With the emergence of smart technology driven by the Internet-of-Things (IoT) in India, the industrial sector has been relatively quick to take to the smarter aspects. Now, with rapid penetration of IoT within the industrial sector being the criteria, it is only obvious that the Industrial Control Systems (ICS) have practical layers of security to secure the entire system from external threat actors.
This is true in the Indian small and medium enterprises (SME) scenario as well. In this regard, Rahul R of Electronics For You interacted with Aditya Gupta who is Founder and Principal Consultant at Bengaluru-based Attify. Aditya offered valuable insights on the security threats (and related aspects) accompanying ICS devices and how these can be combated.
Q. Talking about the industrial internet of things (IIoT) security, what are the types of breaches that Indian SMEs should be aware of?
A. It is worth understanding that for both the IoT and industrial control systems (ICS), manufacturers make lot of mistakes when it comes to implementing secure layers. One of the biggest mistakes that IoT device developers commit is missing out on firmware integrity and signature verification. Even Google Nest had this vulnerability.
Device developers also do not pay attention to making attempts to verify genuineity of source. In fact, it is difficult to verify this, but it does no harm to at least put efforts to try and verify the sources from where smart devices and sensors are procured. This is a major issue that could potentially open- up doors for newer attacks to hit industrial systems.
The second major issue is the insecurity of radio-based communication. This often leads to attacks such as eavesdropping that in turn results in breaching data privacy levels.
Q. In line with your above insights, how relevant do you think that ethical testing is from an industrial perspective?
A. In fact a lot of companies do not resort to ethical testing, or do this very poorly. Maintaining dedicated security teams (resorting to ethical hacking of networks internally) is vital today. Penetration testing should also be carried out on all devices before these enter production.
Therefore, in this context, I think that ethical testing is completely relevant in today’s industrial scheme of things, especially in vital sectors such as healthcare and finance. Finally, ethical testing leads to proper evaluation of the entire architecture of devices. This approach naturally leads to formulation of enhanced security protocols for securing networks.
Q. From an IoT security layman’s perspective, why do cyber-criminals even target industrial systems?
A. Industrial systems today are viewed as ‘extremely lucrative’ by cyber-criminals. When digital industrial systems are compromised, the entire functioning of a particular industry can be slowed down several notches thereby resulting in both systematic as well as financial losses.
The best illustration, now, is a scenario where a city’s entire power grid system is taken down by hackers. This often results in irreplaceable losses.
A corporate competition perspective also comes into picture when we mention cyber-attacks. A competitor, in the corporate scenario, has lots to gain by taking down rival systems.
Q. Being an engineer yourself, can you suggest best practices for Indian embedded engineers to develop industrial systems having security of acceptable standards?
A. The first thing for Indian engineers is to get a grip of the embedded scenario (including the underlying threats) in the physical world. This can be accomplished via heuristic research.
Now, as per my experience, a major issue plaguing IoT security and ICS is poorly designed code. This is a result of improper research by engineers (about embedding security from the chip level). Security protocols should be properly defined within individual levels, in modules. These ‘well-secured’ modules can them be integrated to the main components in order to ensure near-perfect secure IoT devices.