficient. Accuracy in tracking and reporting usage enables utility companies to gain better insights into customer energy usage profiles, which enables them to optimize usage and defer usage away from peak hours.

A power generation utility is a typical example of a system of systems, with highly distributed control systems and networks. Smart grids are, in general, implemented in a way that depends massively on TCP/IP networks, both wired and wireless.

In many power generation facilities around the globe, the cyber defense practices utilized today are often outdated. Inadequate use of risk management practices and security controls such as industrial firewalls with DPI capabilities and access control render these facilities exposed to cyber risks.

As critical infrastructures, the impact of a cyberattack in these facilities could potentially cascade onto other interdependent systems, such as water purification facilities, smart city traffic control systems, and so on. In Chapter 9, Real-World Case Studies in IIoT Security, the anatomy of a power grid cyberattack is discussed elaborately.

Data suggests that energy sectors are more prone to cyberattacks and more than 15% of industrial cyberattacks target the energy sector (ENER-SYMT). Stuxnet, Duqu, Shamoon, and Night Dragon are infamous security incidents that targeted the energy sector. Internet threats are one of the prime concerns in the energy sector, compounded with the ubiquity of legacy systems, which were originally designed as air-gapped systems and still remain to be fortified with security controls.

In manufacturing plants, unscheduled downtime has always been the top reason for lost productivity. Critical asset failures largely contribute to these unplanned shutdowns. Finding effective ways to predict and prevent asset failures on the factory floor has always been a hard-to-win battle. Today, the evolving framework of IoT enables us to better manage physical assets using smart sensing, scaled connectivity, and data-driven predictability. Using the IIoT framework, manufacturing plants can deploy instrumentation across the factory processes to establish a digital continuum, which connects information and utilizes actionable data. Real-time analysis of this data enables early fault detection and data-driven decision making, which in turn helps minimize unplanned downtime and improve performance, and therefore increase profits.

In manufacturing, legacy technologies, inadequate cybersecurity skills among OT operators to conduct timely patches, upgrades, segmentation, perimeter-based defense, and so on pose a serious cyber risk. The interplay of multiple vendors owning the various components of an IIoT solution and the vulnerabilities in third-party systems, such as unsecured APIs, lack of permission-based access, the use of clear text, and so on, need to be carefully examined:

In June 2010, 14 industrial sites, including a uranium-enrichment plant, were infected by a 500 KB computer worm called Stuxnet. The worm entered one of the computers through a USB stick, and feigned a trustworthy digital certificate to evade automated detection systems. It proliferated via the enterprise LAN and infected air-gapped computers, owing to its ability to be transmitted through a USB drive.

The worm attacked in three phases:

• Phase 1: Targeted Microsoft Windows machines and networks.
• Phase 2: Checked whether the ICS was controlled by Siemens Step7, a Windows-based application used to control centrifuges in Iranian nuclear plants. If the system was not a target, Stuxnet did nothing except spy on its sensitive information.
• Phase 3: It attacked PLCs that controlled the centrifuges.

The Stuxnet worm was unusually smart and exploited four zero-day vulnerabilities, namely:

• The LNK vulnerability: LNK is a file shortcut in Microsoft Windows
• Shared printer-spooler vulnerability: Used to spread in shared printers in a LAN
• Privilege escalation vulnerability: To gain system-level privileges even in thoroughly locked down computers

After infecting the controller system, the worm would relay false feedback information to upstream controllers to evade threat detection until it was too late. The Stuxnet worm was estimated to have destroyed 984 uranium enriching centrifuges, which is estimated to have contributed to a 30% decrease in enrichment efficiency (STN-REP).

From the flow of the attack, it seemed obvious that financial gain was not the goal of this attack. The sophistication of the attack suggests the involvement of nation state actors. Although the exact motive of the attack is debatable, the worm specifically targeted the Siemens systems used in the Iranian nuclear plants. To be able to slow down the Iranian fuel enrichment program is also widely accepted as a possible motive.

The Stuxnet cyberattack amply testifies to the impact of a breach in mission-critical industrial control systems, which are widely used in power generation, manufacturing, automobiles, and so on.

A few key takeaways from this incident are as follows:

• Industrial systems can be infected, even if they are air-gapped. LAN connectivity accentuates this risk. The internet and cloud connectivity allow for much easier proliferation, thus multiplying the risk by many factors.
• Financial gain is usually not the goal of industrial attacks. Reports indicate that subverting the Iranian fuel enrichment program was the motive of Stuxnet. In any case, the role of nation state actors in industrial cyberattacks is amply showcased in this case and the impact of such breaches can potentially lead to warfare-like consequences, often dubbed the "Cyber-Pearl-Harbor."

Driverless, autonomous vehicles taking over the city's roads is the grandest human dream of this decade. Fuel efficiency, hassle-free commuting, parking efficiencies, traffic and road safety, reduction in harmful fuel emissions, and so on are the advantages associated with the vision of autonomous vehicles. While we may have to wait some more years before we can live in this dream, internet-enabled connected vehicles and fleet management are very much a reality. Connected sensor meshs, communications using vehicle to vehicle (V2V) and vehicle to infrastructure (V2I), telemetry, AI and machine learning, cloud connectivity, and so on are the building blocks to make connected vehicles a reality. General Motor's OnStar, Ford's Sync, and Chrysler's Uconnect are some examples of early-stage connected vehicle technologies that are already in use.

Road safety, mobility, and the environment are the top priorities of the connected vehicle program that the US Department of Transportation (DOT) is driving, in partnership with state and local transportation agencies. The National Highway Traffic Safety Administration (NHTSA) estimates that connected vehicles can reduce the 5 million recorded crashes on US roads by 80% (DOT-VHC). According to DOT, surface transportation loses nearly 4 billion gallons of gas each year due to traffic congestion, which also significantly adds to the greenhouse gases (GHG) that vehicles emit. Smart traffic controls thus equate to both fuel and environmental efficiency.

