Greetings and welcome back. This week we begin a new series on IIoT Cybersecurity through Supply Chain Management. Cybersecurity is no longer an option for any company, especially if your organization is covered under one or more of the specific pieces of security legislation. Until now, most organizations have accepted the fact that they must simply “accept equipment as it exists” and do the best they can to mitigate cybersecurity flaws in the equipment they purchase.
It is clear that virtually every kind of device that is a part of the Industrial Internet of Things (IIoT) incorporates communications that are vulnerable to a cyber attack. The key protocols used and specific vulnerabilities can be found below with links to peer-reviewed vulnerability research papers:
- Modbus – contains NO security whatsoever.
- BACnet – contains minimal to modest security.
- SNMP – contains minimal to modest security.
Virtually all Power, HVAC, Security and Fire/Life Safety systems use one of these protocols for continuous monitoring/management. Once they are placed on your network, there will at some point be a cross-connect between the network on which these systems are located and the Internet. If you or anyone in your organization can remotely connect to any of these systems over the Internet, then they are part of the Industrial Internet of Things.
It can be stated clearly that all IIoT systems which use either Modbus, BACnet or SNMP are vulnerable to a cyber attack. With the understanding that your systems can be hacked and used as a weapon against you, it is then critical to formulate a plan to mitigate your risks. Fortunately, the National Institute of Standards and Technology (NIST) has created an excellent Guide for Cyber Supply Chain Risk Management for all purchasers of IIoT systems. We will be looking at this short but excellent document and expanding on key tasks that every purchaser of IIoT systems can do to protect their organization.
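To make the “no security whatsoever” point concrete, here is an added example (not from the original post, and not NIST’s or any vendor’s code). It parses a Modbus/TCP request, whose header carries nothing that identifies or authenticates the sender, and then applies the only control that is left to the buyer: flagging write commands that arrive from hosts outside an allow-list. The packets and the subnet 10.0.5.0/24 are constructed for the example.

```python
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Function codes that change process state. Nothing in a Modbus frame proves
# who sent it, so a device accepts these from any host that can reach it.
WRITE_FUNCTION_CODES = {5, 6, 15, 16, 22, 23}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse a Modbus/TCP ADU: 7-byte MBAP header, then the PDU.

    MBAP = transaction id (2), protocol id (2, always 0), length (2), unit id (1).
    Note the absence of any credential, nonce or signature field.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(frame) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(tid, unit, frame[7], frame[8:])


def flag_unexpected_writes(packets, allowed_writers):
    """Return (source_ip, unit_id, function_code) for writes from non-allow-listed hosts.

    packets: iterable of (source_ip, raw_frame); allowed_writers: CIDR strings
    naming the hosts that are supposed to issue writes (e.g. the BMS server).
    """
    nets = [ip_network(n) for n in allowed_writers]
    alerts = []
    for src, frame in packets:
        try:
            req = parse_modbus_tcp(frame)
        except ValueError:
            continue  # malformed frame; out of scope for this check
        if req.function_code in WRITE_FUNCTION_CODES and not any(
            ip_address(src) in n for n in nets
        ):
            alerts.append((src, req.unit_id, req.function_code))
    return alerts


# Constructed sample traffic (hypothetical addresses, not a real capture).
ALLOWED_WRITERS = ["10.0.5.0/24"]  # assumed building-management subnet
SAMPLE_PACKETS = [
    ("10.0.5.20", bytes.fromhex("00010000000601030000000a")),    # FC3 read, BMS server
    ("10.0.5.20", bytes.fromhex("0002000000060106001000ff")),    # FC6 write, BMS server
    ("192.168.77.9", bytes.fromhex("000300000006010600100000")), # FC6 write, unexpected host
]

if __name__ == "__main__":
    for alert in flag_unexpected_writes(SAMPLE_PACKETS, ALLOWED_WRITERS):
        print("unexpected Modbus write:", alert)
```

Because the protocol offers no way to reject the third packet on its own, this network-level check (or an equivalent firewall rule between the IIoT segment and everything else) is the kind of compensating control a vendor should be asked to document.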
In today’s blog, we will focus on the first and most important point from this document:
“Develop Your Defenses Based on the Principle That Your Systems WILL Be Breached.”
As the NIST document points out, this very principle changes the game because it ensures that you must take proactive steps within your supply chain. The first and most important step is to request that each vendor provide the following information:
- What communications does this unit provide?
- What protocols are used in this unit's communications?
- What security are you providing to mitigate the security weaknesses of Modbus, BACnet and SNMP?
The important thing is that, by using the NIST’s standards, you are able to place the cybersecurity responsibility for every piece of IIoT equipment squarely on the backs of the vendors who supply this equipment. It is no longer acceptable in today’s cyber-risk environment for a vendor to ship you a system with vulnerable communications and expect you to be solely responsible for securing that system.
Please think about these short but powerful rules that NIST has created. We would be happy to discuss how we can work with your vendors in your efforts to ensure that all your IIoT systems are secured against hackers.
Until Next Time,