Welcome!

WebRTC Summit Authors: Liz McMillan, Elizabeth White, Pat Romanski, Roger Strukhoff, Yeshim Deniz

Article

Enabling the industrial IoT with cyber security in mind

As technology has evolved, so has the intelligence and sophistication of cyber terrorists and their tactics.

Industrial Internet of Things (IIoT) networking technology and wireless Machine-to-Machine (M2M) communications solutions are critical to the daily operations of an increasingly connected and industrial world. With a greater dependence on providing reliable and secure high-speed connectivity to personnel, smart devices, machinery and many other geographically dispersed assets, electric utility operators require powerful, yet flexible, communications solutions for the business demands. The overall value proposition that these technologies bring is important for decision-makers to adopt and integrate into their smart grid infrastructures. Some of the main benefits are:

  • Optimising resource utilisation for increased efficiency.
  • Increasing visibility into potential failures and key operational factors through real-time information.
  • Reducing costs and environmental impact through monitoring/control across large geographic regions.
  • Automating safety and security measures to reduce critical event response time.
  • Centralising policy management to create greater adherence and more uniform enforcement of regulatory and compliance factors.
  • Enabling flexibility, scalability and mobility of networks to increase agility to changing market demands

Since electricity transmission and distribution grids are only as efficient, reliable and safe as the equipment and technology used, wireless communications equipment and technologies used in these grids must follow suit.

Furthermore, as utility operators continue to look for ways to improve their transmission and distribution networks, wireless M2M communications is a critical component because of rapid network installation, lower operational costs, high data throughput, and secure end-to-end transport. In order to achieve these benefits, wireless data networks must be aligned to specific and ranging requirements of the energy grid (generation, transmission, distribution and consumption) in which the wireless communications are utilised and exploited. Wireless IIoT networks transport vast volumes of information from a myriad of applications that are the smart grid; IIoT is the “glue” that holds, binds and delivers the Smart Grid.

In fact, electric utilities are at the forefront of the Industrial Internet of Things with complex and comprehensive wireless networks for advanced metering infrastructure, energy management, distribution and substation automation. It is estimated growth in IIoT applications for utilities and energy industries will increase from 485 million devices in 2013 to over 1.5 billion devices by 2020. This explosive growth in wireless networks, smart sensors and devices, and automated systems requires utilities to address, implement and monitor the security of their data networks because these are the networks providing command and control of critical infrastructure that is the Smart Gird.

As technology has evolved, so has the intelligence and sophistication of cyber terrorists and their tactics. In 2013, 40 per cent of the cyber-attacks handled by the Department of Homeland Security were against companies in the energy sector; one of the 16 Critical Infrastructure Sectors.

Considering the industrial internet threats to an electric power grid

According to the Federal Communications Commission (FCC), the two most common threats to wireless networking and communications technologies are Denial of Service (DoS) and Intrusion:

Denial of Service

Denial of Service is an attempt to make a computer resource or network unavailable to its intended users. DoS attacks could be as simple as jamming an electric or electromagnetic signal or as sophisticated as saturating a system or network with data traffic intended to overwhelm and make the network unavailable. The consequences of DoS attacks range from being simply irritating to destructive. For example, a valve controller does not receive a command to open a value to provide cooling oil resulting in distribution transformer system to overheat resulting in power outages.

Intrusion

Penetrating and intruding into a network or computer resource requires a different level of sophistication. Consequences can range from simply spying or stealing information to corrupting data or maliciously and intentionally causing harm or destruction by taking over network and/or computers and control systems. For example, intentionally penetrating energy management system networks to disrupt and even cut off or redirect the delivery of power to and from substations.

Additional Threats:

  • Sophisticated command and control attacks
  • Packet spoofing
  • Hijacking of sessions / interception
  • Replay attacks
  • Use of worms
  • Trojans and remote controllable Trojans (Back Orifice)
  • Use of a Virus and Anti-forensic techniques
  • Attacks on Domain Name System (DNS) infrastructure

These threats are not limited to wireless communication technologies and need to be addressed as part of a comprehensive cyber security strategy. Organisations must also plan for human error and/or deliberate attacks from internal sources.