Nextgen connected vehicle communication uses dedicated short-range communications (DSRC), in addition to cellular, GPS, Bluetooth, and so on, to gain 360-degree road awareness. Forward Collision Warning (FSW) doesn't depend on line-of-sight. Considering a driver's data privacy, vehicle information—heading, position, speed, and so on—are communicated using Basic Safety Messages (BSM), which eliminates any personal identifying information (PII) regarding the vehicle or the driver.

In connected vehicles, several complex technologies intricately interplay. The software and hardware often involve multiple vendors. Cloud connectivity provides inroads for black hat hackers. Vulnerabilities in an automobile's control area network (CAN) databus, use of insecure APIs in the software modules, lack of permission control for third-party applications, inadequate "security by design" practices, and penetration testing provide a wide attack surface that can very well shatter our smart transportation dreams.

By exploiting a software bug, security experts Charlie Miller and Chris Valasek demonstrated the fatal consequences of an on-the-road hack when they wirelessly sabotaged a 2014 Jeep Cherokee. The full exploit is explained in Miller and Velesek's report (http://illmatics.com/Remote%20Car%20Hacking.pdf)

Several IoT applications are digitally transforming healthcare systems around the world. Some of the common IoT use cases are connected hospitals, where connected medical devices are simplifying critical patient monitoring instruments. In hospitals, smart medical equipment provides accurate data and reduces cluttered wiring, thus reducing human error-related accidents. Remote monitoring of patients, particularly the elderly, is also a promising use case.

Real-time tracking of medical devices and personnel (such as doctors) in large healthcare facilities is possible by using Bluetooth low-energy (BLE) and RFID. Real-time OS and high throughput data buses allow the cloud connectivity of medical equipment to optimize equipment usage, reduce cost, and improve patient care with instant reports and health analytics. In the pharmaceutical industry, robotics and biosensors are improving the quality of drug manufacturing. IoT also improves visibility into the supply chain of pharmaceuticals, ensuring improved drug quality and patient safety.

In November 2017, for the very first time, the Food and Drug Administration (FDA) approved a digital pill (FDA-MED). A digital pill is a medication that's embedded with a sensor that can tell doctors whether and when patients take their medicine. Since critical medical devices and drugs are linked to human life/death conditions, conformance to FDA regulation is a helpful safety gate. Although regulatory intervention holds the reins for healthcare digitization, connected medical devices and hospitals are a reality today. Black hat incidents in hospitals also testify to the fluid attack surfaces that have been exposed with the adoption of internet connectivity in this slow-moving sector.

May 2017 saw one of the worst cyberattacks in medical history, which crippled the UK's National Health Service with the WannaCry ransomware. Outdated software and applications, legacy systems, and inadequate cybersecurity practices pose major risks for black hat exploits. Inadequate cybersecurity awareness among hospital staff, and the lack of security disciplines such as regular patch cycles, and so on add to the risk factors. In the case of a cybersecurity breach, loss of confidential information such as a patients' medical and financial records is bad enough, but an OT cyber incident can also temper with medication and monitoring devices, which could cost human lives.

In May 2017, WannaCry ransomware spread across enterprises in 150 countries. The ransomware was combined with a Microsoft Windows Server Message Block (SMB) protocol exploit called EternalBlue (ETN-WRD). The IT infrastructure in enterprises including Telefonifa, Santander, Deutsche Bank, Fedex, and so on was infected. However, the biggest impact was seen in hospitals belonging to the UK's National Health Service (NHS), where swathes of computers were infected, forcing hospitals to turn away patients and cancel surgeries.

The EternalBlue exploit, when successfully delivered, grants admin access to every connected system in an Enterprise IT infrastructure. The vulnerability existed in legacy Miscrosoft Windows versions—Windows 7 and 8, XP, and 2003.

The WannaCry cyberattack went viral quickly and proved the notion of multipliers in force in a connected business world. The impact on the UK's NHS hospitals exposed two facts:

• The cyber risk gaps prevalent in OT environments: The lack of a security patch that exposed the NHS's network to the WannaCry cyberattack, which had been released by Microsoft two months prior to the attack. Threats such as WannaCry highlighted the gap in organizations' priorities and understanding to apply security patches in a timely manner. Newer operating system versions integrate many security fixes over their predecessors. WannaCry affected deprecated Windows operating systems, which meant that Windows 10 escaped unscathed. Lack of enterprise-wide software and hardware upgrades and the use of outdated legacy software is often seen in industrial enterprises. This extends the attack surface in OT environments.
• How a cyber incident can impact healthcare processes and patients: Although there has been no reports of fatal consequences, the attack reportedly locked out numerous devices in acute care facilities (trusts), blood testing and diagnostic equipment, and MRI scanners, leading to the cancellation of thousands of appointments and operations (DIG-HLT).

This chapter acts as a foundation to the subsequent discussion of IIoT security methodologies. This chapter presented the enormity of the opportunities that IIoT offers, and established the need for securing IIoT deployments and investments.

Many foundational concepts of industrial systems and security were laid down in this chapter. Readers now understand the unique characteristics of ICS/SCADA/DCS systems, the implications of OT and IT convergence in the context of their divergent operational paradigms, and the prevailing cyber risk gaps in some prominent industrial use cases with real-world case studies.

As we continue to build an actionable blueprint for secured IIoT deployments, Chapter 2, Industrial IoT Dataflow and Security Architecture, will introduce the IIoT security framework for protecting industrial data flows and architecture. Readers will also find valuable information on IIoT threat modeling, and practical disciplines to decompose and design security architectures for highly sophisticated IIoT deployments.