Understanding the Vulnerabilities of IIoT Endpoints
Much has been written lately about IIoT endpoints and their many potential security vulnerabilities. As defined by the Industrial Internet Consortium (IIC), endpoints are devices that employ both computation and communications resources and expose functional capabilities. They may be simple sensors and programmable logic controllers (PLCs) or massive cloud servers with significant computing capabilities. Endpoints have many vulnerabilities susceptible to malicious or unintentional errors. These vulnerabilities can be exposed anywhere from the deployment environment to the development environment.
In its recently released Industrial Internet Security Framework (IISF) document, the IIC has identified 15 areas where endpoint vulnerabilities exist and every developer should be aware of them and plan appropriate protections accordingly. Here are excerpts from the security framework document:
Changes in hardware components and configuration (1): Hardware integrity must be assured throughout the endpoint lifecycle to deter uncontrolled changes to the hardware components. A potential vulnerability of the hardware is the usurpation of some part of the hardware resources. The endpoint must be able to protect itself against unauthorized access and the monopolizing of key resources such as memory, processing cycles and privileged processing modes.
Intercepts or overrides of the system boot process: The endpoint boot process (2) can be altered by modifying the firmware interface between the hardware platform firmware and the operating system such as the unified extensible firmware interface (UEFI) or basic Input/output system (BIOS).
Changes to the bootloader (3) are another threat as changes could compromise the integrity of the endpoint by starting unauthorized or insecure versions of the operating system. Attacks at this level could also affect the normal or secure boot process of the endpoint, the recognition of all the hardware resources and the establishment of a solid root of trust for securing other components.
Compromises to the Guest OS, Hypervisors (4) and Separation Kernels (5): These software layers control allocation of hardware resources to applications. Attacks to these layers can alter the behavior of the system, allow information flows to bypass security controls and enable attackers to gain privileged access to endpoint hardware and software resources. Once access is gained to this layer, attackers will have opportunity to affect the entire software stack and further alter security controls built in to this level.
Illicit changes to Application Software or exposed Application Programming Interface (API) in bare metal applications (6), native applications (7), runtime environment (8) or containers (9): Endpoint applications are often the target for malware or an attacker seeking to infiltrate and compromise the endpoint. Execution of malicious applications or overriding of application APIs can adversely impact the trustworthiness of the endpoint. Exposed APIs should also be protected against denial of service attack where continuous access from unauthorized users could limit the responsiveness and access to the exposed functionality.
Vulnerabilities of the Deployment Process (10): Errors and potential malicious code may also infiltrate the endpoint as part of the deployment process, for example, incorrect or malicious installation scripts, intercepted communications, or unauthorized replacement of a package on the update server. Reduction of possible endpoint configurations in largescale endpoint deployments will be important in reducing complexity and vulnerabilities in the deployment process.
Unwanted changes to Endpoint Data (11): Data throughout the endpoint from low-level firmware all the way up the software stack represents a key area of vulnerability. These vulnerabilities include unauthorized access to mission-critical or private data. Attackers may adversely affect the behavior of the system by injecting false data. Denial-of-service attacks on data access may impede timely and accurate execution of the endpoint functionality resulting in costly outcomes.
Breach of the Monitoring & Analysis system (12): An attacker could gain visibility on the functions of the monitored system. For example, an attacker could modify monitoring data to make it appear as if a particular event did not occur. Modification of the security logs and monitoring data may result in undetected vulnerabilities or compromised states. As a result, attackers would benefit from a coverage gap, compromising endpoint hardware and software or destroying evidence of their activities after an attack.
Vulnerabilities in Configuration & Management (13): Vulnerability of the Configuration & Management system may result from improper access control to the configuration management system, insertion of unauthorized changes in the system or corruption of update payloads. Updates to the endpoints should be planned and managed so as to limit the number of different operational configurations and reduce fragmentation of the fleet.
Uncontrolled changes to Security Policy and Model (14): Modification of the security policy and derived security models represent a serious threat to the system and its endpoints. Equally, weakness in the security policy is an area for exploitation by potential attackers.
Vulnerabilities in the Development Environment (15): The introduction of weaknesses during the software development lifecycle can leave the IIoT systems susceptible to attack. These weaknesses may be introduced during architecting, designing, or writing of the code. Use of vulnerable or malicious libraries or untrusted development frameworks may lead to their inclusion in the resulting code running in the IIoT system.
A thorough understanding of these vulnerabilities in relation to the IIoT system is crucial in addressing the architectural considerations required to protect endpoints. If you have further interest, the IIC is hosting a webinar, IIoT Endpoint Security: The Model in Practice, on February 22, 2017 from 8 a.m. to 9 a.m. PST. The webinar will take an in-depth look at the Protecting Endpoints chapter of the Industrial Internet Security Framework (IISF). The live event will be hosted by Marcellus Buchheit, CEO of WIBU-SYSTEMS USA and one of the primary authors and editors of the IISF document, and Terrence Barr, Head of Solutions Engineering at Electric Imp.
You can register here. All registrants will also have access to a recording after the Webinar.