Wireless M2M technology and the concept of resiliency

In order to harden a wireless M2M communications network, and further make IIoT networks and their connected assets less vulnerable to cyber threats, organisations need to implement a multi-layer security strategy, which includes robust networking equipment, hardened communications equipment, network access control and data encryption.

Hardened Communications Equipment

The first line of security is “trusted” networking equipment, where trusted equipment is far more than buying a recognised or favourite brand. Equipment should have the following characteristics.

- Enclosure should have a physical indicator that the mechanical enclosure has not been opened. This can be as simple as a tamper tape or more complex potted solutions.

- The equipment should have a Secure Bootloader, which resides in secure memory so that it cannot be altered or replaced. In addition, the Secure Bootloader validates the executable software image prior to loading it into memory. If the software image is not validated, the device is considered compromised and does not boot or boots with minimum functionality.

- Software images should be encrypted and keyed. This enables the Secure Bootloader to validate the software image prior to execution and prevents the software image from being copied for malicious purposes.

- Equipment must allow data ports to be enabled and disabled so unused ports are unavailable to persons in the proximity of the network equipment.

Consider networking equipment that is Federal Information Processing Standard (FIPS) 140-2 Level 2 validated.

FIPS 140-2 validation consists of four levels of increasing security.

- Level 1 (lowest) – Basic security requirements are specified for cryptographic module.

- Level 2 – Adds requirements for physical evidence of tampering, as well as role-based user authentication.

- Level 3 – Requires physical tampering resistance and stricter identity-based authentication.

- Level 4 (highest) – Adds even more physical security requirements and requires an even greater robustness to the platform, in order to hold up against environmental attacks.

Network Access Control

Network Access Control (NAC) is an essential security feature for wired and wireless networks, since it prevents unauthorised access and intrusion – external or internal – into managed networks. The result is the only right users or devices have access to the right information.

NAC tools are centralised policy and role-based tools, offering combined permissions auditing and management solution for administrators looking to secure their networks against authorised and unauthorised access. As a centralised tool, policy and role base profiles are managed and rapidly deployed across networks of any size.

Policy and role based should include:

- Access restrictions for time of day, day of week and location

- Personnel or device role (e.g. admin, user, guest, process controller)

- Work Group

- MAC Address of device through which access is initiated

A proven M2M communications network security strategy must go even further and protect data “in transit” as well. Even if an unauthorised device manages to gain access to the M2M communication network, it isn’t necessarily gaining access to the actual data without passing yet another layer of security.

Data Encryption

Data encryption is an essential part of any security strategy because it does not prevent unauthorised parties from intercepting a message, but encodes a message so only authorised parties can read it, which is a fundamental tenet for wireless networks.

Today, Advanced Encryption Standard (AES) with three keys lengths of 128, 192 and 256 bits is the industry default and used worldwide. As a US Federal Government standard and even used by the National Security Agency, AES can be trusted to protect sensitive information and maintain data privacy.

Wireless links should be encrypted using AES 128 at a minimum.

For a higher level of trust, consider networking equipment that is FIPS 140-2 Level 2 validated.

When a device is FIPS 140-2 validated, a known set of keys and test vectors are passed through the AES algorithm to validate the strength and completeness of the key generation and the encryption algorithm.

Overall, incorporating encryption is a way to ensure data privacy and is yet another way to layer security for information being communicated wirelessly.

Options for security policies and safeguards

The aforementioned access control and data encryption considerations create resilient and secure wireless networking and communication capabilities for critical infrastructure. However, an IIoT network security strategy also needs to address and implement policies that serve as safeguards, which make it difficult to circumvent security measures and limit the potential impact of a security breach.

Limitation of Permitted Activities

One method to implement safeguards is to limit permitted activities on the wireless network to only those absolutely required to perform or executed the assigned task. This is achieved by disabling ports not required such as TELNET, Port 23.

