The 2016 Distributed Denial of Service (DDoS) attack on Dyn came from more than 100,000 infected devices. DDoS attacks leverage massive quantities of unsecured Internet-connected devices to disrupt Internet services worldwide [DYN]. This malicious and sophisticated attack kicked off serious conversations about network security and highlighted the vulnerability of Internet of Things (IoT) devices. Infected IoT devices connect globally to private and public sector networks, so the question is: how can we harden our networks against malicious attacks?
In this blog, we’ll focus on the multiple layers of product security architecture and implementation. We’ll discuss Industrial IoT network devices, such as routers and switches, and the hardening requirements that mitigate security risks, particularly against actors intent on data breaches and software intrusion.
Malicious attacks, as noted above, are not limited to consumer IoT devices. They also cause significant disruption and financial consequences for businesses and services. Just a few months ago, a plant in North Carolina lost valuable production time when hackers deployed corrupted software [North-Carolina] designed to disrupt its production and force a payoff. Such attacks are one of the main drivers of data breaches, as estimated in the 2017 Cost of Data Breach Study [Ponemon].
Industrial IoT network designers must integrate device and platform integrity – access control policies, threat detection and mitigation capabilities on routers, switches and wireless access points deployed in plants or outdoor locations – to protect end devices against attacks. Failing to address these key considerations may allow an attacker to gain access to industrial IoT network equipment, paving the way for data breaches or attacks against the rest of the infrastructure. We saw this happen in [Ireland].
As discussed in Cisco Trustworthy Systems At-a-Glance [CTS-AAG], the threat landscape has evolved, and it is critical that networks be protected from malevolent attacks and from counterfeit and tampered products. While product security and security management technologies spread across all layers of the Open Systems Interconnection (OSI) model, device hardening is an initial — and mandatory — component of trustworthy systems that helps prevent several types of threats, such as:
- Device hardware changes and rogue devices – Closes the open door to foreign control of devices joining the network, and prevents the insertion of counterfeit equipment that would cause abnormal behavior.
- Device software changes – Thwarts data exfiltration by malicious software.
- Unauthorized user access – Prevents unauthorized users from gaining privileged access to the devices and the network.
- Unauthorized network access – Prevents a network device from being compromised, covering everything from data sniffing to data exfiltration, scanning and reconnaissance of networked devices, and man-in-the-middle (MITM) attacks, in which the attacker secretly relays or alters communication between two parties who believe they are communicating directly with each other.
- DDoS through network protocols – Inhibits incoming floods of data that delay the processing of valid traffic, and modification of control-plane protocol behavior, e.g. IPv4 ARP and DHCP attacks that subvert the host initialization process, routing attacks that disrupt or redirect traffic flows, Layer 3–Layer 4 spoofing that masks the intent or origin of the traffic, and header manipulation and fragmentation that evade or overwhelm the network (e.g. the Smurf attack or broadcast amplification).
- Malware infiltrating applications – From viruses to exploitation of an application’s protocol, malicious data may lead to data exfiltration, DDoS or data corruption (e.g. ransomware and Spectre). With the emergence of Fog and Edge computing, network devices hosting applications may face both network-level and application-level threats.
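The ARP and DHCP attacks listed above are the kind of control-plane threat that a switch can detect by checking every ARP reply on an untrusted port against the IP-to-MAC bindings it already knows (what DHCP snooping and Dynamic ARP Inspection do on Cisco platforms). The following Go program is an added example, not code from the original post or from Cisco; it models that check over a constructed binding table and a constructed sequence of ARP replies, with port names, addresses and MACs chosen for illustration only.

```go
package main

import "fmt"

// ArpReply is one ARP reply as a switch would see it on an ingress port.
// Every value used in this file is constructed sample data, not captured traffic.
type ArpReply struct {
	Port      string
	SenderIP  string
	SenderMAC string
}

// Binding ties an IP to the MAC and port it was learned on, modelled on the
// DHCP snooping binding table that Dynamic ARP Inspection consults.
type Binding struct {
	MAC  string
	Port string
}

// Alert describes an ARP reply that contradicts the binding table.
type Alert struct {
	IP       string
	Expected Binding
	Observed Binding
}

func (a Alert) String() string {
	return fmt.Sprintf("ARP conflict for %s: bound to %s on %s, reply claims %s on %s",
		a.IP, a.Expected.MAC, a.Expected.Port, a.Observed.MAC, a.Observed.Port)
}

// Inspector holds the binding table and the set of trusted ports (uplinks and
// DHCP server ports), whose ARP traffic is not inspected.
type Inspector struct {
	bindings map[string]Binding
	trusted  map[string]bool
}

func NewInspector(trustedPorts []string) *Inspector {
	in := &Inspector{bindings: map[string]Binding{}, trusted: map[string]bool{}}
	for _, p := range trustedPorts {
		in.trusted[p] = true
	}
	return in
}

// Learn installs a binding, as DHCP snooping would when a lease is granted
// (or as a static entry for a host such as the gateway).
func (in *Inspector) Learn(ip, mac, port string) {
	in.bindings[ip] = Binding{MAC: mac, Port: port}
}

// Inspect returns nil for a consistent reply. Replies on trusted ports pass;
// replies on untrusted ports must match the binding for their sender IP, and a
// sender IP with no binding at all is reported as well.
func (in *Inspector) Inspect(r ArpReply) *Alert {
	if in.trusted[r.Port] {
		return nil
	}
	observed := Binding{MAC: r.SenderMAC, Port: r.Port}
	b, ok := in.bindings[r.SenderIP]
	if !ok {
		return &Alert{IP: r.SenderIP, Expected: Binding{MAC: "(none)", Port: "(none)"}, Observed: observed}
	}
	if b.MAC != r.SenderMAC || b.Port != r.Port {
		return &Alert{IP: r.SenderIP, Expected: b, Observed: observed}
	}
	return nil
}

// InspectAll runs Inspect over a sequence of replies and collects the alerts.
func (in *Inspector) InspectAll(replies []ArpReply) []Alert {
	var alerts []Alert
	for _, r := range replies {
		if a := in.Inspect(r); a != nil {
			alerts = append(alerts, *a)
		}
	}
	return alerts
}

// NewSampleInspector builds an inspector with a constructed binding table:
// the gateway as a static entry on the trusted uplink, plus two DHCP leases.
func NewSampleInspector() *Inspector {
	in := NewInspector([]string{"Gi1/0/1"})
	in.Learn("10.0.0.1", "00:11:22:33:44:01", "Gi1/0/1")
	in.Learn("10.0.0.50", "00:11:22:33:44:50", "Gi1/0/5")
	in.Learn("10.0.0.60", "00:11:22:33:44:60", "Gi1/0/6")
	return in
}

// SampleReplies is a constructed sequence: two legitimate replies, then a host
// on Gi1/0/7 claiming the gateway's address, then a reply for an address that
// never obtained a lease.
func SampleReplies() []ArpReply {
	return []ArpReply{
		{Port: "Gi1/0/1", SenderIP: "10.0.0.1", SenderMAC: "00:11:22:33:44:01"},
		{Port: "Gi1/0/5", SenderIP: "10.0.0.50", SenderMAC: "00:11:22:33:44:50"},
		{Port: "Gi1/0/7", SenderIP: "10.0.0.1", SenderMAC: "00:11:22:33:44:77"},
		{Port: "Gi1/0/8", SenderIP: "10.0.0.99", SenderMAC: "00:11:22:33:44:99"},
	}
}

func main() {
	in := NewSampleInspector()
	for _, a := range in.InspectAll(SampleReplies()) {
		fmt.Println(a)
	}
}
```

Running it reports two conflicts: the reply on Gi1/0/7 that claims the gateway's IP with a different MAC on a different port, and the reply for 10.0.0.99, which has no lease. The design point is that the binding table is populated only from trusted sources (DHCP snooping on trusted ports or static entries), so a host on an access port cannot talk its way into the table.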
This is what IIoT network and device security looks like
The Cisco Industrial IoT portfolio starts from the initial design of a product, as documented in the Cisco Secure Development Lifecycle [CSDL]. Each hardware platform embeds an ACT2 chipset, a Secure Unique Device Identity (SUDI) compliant with IEEE 802.1AR that contains product identity information and an X.509 certificate chain provisioned at manufacturing. The installed certificate provides an anchor of trust for the boot chain, enabling detection and recovery of boot code integrity as shown in Figure 1.
Software integrity against any backdoor image modification is achieved through image signing and Secure Boot support, with characteristics such as:
- Golden bootloader images are always stored on permanent read-only boot flash that is encapsulated in epoxy and carries a signed tamper-evident label.
- FPGA bootloader images are signed so they can be validated by Cisco Secure Boot using certificates burnt into ACT2.
This system protects the boot sequence against changes to the boot order, booting from an alternate device, bypassing the integrity check, or adding persistent code. Each step of the software boot, as shown in Figure 2, is authenticated by the previous stage to ensure integrity all the way through the system.
Finally, once the device has booted, its integrity may be validated as documented in Cisco IOS Software Integrity Assurance [CSIA], although some commands vary by platform.
The next step is to harden the functionality of the software configuration, following recommendations from Cisco IOS hardening guidance, to protect user access and the network control plane.
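The chain of authentication described above (a hardware-anchored key validates the first stage, and each stage carries the key that validates the next) can be shown in a few dozen lines. The Go program below is an added example, not Cisco's Secure Boot implementation and not code from the original post. It assumes a simplified model: each stage is signed over its image plus the public key it hands forward, the first verification key stands in for the certificate burnt into ACT2, and the stage names and image contents are constructed placeholders. It also shows the failure mode the text cares about: flipping one byte of a middle stage is caught at exactly that stage, and a chain built against a different anchor is rejected at the first stage.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Stage is one link of the boot chain: the code that runs, the public key it
// carries for validating the next stage, and a signature over both made with
// the key that the previous stage (or the hardware anchor) trusts.
type Stage struct {
	Name    string
	Image   []byte
	NextKey []byte // PKIX-encoded public key of the next stage's signer; empty for the last stage
	Sig     []byte // ASN.1 ECDSA signature over Digest()
}

// Digest binds the name, the image and the forwarded key into one hash, so
// none of them can be swapped without invalidating the signature.
func (s Stage) Digest() []byte {
	h := sha256.New()
	h.Write([]byte(s.Name))
	h.Write(s.Image)
	h.Write(s.NextKey)
	return h.Sum(nil)
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func pkix(pub *ecdsa.PublicKey) []byte {
	b, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		panic(err)
	}
	return b
}

// BuildChain signs the images in order with freshly generated keys (standing in
// for the vendor's signing keys). The first signer's public key is the anchor;
// every later verification key travels inside the preceding stage.
func BuildChain(names []string, images [][]byte) (anchor []byte, chain []Stage) {
	signers := make([]*ecdsa.PrivateKey, len(images))
	for i := range signers {
		signers[i] = newKey()
	}
	chain = make([]Stage, len(images))
	for i := range images {
		st := Stage{Name: names[i], Image: images[i]}
		if i+1 < len(images) {
			st.NextKey = pkix(&signers[i+1].PublicKey)
		}
		sig, err := ecdsa.SignASN1(rand.Reader, signers[i], st.Digest())
		if err != nil {
			panic(err)
		}
		st.Sig = sig
		chain[i] = st
	}
	return pkix(&signers[0].PublicKey), chain
}

// VerifyChain walks the chain from the anchor and returns the index of the
// first stage that fails verification, or -1 when every stage is authentic.
func VerifyChain(anchor []byte, chain []Stage) int {
	key := anchor
	for i, st := range chain {
		parsed, err := x509.ParsePKIXPublicKey(key)
		if err != nil {
			return i
		}
		pub, ok := parsed.(*ecdsa.PublicKey)
		if !ok || !ecdsa.VerifyASN1(pub, st.Digest(), st.Sig) {
			return i
		}
		key = st.NextKey
	}
	return -1
}

// Tamper returns a copy of the chain with one byte of the named stage's image
// flipped, simulating a persistent modification of that image on flash.
func Tamper(chain []Stage, name string) []Stage {
	out := make([]Stage, len(chain))
	copy(out, chain)
	for i := range out {
		if out[i].Name == name {
			img := append([]byte(nil), out[i].Image...)
			img[0] ^= 0xff
			out[i].Image = img
		}
	}
	return out
}

// SampleChain builds a three-stage chain from constructed placeholder images.
func SampleChain() ([]byte, []Stage) {
	return BuildChain(
		[]string{"bootloader", "fpga-bootloader", "os-image"},
		[][]byte{[]byte("bootloader code"), []byte("FPGA bootloader code"), []byte("OS image payload")},
	)
}

func main() {
	anchor, chain := SampleChain()
	fmt.Println("clean chain, first failing stage:", VerifyChain(anchor, chain))
	fmt.Println("tampered FPGA stage, first failing stage:", VerifyChain(anchor, Tamper(chain, "fpga-bootloader")))
}
```

The property worth noticing is that the verifier at each step never needs more than the key it received from the step before, so the only secret that must be protected on the device is the anchor, which is why the text puts it in read-only, epoxy-encapsulated hardware.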
The important take away is that we can’t always be perfect. “You protect against what you know, and mitigate the risk against what you don’t know.”
Let us know the problems your organization is facing. Feel free to share your thoughts in the comments below.