Towards Effective Security Control Assignment in the ...

See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/291331788

Towards Effective Security Control Assignment in the Industrial Internet of Things

Conference Paper, December 2015. DOI: 10.1109/WF-IoT.2015.7389155

3 authors, including: Amin Hassanzadeh (Accenture Tech Labs)

All content following this page was uploaded by Amin Hassanzadeh on 20 January 2016.



Towards Effective Security Control Assignment in the Industrial Internet of Things

Amin Hassanzadeh, Shimon Modi, Shaan Mulchandani
Accenture Technology Labs, Arlington, Virginia, USA

Email: {firstname.lastname}@accenture.com

Abstract—The Industrial Internet of Things (IIoT), enabled by sensor driven computing, industrial analytics and intelligent machine applications, is driving new growth opportunities and operational efficiency for enterprises across a range of commercial sectors. Increasing interconnectivity of industrial infrastructure, however, has expanded the attack surface and made it a prominent target of cyber attacks. Recent cyber attack campaigns against Industrial Control Systems (ICS), such as Stuxnet and Night Dragon, have shown the rise in level of sophistication of such attacks and the need to rethink ICS security. Although there is merit in applying security controls designed for enterprise/IT infrastructures to IIoT, this by itself is insufficient. In this paper we argue the need to rethink how security controls are applied to IIoT, and account for the unique nuances of its architecture stack and operational processes. We also propose a new framework for analyzing effectiveness of security controls in IIoT environments, and show how it can be used by security architects to design and deploy new systems.

I. INTRODUCTION

A number of disruptive technologies over the last decade have changed how we think about enhanced productivity, and have redefined business models. These include cloud computing, pervasive access through mobile devices, and big data processing. The Internet of Things (IoT) combines numerous trends and shifts, with advances in sensor technology and ubiquitous communication, to provide smarter solutions to end-users. These end-users can be broadly categorized into two groups: (1) Consumer, (2) Industrial.

Consumer-facing IoT, characterized by wearables and smart devices, is enhancing our lifestyle by enabling easier tracking and modification of daily activities. Product examples include fitness trackers, wearables, and home automation devices amongst others. Industrial IoT (IIoT) is characterized by sensor driven computing, industrial analytics, and intelligent machine applications that directly impact automation in critical infrastructure, and enhance enterprise productivity. Although consumer IoT devices receive a majority share of media publicity, IIoT is a key driver of growth, efficiency, and competitiveness in a global economy. As an example, predicting the onset of equipment failure allows asset owners and operators to save up to 12 percent when compared to scheduled repairs. This reduces overall maintenance costs up to 30 percent, and eliminates the likelihood of breakdowns by up to 70 percent [1]. Smart factories are using sensors for improved visibility, and advanced process control, to increase production capacity/efficiency and minimize operation disruption.

While a new age is being ushered in by IIoT, these capabilities have far-reaching security implications. Traditional best practices of enforcing air-gaps in industrial networks are becoming difficult to implement, and impossible to maintain, as organizations seek to leverage real-time analytics. Increased connectivity will allow attackers to exploit new attack vectors, and manipulate processes that directly impact the physical realm. Insecure industrial communication protocols, previously not assessed for risks, must be reassessed within a connected ecosystem.

Cyber security frameworks developed for enterprise/IT systems provide us with lessons learned. Unique characteristics of IIoT, however, prevent these frameworks from being directly applicable. For example, the SANS Critical Security Controls [2] provide 20 recommendations targeted to improve risk posture, and mitigate against contemporary threats. While these have been vetted and gained strong consensus, they do not account for the operational realities of the IIoT.

Industrial systems are designed to adhere to strict performance and reliability requirements, owing to their provision and support of critical functionality. Should a patch or update be required, an industrial system cannot simply be powered down or rebooted, as a result of downtime cost and intangible impacts. These systems often use highly-customized infrastructure programmed for specific tasks, with lifecycles of over 15–20 years. Certain instances may mandate continued operation of systems despite lack of continued support. Vulnerability patches effective for IT systems may not be effective on, or even applicable to, such industrial systems. Furthermore, enterprise security teams prioritize Confidentiality and Integrity over Availability (CIA), while industrial systems operators account for maximum availability (i.e., AIC) due to operational demands.

Numerous security challenges exist in both enterprise/IT and IIoT domains; however, solutions effective in one domain may not always apply to the other. In this paper we focus on analyzing the effectiveness of security controls for IIoT architectures, and the need for security architects to rethink how security controls are deployed. Our analysis consists of the following steps:

• Enumerating traditional security controls, obtained from best practices documents, and mapping them to the framework (Table I).

• Analyzing several industrial security incidents, e.g. Night Dragon, Stuxnet, Shamoon, and overlaying onto the framework the controls which, if applied, would have prevented or detected these attacks (Table II).

• Conducting a gap analysis to determine efficacy of security controls in the IACS architecture (Table III).

Our analysis included multiple incidents across different industrial sectors, and highlights security controls which, when activated appropriately, can improve prevention and detection of such attacks.

II. BACKGROUND AND ANALYSIS

A. IIoT Architecture

The Industrial Internet of Things, which includes traditional Industrial Control Systems (ICS) and Operational Technology (OT), underpins several critical infrastructure and industrial sectors (e.g., manufacturing, distribution, and transportation) that provide control and monitoring functionalities for these facilities. As the IIoT brings about a convergence of enterprise network and ICS infrastructure, new architectures that include end-to-end Information Technology (IT) and OT networking components are rapidly emerging. Contemporary ICS are rarely air-gapped from enterprise networks due to business processes that require communication between IT and OT [3]. An ICS network consists of multiple zones, where a zone is a set of assets grouped together to expose a subclass of services and applications for the entire ICS network. Figure 1 depicts a typical ICS network consisting of multiple zones that is referenced in the Industrial Automation and Control Systems (IACS) Security standard (ISA-62443) [4]:

• Level 0: Physical processes run at this level, with a variety of sensors and actuators involved in basic manufacturing processes. Examples include driving a motor, measuring variables, and setting an output.

• Level 1: Intelligent control devices (e.g., PLCs¹ and DCS²) that manipulate manufacturing processes reside at this level, and interact with Level 0.

• Level 2: Control systems supervise, monitor, and control physical processes during their runtime. Real-time controls and software, HMI³ and alerting systems, and SCADA⁴ software are examples that use Ethernet and IP networking protocols.

• Level 3: Manufacturing operations systems provide site-level operation and asset/material management. Reporting, production scheduling, plant historian, and middleware are also at this level. Patch, file, domain, DHCP, DNS, WINS, NTP, and terminal services for the OT network reside at this level.

• DMZ: This zone is critical to ensuring separation of IT and OT networks. The DMZ includes all corporate-accessible services (e.g., web, email) and prevents direct access to OT devices from the enterprise network.

• Level 4/5: Business logistics and enterprise systems reside at this level, known as the IT network. Logistics systems are responsible for managing material use, asset inventory, and production schedule.

¹ Programmable Logic Controller
² Distributed Control System
³ Human-Machine Interface
⁴ Supervisory Control and Data Acquisition

Fig. 1. ISA-62443 Zoned Architecture
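The zone list above implies a conduit policy: enterprise systems (Level 4/5) reach OT only through the DMZ, and flows otherwise move between neighbouring levels. The following is an added example, not code from the paper, that audits a flow table against that policy. The level assignments follow the list above; the rule that a flow may cross at most one adjacent level, the hypothetical host names and the sample flows are assumptions made here for illustration. The one rule the text states directly, that the DMZ must prevent direct enterprise-to-OT access, is checked explicitly.

```python
"""Zone/conduit audit over the ISA-62443 levels listed above.

Added example, not the paper's code. The adjacency rule, host inventory and
flow table are constructed assumptions; the DMZ-bypass rule comes from the text.
"""

ENTERPRISE = {4, 5}     # Level 4/5: IT network
OT = {0, 1, 2, 3}       # Levels 0-3: OT network
DMZ = "DMZ"

# Position of each level along the stack; Levels 4 and 5 share the IT network.
RANK = {0: 0, 1: 1, 2: 2, 3: 3, DMZ: 4, 4: 5, 5: 5}

# Constructed host inventory (hypothetical names) mapped to levels.
HOST_LEVEL = {
    "erp-db": 5, "user-ws": 4,
    "dmz-patch": DMZ, "dmz-historian": DMZ,
    "mes": 3, "scada": 2, "hmi-1": 2, "plc-1": 1, "valve-1": 0,
}


def check_flow(src_level, dst_level):
    """Return (allowed, reason) for a flow between two levels."""
    ends = {src_level, dst_level}
    # Rule stated by the text: no direct enterprise <-> OT access.
    if ends & ENTERPRISE and ends & OT:
        return False, "enterprise<->OT flow bypasses the DMZ"
    # Assumed rule: a conduit joins neighbouring levels only.
    if abs(RANK[src_level] - RANK[dst_level]) > 1:
        return False, f"flow skips levels ({src_level} -> {dst_level})"
    return True, "adjacent levels"


def audit_flows(flows, host_level=HOST_LEVEL):
    """Return violations as (src_host, dst_host, reason) for (src, dst) flows."""
    violations = []
    for src, dst in flows:
        ok, reason = check_flow(host_level[src], host_level[dst])
        if not ok:
            violations.append((src, dst, reason))
    return violations


# Constructed sample flow table, e.g. from a firewall rule export.
SAMPLE_FLOWS = [
    ("user-ws", "dmz-patch"),     # 4 -> DMZ: allowed
    ("dmz-patch", "mes"),         # DMZ -> 3: allowed
    ("erp-db", "dmz-historian"),  # 5 -> DMZ: allowed
    ("scada", "plc-1"),           # 2 -> 1: allowed
    ("user-ws", "hmi-1"),         # 4 -> 2: bypasses the DMZ
    ("mes", "plc-1"),             # 3 -> 1: skips Level 2
    ("dmz-patch", "plc-1"),       # DMZ -> 1: skips Levels 3 and 2
]

if __name__ == "__main__":
    for violation in audit_flows(SAMPLE_FLOWS):
        print("VIOLATION:", *violation)
```

The last sample flow is the shape the Night Dragon scenario later in the paper takes (a DMZ server reaching edge devices directly); a conduit audit of this kind surfaces it before an incident does.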

B. IIoT Security Controls

The inherent difference between prioritization of security capabilities in IT and OT environments (CIA vs. AIC) poses a challenge to architecting secure, reliable ICS networks [5]. As such, cyber security controls utilized for ICS security cannot simply mirror or replicate those within IT environments.

With a view toward preparing and assisting industrial sectors to improve their critical infrastructure security, the National Institute of Standards and Technology (NIST) published a framework to address and manage ICS cyber security risks [6]. As network architectures, industrial sectors, and corresponding threat models may differ widely, the framework serves as a baseline and not a universal solution in and of itself. Organizations may customize, extend, and utilize the framework via application of security controls and functions. At its core, the framework is comprised of five functions: identification, protection, detection, response, and recovery, with each being implemented through a set of security controls. As stated in Section I, our research emphasizes prevention and detection of cyber threats in IIoT, with response and recovery considered to be outside the scope of this study.

Security controls are defined as technical, operational, and management controls that protect Availability, Integrity, and Confidentiality of IIoT industrial systems, and their information [3]. Table I provides a list of NIST-recommended security controls for threat protection, detection, and identification in ICS environments. These controls are the most frequently targeted security capabilities by over 30 commercial products, surveyed as part of our vendor landscape, and classified into six groups based on underlying technologies addressed by vendors.

TABLE I. IACS ARCHITECTURE SECURITY CONTROLS (table body not captured in this extraction)

C. Analysis Methodology

Significant differences in types of control systems implemented in each critical sector [7] result in a variation of attack vectors, and consequently require a specific, optimal set of security controls to safeguard an ICS network against such targeted attacks. Therefore, a recommended security control for protection of critical assets and infrastructure in one industrial sector may not be as impactful in protecting all other infrastructures. Moreover, deployment of security controls in an appropriate architectural level of an industrial network is crucial to their efficacy.

To determine security control effectiveness in an IACS architecture, we analyzed ten recently reported industrial security incidents across various industrial sectors listed in the Repository of Industrial Security Incidents (RISI) [8]. Effective control assignment focuses on maximizing threat protection and detection.

For each incident obtained from RISI, we emulated the threat scenario (detailed in Section IV) using the IACS architecture, and highlighted applicable security controls which, when activated appropriately, could have prevented the attack from negatively impacting critical infrastructure. Furthermore, all publicly available security analysis for the incident, and resulting insights, are incorporated in our resultant matrix.

As an example from Table I, in order to measure the effectiveness of traffic encryption in Level 2 of the IACS architecture, we need to understand how many incidents in our RISI-based list could be (partially or entirely) prevented/detected if traffic encryption controls had been enabled in Level 2. If traffic encryption in Level 2 could prevent/detect all K incidents studied, the effectiveness of this security control on that IACS architecture level is 100%. The number of incidents effectively prevented/detected by a security control within a specific IACS level is not only directly proportional to its efficacy at that level, but also to the confidence in its applicability within a broader range of security deployment scenarios.

It should be noted that the IACS architecture (ISA-62443) is considered for the purpose of our research. Our methodology is extensible, and encompasses additional architectures by overlaying security controls onto the architecture topology, considering high-impact industrial incidents reported within the particular industrial sector, and then distilling a subset of effective controls based on multiple emulation runs of the threat scenario and abstraction of analyzed results.
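The effectiveness measure defined above (incidents prevented or detected by a control at a given level, divided by the K incidents studied) is straightforward to compute once the per-incident evidence is recorded. The following is an added example, not the paper's code and not its Table III data: the incident names, the control/level pairs and the weights are constructed. It generalizes the single traffic-encryption case in the text to a full control-by-level matrix; the 0.5 weight for a "partially" prevented/detected incident is an assumption made here, as the paper only distinguishes partial from entire coverage.

```python
"""Security-control effectiveness per IACS level, as the text defines it:
effectiveness(control, level) = (# of K incidents prevented/detected) / K * 100.

Added example; constructed evidence, not the paper's data. The 0.5 partial
weight is an assumption made here.
"""
from collections import defaultdict

# incident -> {(control, level): degree of prevention/detection}
# 1.0 = entirely, 0.5 = partially, absent = no effect. Constructed data.
INCIDENTS = {
    "incident-A": {("traffic encryption", 2): 1.0, ("application whitelisting", 3): 0.5},
    "incident-B": {("traffic encryption", 2): 0.5, ("identity & access management", 5): 1.0},
    "incident-C": {("identity & access management", 5): 1.0, ("application whitelisting", 3): 1.0},
    "incident-D": {("PLC anomaly detection", 1): 1.0},
}


def effectiveness(incidents, control, level, partial_credit=True):
    """Percentage of the K incidents covered by `control` deployed at `level`.
    With partial_credit=False only entire prevention/detection counts."""
    k = len(incidents)
    if k == 0:
        raise ValueError("no incidents studied (K = 0)")
    total = 0.0
    for evidence in incidents.values():
        w = evidence.get((control, level), 0.0)
        total += w if partial_credit else (1.0 if w >= 1.0 else 0.0)
    return 100.0 * total / k


def effectiveness_matrix(incidents, partial_credit=True):
    """{(control, level): effectiveness %} for every pair any incident mentions."""
    pairs = {pair for evidence in incidents.values() for pair in evidence}
    return {pair: effectiveness(incidents, pair[0], pair[1], partial_credit)
            for pair in pairs}


def rank(matrix):
    """Most effective (control, level) pairs first; ties broken by name, then level."""
    return sorted(matrix.items(), key=lambda kv: (-kv[1], kv[0][0], kv[0][1]))


def level_totals(matrix):
    """Sum of effectiveness per level: where a control budget buys the most."""
    totals = defaultdict(float)
    for (_, level), pct in matrix.items():
        totals[level] += pct
    return dict(totals)


def shade(pct):
    """Text stand-in for the paper's light-to-dark colour scale (10 steps)."""
    return " .:-=+*#%@"[min(9, int(pct // 10))]


if __name__ == "__main__":
    matrix = effectiveness_matrix(INCIDENTS)
    for (control, level), pct in rank(matrix):
        print(f"[{shade(pct)}] Level {level}: {control:<30} {pct:5.1f}%")
    print("per-level totals:", level_totals(matrix))
```

Running the strict variant (`partial_credit=False`) alongside the default shows how much of a control's score rests on partial coverage, which is the "confidence in its applicability" caveat the text raises.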

III. INDUSTRIAL SECURITY INCIDENT SURVEY

Technological advances and increased interconnectivity have led to an exponential increase in IIoT environment attack surface. The sophistication of cyber attacks has increased significantly over the last decade; today's attackers use spear phishing, watering holes, and advanced malware as entry points for multi-step, multi-domain attacks. This section briefly reviews cyber attack campaigns from the last few years.

Stuxnet: Stuxnet can be credited with bringing industrial domain threats into mainstream discussion around cyber attacks. This malware was designed to compromise PLCs and surreptitiously modify the behavior of centrifuges used to enrich uranium. The malware operates in three phases. First, it auto-executes on USB drives, which allows for infected portable devices to infect networks traditionally isolated by air-gaps. Second, the malware determines if the target is running Siemens PCS7 or Simatic WinCC software, and attempts to modify Step7 project files used to control PLCs. Third, after access to an S7-417 PLC is obtained, valve settings are modified and recorded measurement readings are played in a loop to avoid detection by HMI operators [9].

Shamoon: The W32.Disttrack/Shamoon virus was designed to wipe the hard drives of computers, and it targeted energy companies in the Middle East. Shamoon is comprised of three components: (1) a Dropper that creates system files and executes itself remotely, (2) a Wiper that is activated on a hardcoded configuration date to collect file names and overwrite them with a JPEG image or 192KB blocks of random data, including the master boot record, and (3) a Reporter that sends an HTTP GET request to the command-and-control (C&C) server to report the domain name, IP address, and number of files overwritten. By acquiring user credentials and gaining domain controller access, attackers can deploy malware across many systems [10].

Dragonfly: Dragonfly is an ICS malware campaign that targeted industrial process suppliers with the purpose of collecting sensitive information from infected targets. The malware was spread using the following tactics: spam emails and spear phishing attacks, wherein emails related to office administration issues and containing PDFs were sent to energy sector organizations; watering hole tactics targeting Java or Internet Explorer vulnerabilities to deploy C&C malware on the victim's computer; and compromising several update sites for ICS software vendors, and bundling malware with legitimate updates. Once installed on a victim's computer, the malware gathers system information, along with file lists, applications installed, and the root of hard drives. The data collected by the malware is then encrypted and stored in a file to be sent to a remote C&C server. It also allowed an authenticated user to download a compressed version of the stolen data for each particular victim [11].

Night Dragon: Night Dragon was a malware campaign that was first discovered by McAfee threat researchers. The intent of the malware was to conduct espionage and collect sensitive information from the energy sector. The attack leveraged SQL injection vulnerabilities present in web-based SQL Server databases, which can be exploited by HTTP GET requests, as the initial entry point. Malware is deployed on these servers via installation of web shells, and is used to harvest employee account credentials. Employee accounts are subsequently utilized to access servers in the OT network, with remote administration tool (RAT) malware installed on OT-based devices to conduct additional reconnaissance and exfiltrate confidential data [12]. An instance of this attack is demonstrated in Section IV.

IV. EXPERIMENT RESULTS

The availability, scope, and magnitude of security controls that can potentially be deployed across different layers of the ICS architecture pose a challenge in determining an optimal, objective assignment. An empirical approach is needed to emphasize the relative importance of particular controls in safeguarding against Advanced Persistent Threats (APT) and campaigns as a function of their tactics and techniques. In this section, we present our experiment in simulating an ICS network, developing a pseudo-random generator to execute an attack possessing attributes of Night Dragon, and discuss the appropriate prevention/mitigation controls upon reviewing experiment results.

Fig. 2. Simulated Network Topology for Night Dragon Attack

Closely representative of the ISA-62443 model, and similar to infrastructure environments compromised by real-world attacks, we modeled a relatively simple multi-domain environment. As shown in Figure 4, our network topology consists of a Corporate IT environment comprising user workstations, SQL Server-based Enterprise Resource Planning (ERP) systems, and additional devices on a network with IPv4 range 123.43.86.x. Similarly, the OT DMZ present on 114.98.70.x consists of various servers (Historian, Patch, Application, etc.); while two OT subnets, isolated from each other and not publicly accessible, are addressed locally by 192.168.50.x and 192.168.150.x respectively. Network Intrusion Detection Systems (NIDS) and Intrusion Prevention Systems (IPS) are deployed across the topology as shown. These security systems, along with certain hosts (e.g. SQL Server instances, Historian), have alert/exception logging capabilities.

Utilizing pseudo-random network traffic generation and alert logging, we simulated ICS network traffic to log between 300,000 and 400,000 alerts during a single run of the simulation. Each run contained an adaptive Markov chain-based instantiation of the Night Dragon attack, wherein a SQL Server database in the IT environment was compromised either directly (or via an associated web interface) from an external source, followed by access to the OT-based DMZ and compromise of one or more servers, and eventual installation of Remote Access Tools (RAT) on HMIs and PLCs within the OT environment. An analysis of several runs yielded the following:

• Initial attack vectors targeted SQL Server databases via a combination of SQL injection attempts and default (or typical) credentials.

• OT-based DMZ servers were typically scanned for open ports running insecure or vulnerability-ridden services (FTP and NetBIOS were the most common).

  – Application, patch and data servers were the most heavily targeted.

• NIDS alerts were observed within the OT environment in relation to DMZ ⇔ OT traffic.

  – While our experiment simulated bundling of RATs with legitimate patches and data transferred to HMIs and PLCs, the lack of context surrounding observed NIDS alerts in the absence of this prior knowledge would cause these to be dismissed as false positives in real-world scenarios.

  – Lack of any host-based intrusion prevention/detection on edge devices (HMIs, PLCs) yields no security-based information or indication of asset compromise.

TABLE II. SECURITY CONTROLS EFFECTIVE IN PREVENTION/DETECTION OF NIGHT DRAGON ATTACKS (table body not captured in this extraction)

Our observations are based on simulated data and attack progressions, which are replicable in real-world environments by attackers through the use of phishing tactics or leveraging ICS search engines such as Shodan [13] to perform initial reconnaissance, and initiate the kill-chain. However, scenarios like Night Dragon can be mitigated against or contained, if not avoided altogether, via improvement of application security controls at the enterprise level, network perimeter and hardening controls within the DMZ, and introduction of host-based controls at the edge. Table II presents a more elaborate version of effective controls to safeguard against Night Dragon. While each security control may be further explained, such details are omitted for the sake of brevity.

A. Discussion

We repeated the experiment in Section IV for ten industrial incident scenarios (e.g. Stuxnet, Shamoon, Dragonfly) and analyzed attacks to determine the most effective security controls in these situations. Table III illustrates our consolidated analysis, wherein the degree of effectiveness of each control is a function of its efficacy in each scenario analyzed (e.g. “PLC anomaly detection”¹ in Level 1). Color intensity (light to dark) is directly proportional to how effective a particular control is in safeguarding against attacks analyzed.

Our analysis reveals that publicly accessible assets present within Level 3 (Manufacturing Zone) and Level 5 (Enterprise Zone) are the two most vulnerable areas in the IACS architecture. These typically serve as entry or initiation points for most attack vectors. As a result, organizations should emphasize threat protection controls (e.g. device and user Identity & Access Management) at these levels. Moreover, while network protection mechanisms (e.g. encryption, firewalls) are popular within the security community, threat detection and identification mechanisms (e.g. deep packet inspection, anomaly detection, whitelisting) are lacking. Although availability is the key requirement in IIoT, a survey of RISI incidents shows that only 7 of approximately 250 incidents focused on distributed denial of service (DDoS). This indicates that traditional IT-specific attacks against network availability are neither utilized with the same frequency nor produce the same results within IIoT networks; although we anticipate this to change as more IT-focused attacks propagate to OT domains.

TABLE III. SECURITY CONTROL EFFECTIVENESS AGAINST COMPLEX ATTACKS (table body not captured in this extraction)

If we observe effective controls spanning Level 1 of Table III, it can be argued that the controls presented are relatively fewer and of lesser importance as compared to Levels 3 and 5. This does not disregard the importance of securing these assets, or the risk of negative outcomes upon compromise, but contradicts the commonly accepted notion of edge device security being of paramount importance. While this is true in many consumer IoT applications (e.g. healthcare, home automation) and the utilities sector (advanced metering infrastructure), where endpoints are relatively more accessible and provide more incentives for compromise, the relative isolation of industrial edge devices results in a higher level of resistance for attackers to overcome in order to serve as an effective entry point. Therefore, a defense in depth strategy that proportionately allocates security controls at the edge, without attempting to overcompensate, is likely to result in an equally effective security posture.

Our proposed mechanism for determining security control effectiveness is directly applicable to real-world, possibly varying, IACS architecture implementations across critical sectors targeted by different adversaries and their tactics, techniques, and procedures (TTP). Given an IIoT network architecture and a super-set of security controls, one can adopt a similar analytical approach. Through examination and analysis of relevant architectural levels, security controls, and publicly analyzed incidents, one can determine the corresponding optimal security control assignment matrix.

V. CONCLUSION

With IIoT architectures and threats evolving, new developments require rethinking security strategy in order to have an effective, measurable security posture. As organizations seek to better understand security controls that provide the most value add, our framework can assist in determining the efficacy of deployed solutions, and potentially enable assessment of return on investment on such solutions. Furthermore, security architects may utilize this framework in the design and deployment of new systems or solutions. Our study shows that no single security control assignment matrix can be universally recommended for ICS networks; however, when considering the IACS architecture, a well-defined control matrix and analysis enables security professionals to provision effective IIoT security controls. As future work, we envision factoring in a dimension focused on various ICS protocols and their corresponding security controls.

REFERENCES

[1] G. P. Sullivan, R. Pugh, A. P. Melendez, and W. D. Hunt, Operations & Maintenance Best Practices: A Guide to Achieving Operational Efficiency. Pacific Northwest National Laboratory, 2010.

[2] SANS Institute, “The Critical Security Controls for Effective Cyber Defense,” https://www.sans.org/media/critical-security-controls/CSC-5.pdf, 2015, [Online; accessed 23-July-2015].

[3] K. Stouffer, J. Falco, and K. Scarfone, “Guide to Industrial Control Systems (ICS) Security,” NIST Special Publication, 2011.

[4] E. D. Knapp and J. T. Langill, Industrial Network Security: Securing Critical Infrastructure Networks for Smart Grid, SCADA, and Other Industrial Control Systems. Syngress, 2014.

[5] P. Didier, F. Macias, J. Harstad, R. Antholine, S. A. Johnston, S. Piyevsky, M. Schillace, G. Wilcox, D. Zaniewski, and S. Zuponcic, “Converged Plantwide Ethernet (CPwE) Design and Implementation Guide,” 2011.

[6] National Institute of Standards & Technology (NIST), “Framework for Improving Critical Infrastructure Cybersecurity,” February 2014.

[7] A. Lemay, M. Krotofil, J. M. Fernandez, and S. Knight, “Not all SCADA is equal: Impact of control models on ICS threat landscape,” in Proceedings of the 2nd International Symposium on ICS & SCADA Cyber Security Research, 2014, pp. 72–77.

[8] Security Incidents Organization, “RISI Online Incident Database,” http://www.risidata.com/Database, 2014, [Online; accessed 23-July-2015].

[9] N. Falliere, L. O. Murchu, and E. Chien, “W32.Stuxnet Dossier,” White paper, Symantec Corp., Security Response, vol. 5, 2011.

[10] C. Wueest, “Targeted attacks against the energy sector,” Symantec Security Response, Mountain View, CA, 2014.

[11] Symantec, “Cyberespionage attacks against energy suppliers, version 1.21,” Mountain View, California, 2014.

[12] McAfee, “Global Energy Cyberattacks: Night Dragon,” McAfee Foundstone Professional Services and McAfee Labs, 2011.

[13] J. C. Matherly, “Shodan Search Engine,” Available at [Online]: https://www.shodan.io/, 2009.