As an example, a wireless network primarily used for sensor data collection and remote command and control of devices should not allow a hacker that compromised the network to gain access to financial or other critical data. Such a limitation of permitted activities can be achieved through various means of security measures.

Firewalls and Packet Filtering

Packet Filtering and Firewalls based on packet filtering (executed in Layers 4 and lower) are essential features for IIoT devices. IIoT devices typically do not have the processing power for more sophisticated firewall schemes that require packet inspection and are performed at Layer 7.

Virtual Local Area Networks

Virtual Local Area Networks (VLANs) are used to separate the wireless network infrastructure and its management from the production network, devices and/or communication endpoints. By using VLAN’s, we see the introduction of another level of security, especially if combined with Quality of Service (QoS) mechanisms. Think of it as an emergency access to your wireless network infrastructure for remote management and control, in case a Denial of Service (DoS) attack overwhelms the actual payload and production network.

User Level Access

By implementing user-level access (password protected), network administrators provide personnel access to wireless network and devices to maintenance personnel, but limited to monitoring system health or performance without opening the system up to misuse because configuration and other privileges are reserved for a different user level and password.

Access limitation of local ports

The ability to control who is allowed access from local ports (e.g. through MAC address filtering) or even completely turning off local port access when they are not in use, making it essentially impossible (or at least very hard) for someone who gained physical access to your network infrastructure and devices to get connected and gain access to your private networks.

There are of course several additional safeguarding tactics and strategies worth considering, but these ideas are meant to provide a place from which to expand and adjust as needed.

Finally, in order to complete the M2M security approach, it takes vigilance.  Today’s M2M networks are not heuristic, self-healing, adaptive, self-optimising automatons.  They require an educated observer who is looking for anomalies, aberrations, outliers, exceptions and flat-out failures. M2M requires standards based protocols for determining the health of the network, integrity of the links and performance of the overlying applications.

Going forward with confidence

With the explosive growth of the IIoT market over the next 6 years in sensors, communication equipment (wired and wireless) and the applications to enable ever increasing levels of automation, electric utilities and companies in the energy sector must upgrade existing networks or deploy new networks with security at the forefront. While upgrading or implementing higher levels of security in IIoT and M2M networks, it is a double-edged sword.

- Can’t upgrade devices on a production network because it would disrupt a process

- A cyber-attack is going to disrupt the production network if it occurs.

Today, it is not a matter of “if” a cyber-attack is going to take place, but when.

The path forward is clear. Develop a cybersecurity plan that secures your expanding IIoT network, but understand threats that exist, and the services and features that are needed from your IIoT devices and networking equipment to lock down communications so they are available to the right persons or devices, when they need to be and can be managed as changes in policies or roles or processes dictate.

More Stories By Scott Allen

Scott is an executive leader with more than 25 years of experience in product lifecycle management, product marketing, business development, and technology deployment. He offers a unique blend of start-up aggressiveness and established company executive leadership, with expertise in product delivery, demand generation, and global market expansion. As CMO of FreeWave, Scott is responsible for product life cycle/management, GTM execution, demand generation, and brand creation/expansion strategies.

Prior to joining FreeWave, Scott held executive management positions at Fluke Networks (a Danaher Company), Network Associates (McAfee), and several start-ups including Mazu Networks and NEXVU Business Solutions. Scott earned his BA in Computer Information Systems from Weber University.

