Open Source: The IIoT Security You’re Looking For?

By Martin Keenan

With traditional IT-style approaches unable to scale cost-effectively, new approaches will be required as the volume of devices and applications increases exponentially.

As the Industrial Internet of Things (IioT) market continues to mature, new devices flood onto networks that also contain a host of legacy and early-generation devices. This combination is increasing the complexity of network traffic, as well as raising integration questions, forcing enterprises across the spectrum to reappraise the best security approaches, with open-source solutions increasingly coming to the fore.

IoT security has become one of the hot topics of today, with a Gartner report predicting a total market value of $3.1 billion by 2021. While there is an element of fear, uncertainty and doubt to some of the more doom-laden predictions, the fact is that IIoT security presents some significant challenges.

OT Plus IT: A Heady Mix
In just one example, a study from  Trend Micro, in association with  Politecnico di Milano, conducted in its Industry 4.0 lab, has identified a variety of methods by which attackers are able to leverage unconventional new attack vectors to sabotage smart manufacturing environments. The security firm highlights two key problems. Firstly, IIoT systems were originally designed to be isolated from traditional IT infrastructure, so network trust is high and there are few integrity checks. Secondly, many IIoT platforms utilize proprietary languages that, while more niche than widespread languages, can still be effectively exploited to input malicious code, traverse through the network or steal confidential information.

That increasing erosion of IIoT isolation is, indeed, at the heart of the next wave of IIoT security concerns. As OT and IT systems are integrated more widely, those underlying security issues will be enhanced. There is also a significant issue with regard to legacy systems—the simple fact is that many pilot projects and early-adopter enterprises did not have security at the forefront of their thinking.

LoRaWan: Pros and Cons
The LoRaWan protocol has been widely deployed across the globe in applications ranging from IIoT climate-control systems to smart meters and asset tracking. As a non-cellular protocol, it has been popular; there are approximately 142 countries with LoRaWAN deployments and 121 network operators in 58 countries, with around 100 million LoRaWAN-connected devices online, a figure projected to hit 730 million or more by 2023.

However, a  recent study released by IOActive found that the root keys used for encrypting communications between LoRaWAN smart devices, gateways and network servers are often poorly protected and easily obtainable through several common hacking methods. The researchers found that many deployments simply used default keys in their enthusiasm to test out the technology, leaving the door open.

Moreover, another core issue with LoRaWAN is managing security revisions—a particularly problematic question throughout the IIoT, due to power limitations and access difficulties. In the case of LoRaWAN, 1.0.3 devices can't be updated to version 1.1 due to hardware limitations, locking an entire generation of devices into outdated software. This is something that hackers are more than well aware of how to exploit.

Limitations of the PLC
Another specific battleground is the industrial programmable logic controller (PLC), which has been a core part of  industrial automation applications for decades. These were never built with security in mind, creating the difficult scenario of either updating the PLCs, creating open-source gateways to secure them or replacing them with custom IIoT devices.

Either option requires in-house developers or a third-party systems integrator to build something bespoke—that "something" being reliant on a wide range of software libraries used to program the devices. The gateway route has been explored by developers using the open-source Apache MyNewt, Apache's first RTOS built for systems too small to run Linux.

Open-Sourced Trust?
Of course, open-source technology is not entirely invulnerable to security flaws and vulnerabilities, as demonstrated by the recent Heartbleed security bug affecting OpenSSL. However, the open-source community is taking the initiative in many ways, perhaps most visibly in the shape of  Project Alvarium. Set up by the  Linux Foundation in October 2019, Alvarium is dedicated to building a data confidence fabric (DCF) to facilitate trust and confidence in data and applications spanning IIoT/IoT and traditional IT systems. The game plan is to collaborate on the baseline open-source framework and related APIs that bind together the various ingredients that constitute trust fabrics, as well as to define the algorithms that drive confidence scores.

The idea of introducing and quantifying trust in IIoT networks is not entirely new, but it does potentially offer a more scalable and robust solution than traditional IT approaches. Another leading light in developing IIoT trust frameworks is, of course, blockchain stalwart  IOTA, which has been pushing the adoption of its distributed ledger technology (DLT) for some years. Recent announcements include collaborating on the E.U.-funded  Dig_IT project to use DLT for increasing sustainability (via the IIoT) in the mining industry, as well as joining the  Eclipse Open-Source Foundation.

Future Values
Of course, the road of open source is littered with failures, as well as notable successes, and whether Project Alvarium and IOTA will thrive and prosper remains to be seen. However, it's increasingly clear that traditional IT-style approaches to IIoT security are not able to scale cost-effectively, and new approaches will be required as the sheer volume of devices and applications continues to increase exponentially. Open source also has the major inbuilt requirement of good collaboration between enterprises, a critical element in cementing the future of the IIoT.

Martin Keenan is the technical director at  Avnet Abacus, which assists and informs design engineers in the latest technological challenges, including designing for Industry 4.0 and Industrial IoT manufacturing.