@WebRTCSummit Stories
SYS-CON Events announced today that CrowdReviews.com has been named “Media Sponsor” of SYS-CON's 22nd International Cloud Expo, which will take place on June 5–7, 2018, at the Javits Center in New York City, NY. CrowdReviews.com is a transparent online platform for determining which products and services are the best based on the opinion of the crowd. The crowd consists of Internet users that have experienced products and services first-hand and have an interest in letting other potential buyers learn their thoughts on their experience.
SYS-CON Events announced today that Telecom Reseller has been named “Media Sponsor” of SYS-CON's 22nd International Cloud Expo, which will take place on June 5-7, 2018, at the Javits Center in New York, NY. Telecom Reseller reports on Unified Communications, UCaaS, BPaaS for enterprise and SMBs. They report extensively on both customer premises based solutions such as IP-PBX as well as cloud based and hosted platforms.
It is of utmost importance for the future success of WebRTC to ensure that interoperability is operational between web browsers and any WebRTC-compliant client. To be guaranteed as operational and effective, interoperability must be tested extensively by establishing WebRTC data and media connections between different web browsers running on different devices and operating systems. In his session at WebRTC Summit at @ThingsExpo, Dr. Alex Gouaillard, CEO and Founder of CoSMo Software, presented a comprehensive view of the numerous testing challenges researchers have faced before arriving at the first release candidate of the WebRTC specifications.
WebRTC is great technology to build your own communication tools. It will be even more exciting experience it with advanced devices, such as a 360 Camera, 360 microphone, and a depth sensor camera. In his session at @ThingsExpo, Masashi Ganeko, a manager at INFOCOM Corporation, introduced two experimental projects from his team and what they learned from them. "Shotoku Tamago" uses the robot audition software HARK to track speakers in 360 video of a remote party. "Virtual Teleport" uses a multiple Intel RealSense Depth Camera to scan 3D and build 3D models in real-time, and display as hologram in front of remote participants.
SYS-CON Events announced today that Evatronix will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Evatronix SA offers comprehensive solutions in the design and implementation of electronic systems, in CAD / CAM deployment, and also is a designer and manufacturer of advanced 3D scanners for professional applications.
SYS-CON Events announced today that Synametrics Technologies will exhibit at SYS-CON's 22nd International Cloud Expo®, which will take place on June 5-7, 2018, at the Javits Center in New York, NY. Synametrics Technologies is a privately held company based in Plainsboro, New Jersey that has been providing solutions for the developer community since 1997. Based on the success of its initial product offerings such as WinSQL, Xeams, SynaMan and Syncrify, Synametrics continues to create and hone innovative products that help customers get more from their computer applications, databases and infrastructure. To date, over one million users around the world have chosen Synametrics solutions to help power their accelerated business and personal computing needs.
SYS-CON Events announced today that Google Cloud has been named “Keynote Sponsor” of SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Companies come to Google Cloud to transform their businesses. Google Cloud’s comprehensive portfolio – from infrastructure to apps to devices – helps enterprises innovate faster, scale smarter, stay secure, and do more with data than ever before.
Recently, WebRTC has a lot of eyes from market. The use cases of WebRTC are expanding - video chat, online education, online health care etc. Not only for human-to-human communication, but also IoT use cases such as machine to human use cases can be seen recently. One of the typical use-case is remote camera monitoring. With WebRTC, people can have interoperability and flexibility for deploying monitoring service. However, the benefit of WebRTC for IoT is not only its convenience and interoperability. It has lots of potential to address current issues around IoT - security, connectivity and so on - based on P2P technology. It will become a key-component especially in edge computing use cases, in his view.
Cloud Expo | DXWorld Expo have announced the conference tracks for Cloud Expo 2018. Cloud Expo will be held June 5-7, 2018, at the Javits Center in New York City, and November 6-8, 2018, at the Santa Clara Convention Center, Santa Clara, CA. Digital Transformation (DX) is a major focus with the introduction of DX Expo within the program. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive over the long term. A total of 88% of Fortune 500 companies from a generation ago are now out of business. Only 12% still survive. Similar percentages are found throughout enterprises of all sizes.
The 22nd International Cloud Expo | 1st DXWorld Expo has announced that its Call for Papers is open. Cloud Expo | DXWorld Expo, to be held June 5-7, 2018, at the Javits Center in New York, NY, brings together Cloud Computing, Digital Transformation, Big Data, Internet of Things, DevOps, Machine Learning and WebRTC to one location. With cloud computing driving a higher percentage of enterprise IT budgets every year, it becomes increasingly important to plant your flag in this fast-expanding business opportunity. Submit your speaking proposal today!
22nd International Cloud Expo, taking place June 5-7, 2018, at the Javits Center in New York City, NY, and co-located with the 1st DXWorld Expo will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud strategy. Meanwhile, 94% of enterprises are using some form of XaaS – software, platform, and infrastructure as a service.
22nd International Cloud Expo, taking place June 5-7, 2018, at the Javits Center in New York City, NY, and co-located with the 1st DXWorld Expo will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud strategy. Meanwhile, 94% of enterprises are using some form of XaaS – software, platform, and infrastructure as a service.
DevOps at Cloud Expo – being held June 5-7, 2018, at the Javits Center in New York, NY – announces that its Call for Papers is open. Born out of proven success in agile development, cloud computing, and process automation, DevOps is a macro trend you cannot afford to miss. From showcase success stories from early adopters and web-scale businesses, DevOps is expanding to organizations of all sizes, including the world's largest enterprises – and delivering real results. Among the proven benefits, DevOps is correlated with 20% faster time-to-market, 22% improvement in quality, and 18% reduction in dev and ops costs, according to research firm Vanson-Bourne. It is changing the way IT works, how businesses interact with customers, and how organizations are buying, building, and delivering software.
@DevOpsSummit at Cloud Expo, taking place June 5-7, 2018, at the Javits Center in New York City, NY, is co-located with 22nd Cloud Expo | 1st DXWorld Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time to wait for long development cycles that produce software that is obsolete at launch. DevOps may be disruptive, but it is essential.
SYS-CON Events announced today that T-Mobile exhibited at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. As America's Un-carrier, T-Mobile US, Inc., is redefining the way consumers and businesses buy wireless services through leading product and service innovation. The Company's advanced nationwide 4G LTE network delivers outstanding wireless experiences to 67.4 million customers who are unwilling to compromise on quality and value. Based in Bellevue, Washington, T-Mobile US provides services through its subsidiaries and operates its flagship brands, T-Mobile and MetroPCS. For more information, visit https://www.t-mobile.com.
SYS-CON Events announced today that Cedexis will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Cedexis is the leader in data-driven enterprise global traffic management. Whether optimizing traffic through datacenters, clouds, CDNs, or any combination, Cedexis solutions drive quality and cost-effectiveness. For more information, please visit https://www.cedexis.com.
SYS-CON Events announced today that Vivint to exhibit at SYS-CON's 21st Cloud Expo, which will take place on October 31 through November 2nd 2017 at the Santa Clara Convention Center in Santa Clara, California. As a leading smart home technology provider, Vivint offers home security, energy management, home automation, local cloud storage, and high-speed Internet solutions to more than one million customers throughout the United States and Canada. The end result is a smart home solution that saves you time and money and ultimately simplifies your life.
SYS-CON Events announced today that Opsani will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Opsani is the leading provider of deployment automation systems for running and scaling traditional enterprise applications on container infrastructure.
SYS-CON Events announced today that Nirmata will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Nirmata provides a comprehensive platform, for deploying, operating, and optimizing containerized applications across clouds, powered by Kubernetes. Nirmata empowers enterprise DevOps teams by fully automating the complex operations and management of application containers and its underlying resources. Nirmata not only simplifies deployment and management of Kubernetes clusters but also facilitates delivery and operations of applications by continuously monitoring the application and infrastructure for changes, and auto-tuning the application based on pre-defined policies. Using Nirmata, enterprises can accelerate their journey towards becoming cloud-native.
SYS-CON Events announced today that Opsani to exhibit at SYS-CON's 21st Cloud Expo, which will take place on October 31 through November 2nd 2017 at the Santa Clara Convention Center in Santa Clara, California. Opsani is creating the next generation of automated continuous deployment tools designed specifically for containers. How is continuous deployment different from continuous integration and continuous delivery? CI/CD tools provide build and test. Continuous Deployment is the means by which qualified changes in software code or architecture are automatically deployed to production as soon as they are ready. Adding continuous deployment to your toolchain is the final step to providing push button deployment for your developers.