IoT and Security
Written by Harjyot Sethi
Table of Contents
Introduction
Critical Analysis
Literature Review
Conclusion
References
Introduction
Today, security for digital assets is being forced into the spotlight and analysed for weaknesses after a series of attacks, most recently those on Medibank and Optus. This is evident in every industry: telecommunications, manufacturing, automotive, banking and so on. These industries are developing their technology using the standards set by Industry 4.0. Industry 4.0, the fourth industrial revolution, is in simple terms the digitisation of industry driven by increased connectivity and automation. Every industry has been affected in some way. Take banking for example: credit determination and reporting, once a human process, has been completely automated, and a credit card application is now reviewed by a machine for conditional approval before any documents are checked. Artificial intelligence is emerging as a key player for these industries, and IoT is used in security applications. Because of this open network interconnectivity, the threat of cyberattacks has increased, and irrespective of the intention and intensity of an attack the manufacturer incurs financial losses, supply chain disruption and loss of reputation. One of the biggest fears for everyone is the theft of trade secrets. In this world of advanced interconnectivity, various sectors have adopted digital transformation of their real-world processes, the motto being to integrate the physical space with the digital space. Companies and organisations still focus on protecting their Operational Technology (OT) rather than their Information Technology (IT), even though the line between OT and IT is diminishing every day. Attackers are aware of this and exploit it as much as they can. Irrespective of the length, depth or intention of the attack, victims are forced to pay a high price to reinforce systems they thought were secure. Sectors such as manufacturing, banking and insurance are using IT on a large scale and promoting the use of technology to improve consumers' lives. Companies have started to outsource the process of identifying flaws in their systems. This leads many people to check for and report major and minor flaws, but some do so with malicious intent. Companies such as Allianz, Medibank, ANZ and CommBank collect personal information about their consumers such as name, date of birth, address and tax file number. This information uniquely identifies each consumer and should be treated with care, and companies do take considerable care to safeguard it. But because the information store is treated as OT rather than IT, it is the store itself that receives the most secure treatment, while the network connecting to that database may not. For example, the database may require a physical security key to gain access while the network does not. In that case an attacker who gains access to the network can steal information by listening to the packets exchanged between sender and receiver (eavesdropping, or, where the attacker interposes and alters traffic, a man-in-the-middle attack). This paper presents the solutions proposed by various authors and compares them against real-world scenarios, including the recent attacks on the telecommunications, insurance and banking sectors.
Critical Analysis
Paper: A mechanism for detection and prevention of cyberattacks on SECS/GEM communications in industry 4.0 landscape
This is a well written, logical and sequential paper that is vital to our research on detection, real-time defence and prevention of cyberattacks. It describes how the manufacturing sector is integrating sensors, microcontrollers, robotics and AI to speed up manufacturing and reduce human interaction, creating cyber-physical systems from IoT, cloud computing and robotics; it lays out the problems of this emerging cyberspace and shows the possible vulnerabilities in the automated processes being adopted by factories worldwide. It notes that the manufacturing industry focuses primarily on protecting its operational assets, with information technology assets a secondary priority, and that attackers use this knowledge to gain illegal access to manufacturing environments for reasons major and minor. This in turn leads manufacturers to incur heavy costs reinforcing an underdeveloped network, which affects the entire market. It also notes that cyberattacks are increasing day by day and creating problems for the sector: 48% of manufacturers have faced a cyber incident at some point according to the Engineering Employers' Federation, and cybercrime is estimated by Cybersecurity Ventures to cost $10.5 trillion a year by 2025, up from around $3 trillion in 2015. The paper also takes real-world examples into account, such as the malware attack on Taiwan Semiconductor Manufacturing Company (TSMC), which was hit by a variant of the WannaCry ransomware. WannaCry spread to more than 100 countries, affected more than 300,000 computers and carried its ransom note in 29 languages (source: CW). Attacks of this kind bring a factory to a screeching halt, because without access to its data it cannot conduct tests, create updated versions or assemble products. This was one of the biggest attacks on factories in history.
As factories race to adopt Industry 4.0, manufacturing units fail to, or cannot, update their security protocols. Laghari et al. address these problems and propose a system that adopts the Industry 4.0 model while providing adequate security for factories. The other IIoT protocols currently in use, which the paper surveys, are Message Queuing Telemetry Transport (MQTT), Open Platform Communications Unified Architecture (OPC UA), Constrained Application Protocol (CoAP) and Data Distribution Service (DDS). Laghari et al. conduct a literature review of the solutions offered by other authors and explain SECS/GEM in depth: its message types, connection states and communication processes. Section 4 deals with attacks on SECS/GEM, namely Denial of Service, replay and false data injection. Section 5 presents the proposed mechanism to address these issues, organised around five objectives for improving the SECS/GEM architecture. In summary, the paper identifies the security flaws in the protocol as currently used and proposes adequate fixes for them. We believe the paper is adequate for understanding the manufacturing sector and gives valuable insight into how the industry is falling behind on security measures and is uniquely vulnerable to cyberattacks.
Literature Review
Paper: A mechanism for detection and prevention of cyberattacks on SECS/GEM communications in industry 4.0 landscape
Industry 4.0 is gaining momentum in the manufacturing sector because it allows the automation of processes that then require little to no human interaction, reducing the cost of manufacturing and turning over a bigger profit margin. Laghari et al. write that "Industry 4.0 as a driving force is making huge strides, particularly in the manufacturing sector, where all integral components involved in the production processes are getting digitally interconnected." This statement shows how much traction Industry 4.0 is gaining in manufacturing. As the popular Spider-Man line goes, with great power comes great responsibility: with Industry 4.0 comes the responsibility of keeping the interconnected devices updated with the latest security patches, software updates and hardware updates, and of scanning them continuously for vulnerabilities. If that is not done, the entire system becomes susceptible to cyberattacks. Laghari et al. continue: "Fused with improved automation and robotics, machine learning, artificial intelligence, big data, cloud computing, and the Internet of Things (IoT), this open network interconnectivity makes industrial systems increasingly vulnerable to cyber-attacks. While the impacts and intentions of cyber-attacks vary, they always have a detrimental effect on manufacturers, including financial losses, supply chain disruption, loss of reputation and competitiveness, and theft of corporate secrets." A cyberattack on any scale, major or minor, can damage a manufacturer's ability to keep producing and cause financial loss, reputational loss and much more. Semiconductor Equipment Communication Standard/Generic Equipment Model (SECS/GEM) is a legacy protocol for machine-to-machine (M2M) communication used extensively in manufacturing, above all in semiconductor manufacturing.
It was designed for use mainly in a regulated factory environment isolated from external networks. Industry 4.0 has brought big changes to the manufacturing industry and brought SECS/GEM back into focus, because it lacks the security mechanisms needed to operate within IoT networks. For comparison, the paper surveys the protocols commonly used for IIoT communication: MQTT, OPC UA, CoAP and DDS. MQTT is the de facto IoT standard for M2M communication and offers an open, lightweight publish/subscribe model that works even under low-bandwidth, high-latency conditions. As a lightweight protocol it has no built-in encryption, so data sent over MQTT is plaintext unless the connection is wrapped in TLS, and adding that layer increases the load on an already constrained system. OPC UA, developed by the OPC Foundation, is the most widely used M2M communication standard. It was designed with security in mind and has a wide range of fundamental security features, alongside others such as heartbeats, buffering and binary transport. According to the paper, OPC UA offers seven security policies, two of which have been abandoned because of vulnerabilities, and of the remaining five only one provides adequate security; misconfigured OPC UA is vulnerable to port stealing, eavesdropping and similar attacks. CoAP is similar to MQTT in that it is a lightweight protocol for resource-constrained networks; it runs over UDP, follows the REST architecture and behaves like HTTP. DDS is an M2M protocol that, like MQTT, is based on the publish/subscribe model and is designed to give systems real-time transmission capability. DDS can run over either TCP or UDP, securing them with TLS on TCP or DTLS on UDP.
This is inherently resource-intensive as it is computationally heavy. Based on the above, we believe SECS/GEM as deployed in industry is not ready for Industry 4.0 and IoT integration, because it lacks security features it needs. The paper analyses the whole protocol and arrives at five objectives that must be met to make SECS/GEM ready for Industry 4.0. The paper also discusses the two message types, control messages and data messages. Control messages establish and maintain the connection between the host and the equipment; data messages carry the application-specific, real-time information about the industrial equipment. The SType header field distinguishes the two: a message whose SType is 0 is a data (SECS-II) message, and any non-zero SType marks a control message. The values are as follows:
Message         SType     Description
Data            0         Data (SECS-II) message
Select.req      1         Link establishment request
Select.rsp      2         Link establishment response
Deselect.req    3         End-of-link request
Deselect.rsp    4         End-of-link response
Linktest.req    5         Periodic heartbeat to verify the link
Linktest.rsp    6         Heartbeat response (link status)
Reject.req      7         Response to an unsupported or invalid message
(unused)        8         Unused
Separate.req    9         End the connection unilaterally, without a response
(unused)        10        Unused
(reserved)      11-127    Reserved for subsidiary standards
(reserved)      128-255   Reserved but unused
Table 1: SType values and descriptions
To understand how to attack SECS/GEM we also need to understand the connection states of HSMS (High-Speed SECS Message Services), the TCP/IP transport that carries SECS-II messages. There are two states, NOT CONNECTED and CONNECTED, and the names are self-explanatory. Once the TCP connection is established the entity enters the CONNECTED state in its NOT SELECTED sub-state and waits for a Select.req. When that request is received the entity moves to the SELECTED sub-state, which allows SECS-II data messages to be exchanged between the equipment and the host. With a few tweaks, namely source and message authentication using a public/private key pair, this model can be reused elsewhere. The drawback we have identified is that the connection is typically kept alive for days or weeks, which is fatal if an attacker holds it: the SELECTED state lets the attacker manipulate machinery and equipment whenever they choose. A heartbeat (SType values 5 and 6, Linktest.req/.rsp) verifies that the connection is still alive. To end the connection an entity uses SType values 3 and 4 (Deselect.req/.rsp) or value 9 (Separate.req); the difference is that Separate.req tears down the connection unilaterally without waiting for a response.
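The framing and connection states described above, as an added worked example in Python (written for this review; it is not code from the paper or from any SECS/GEM product): it encodes and decodes the 10-byte HSMS header with its 4-byte length prefix, classifies frames by SType (0 is data, anything else control), and runs the equipment side of the NOT SELECTED / SELECTED state machine so that a data message arriving before Select.req is rejected. The session ID, the placeholder body bytes and the exchange in run_session are constructed for the example; the Reject.req reason codes used (1 = SType not supported, 4 = entity not selected) are assumed from the HSMS standard.

```python
import struct
from enum import IntEnum

# HSMS header: Session ID (2), Header Byte 2, Header Byte 3, PType, SType,
# System Bytes (4). Each frame is preceded by a 4-byte big-endian length that
# counts the header plus any SECS-II body.
HEADER = struct.Struct(">HBBBBI")   # 10 bytes
LENGTH = struct.Struct(">I")

class SType(IntEnum):
    DATA = 0            # SECS-II data message
    SELECT_REQ = 1
    SELECT_RSP = 2
    DESELECT_REQ = 3
    DESELECT_RSP = 4
    LINKTEST_REQ = 5
    LINKTEST_RSP = 6
    REJECT_REQ = 7
    SEPARATE_REQ = 9

# Reject.req reason codes carried in Header Byte 3 (assumed from the standard)
REJECT_STYPE_UNSUPPORTED = 1
REJECT_NOT_SELECTED = 4

def build(session_id, stype, system_bytes, hb2=0, hb3=0, body=b""):
    """Encode one frame. Data messages carry W-bit|Stream in hb2 and Function
    in hb3; control messages use those bytes for status/reason codes."""
    header = HEADER.pack(session_id, hb2, hb3, 0, int(stype), system_bytes)
    return LENGTH.pack(len(header) + len(body)) + header + body

def parse(frame):
    """Decode one frame and classify it by SType: 0 is data, else control."""
    (length,) = LENGTH.unpack(frame[:4])
    if length < HEADER.size or length != len(frame) - 4:
        raise ValueError("length prefix does not match frame")
    session_id, hb2, hb3, ptype, stype, system_bytes = HEADER.unpack(frame[4:4 + HEADER.size])
    msg = {"session_id": session_id, "stype": stype, "system_bytes": system_bytes,
           "kind": "data" if stype == 0 else "control", "body": frame[4 + HEADER.size:]}
    if stype == 0:
        msg.update(w_bit=bool(hb2 & 0x80), stream=hb2 & 0x7F, function=hb3)
    else:
        msg["status"] = hb3
    return msg

class HsmsEquipment:
    """Passive (equipment) side of the HSMS connection state machine."""
    def __init__(self, session_id=0x0001):   # constructed session ID
        self.session_id = session_id
        self.state = "NOT CONNECTED"
        self.received_data = []

    def tcp_connected(self):
        self.state = "NOT SELECTED"          # CONNECTED, but no Select yet

    def handle(self, frame):
        """Process one inbound frame; return the reply frame, or None."""
        if self.state == "NOT CONNECTED":
            raise RuntimeError("no TCP connection")
        m = parse(frame)
        st, sb = m["stype"], m["system_bytes"]
        if st == SType.SELECT_REQ:
            self.state = "SELECTED"
            return build(self.session_id, SType.SELECT_RSP, sb, hb3=0)   # 0 = accepted
        if st == SType.LINKTEST_REQ:
            return build(self.session_id, SType.LINKTEST_RSP, sb)
        if st == SType.DESELECT_REQ:
            self.state = "NOT SELECTED"
            return build(self.session_id, SType.DESELECT_RSP, sb, hb3=0)
        if st == SType.SEPARATE_REQ:
            self.state = "NOT CONNECTED"     # unilateral: no response is sent
            return None
        if st == SType.DATA:
            if self.state != "SELECTED":
                return build(self.session_id, SType.REJECT_REQ, sb, hb3=REJECT_NOT_SELECTED)
            self.received_data.append((m["stream"], m["function"], m["body"]))
            return None
        return build(self.session_id, SType.REJECT_REQ, sb, hb3=REJECT_STYPE_UNSUPPORTED)

def run_session():
    """Constructed exchange: data before Select is rejected, after Select accepted."""
    eq = HsmsEquipment()
    eq.tcp_connected()
    sid = eq.session_id
    early = eq.handle(build(sid, SType.DATA, 1, hb2=0x81, hb3=13, body=b"S1F13"))  # placeholder body
    sel = eq.handle(build(sid, SType.SELECT_REQ, 2))
    hb = eq.handle(build(sid, SType.LINKTEST_REQ, 3))
    ok = eq.handle(build(sid, SType.DATA, 4, hb2=0x81, hb3=13, body=b"S1F13"))
    eq.handle(build(sid, SType.SEPARATE_REQ, 5))
    return {"early_reject": parse(early)["status"], "select_rsp": parse(sel)["stype"],
            "linktest_rsp": parse(hb)["stype"],
            "data_accepted": ok is None and len(eq.received_data) == 1,
            "final_state": eq.state}

if __name__ == "__main__":
    print(run_session())
```

Note that nothing in handle() checks who sent the frame: any peer on the network that can reach the TCP port and produce a well-formed header can drive this state machine, including a Separate.req that drops the connection without a reply, which is the gap the attacks in the next section exploit.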
To attack SECS/GEM, the attacker must be able to sniff the packets being sent and then carry out an appropriate attack. One way is to wait for a control message, reuse its SystemBytes value and change the SType value so that it becomes a different control message. Replies are issued immediately, so it is more favourable to wait for a reply message. Three attacks can be carried out in this setting: Denial of Service, replay and false data injection. In the DoS attack the attacker waits for a Linktest.req/.rsp exchange and then sends a Separate.req to both the equipment and the control host. The message is treated as legitimate because the protocol has no message verification. As industrial equipment is connected in sequence, the attacker can target various machines in turn to avoid suspicion. The result is devastating: production stops completely and it is hard to pinpoint the exact cause. The attacker can then immediately send a connection request to the equipment; since the equipment maintains only one HSMS connection at a time, it ignores the legitimate host's requests until the attacker decides to end the connection. This can cause large efficiency and financial losses not only in manufacturing but also, in our view, for healthcare equipment such as MRI, X-ray and CT scanners, which run on the hospital network and accept only one scan request at a time. Since HSMS runs over TCP, an attacker who knows TCP's weaknesses (for example, injecting a spoofed RST) can tear the connection down and open a new one themselves. The host, unaware of why the connection failed, tries to reconnect to the equipment and fails because the attacker already holds the connection.
Because the HSMS standard restricts an entity to processing one message at a time, the attacker can also send a very large message and overload equipment with limited processing capacity.
A replay attack occurs when an attacker monitors the ongoing communication, captures a message and replays it to the victim for dishonest purposes. Since the SystemBytes value increases monotonically, it is predictable, and because messages are transmitted in plaintext they are easy to read, modify and replay. This leaves SECS/GEM vulnerable to replay and false data injection attacks as well as DoS. The five objectives mentioned earlier for a more robust and secure system are: entity authentication; message integrity; detection and prevention of these attacks; a simple mechanism that does not alter the existing message/packet format; and performance evaluation in terms of processing time, control message overhead and resilience against attacks. To achieve the first objective they use a digital signature: the sender signs each message with its RSA private key (key size 2048 bits) and the receiver verifies it with the corresponding public key. Signing authenticates the sender and the message; it does not encrypt the message. For the second objective the message is hashed with SHA-256 and the hash is signed with RSA, which prevents forgery and lets the receiver filter messages on the updated SystemBytes value, which cannot be forged without the private key. The same mechanism achieves the third objective. For the fourth objective the signature is appended after the message rather than changing the header format, and the fifth objective is met by comparing the processing time and control message overhead of standard SECS/GEM against SECS/GEMsec. This style of solution allows similar models to be built for other industries that use protocols like SECS/GEM.
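As an added illustration of the Separate.req DoS and the replay attack above, and of the signature-and-SystemBytes countermeasure behind objectives one to three, the Python below is example code written for this review, not the SECS/GEMsec implementation. It substitutes an HMAC-SHA256 tag under a shared key (available in the standard library) for the paper's RSA-2048 signature; the receiver logic has the same shape either way: verify the tag over the whole frame, then require a strictly increasing SystemBytes before the message is acted on. The key, session ID, SystemBytes values and the S2F41 placeholder body are constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed shared key. It stands in for the paper's RSA-2048 private key;
# with real signatures the verifier would hold only the public key.
KEY = b"constructed-demo-key"
TAG_LEN = hashlib.sha256().digest_size

DATA, LINKTEST_REQ, SEPARATE_REQ = 0, 5, 9

def frame(stype, system_bytes, body=b"", session_id=1):
    """Minimal HSMS frame: 4-byte length + 10-byte header + optional body."""
    header = struct.pack(">HBBBBI", session_id, 0, 0, 0, stype, system_bytes)
    return struct.pack(">I", len(header) + len(body)) + header + body

def stype_of(f):
    return f[9]

def system_bytes_of(f):
    return struct.unpack(">I", f[10:14])[0]

def sign(f, key=KEY):
    """Sender side: append a tag over the whole frame (header + body), leaving
    the frame format itself untouched, as the paper's fourth objective asks."""
    return f + hmac.new(key, f, hashlib.sha256).digest()

class PlainEquipment:
    """Unauthenticated endpoint as the paper describes SECS/GEM today: any
    well-formed control message is acted on, whoever sent it."""
    def __init__(self):
        self.connected = True

    def receive(self, f):
        if stype_of(f) == SEPARATE_REQ:
            self.connected = False
            return "separated"
        return "ok"

class SignedEquipment(PlainEquipment):
    """Receiver with the added checks: verify the tag, then require SystemBytes
    to move strictly forward, and only then process the message."""
    def __init__(self, key=KEY):
        super().__init__()
        self.key = key
        self.last_system_bytes = 0

    def receive(self, signed):
        f, tag = signed[:-TAG_LEN], signed[-TAG_LEN:]
        expected = hmac.new(self.key, f, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "bad signature"             # forged or tampered frame
        sb = system_bytes_of(f)
        if sb <= self.last_system_bytes:
            return "replayed SystemBytes"      # captured earlier and resent
        self.last_system_bytes = sb
        return super().receive(f)

def demo():
    """Constructed scenario: the attacker sniffs a heartbeat, forges a
    Separate.req with the next SystemBytes value, then replays a captured
    command. Returns the outcome of each step."""
    results = {}
    # 1. Plain SECS/GEM: the forged Separate.req is accepted and the link drops.
    plain = PlainEquipment()
    heartbeat = frame(LINKTEST_REQ, 41)
    plain.receive(heartbeat)
    forged = frame(SEPARATE_REQ, system_bytes_of(heartbeat) + 1)
    results["plain_forgery"] = plain.receive(forged)
    results["plain_connected"] = plain.connected
    # 2. Signed: the same forgery carries no valid tag (attacker lacks the key).
    secure = SignedEquipment()
    secure.receive(sign(heartbeat))
    results["secure_forgery"] = secure.receive(forged + b"\x00" * TAG_LEN)
    # 3. Signed: a captured legitimate command replayed later is dropped because
    #    its SystemBytes is not newer than the last accepted value.
    command = sign(frame(DATA, 42, body=b"S2F41 remote command"))   # placeholder body
    results["secure_first"] = secure.receive(command)
    results["secure_replay"] = secure.receive(command)
    results["secure_connected"] = secure.connected
    # 4. A genuine, freshly signed Separate.req from the key holder still works.
    results["secure_legit"] = secure.receive(sign(frame(SEPARATE_REQ, 43)))
    return results

if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

Two caveats a practitioner should keep in mind. With an HMAC both ends hold the same secret, so a compromised equipment could forge host messages too; the paper's asymmetric signature avoids that and additionally gives non-repudiation. And in HSMS a reply echoes the SystemBytes of its request, so the freshness check has to be applied per direction to primary messages, and the last accepted value must survive a reconnect, otherwise an attacker who forces a reconnect (for instance with the TCP reset described above) gets a fresh window in which old captures replay cleanly.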
Conclusion
Manufacturing and other industries that use sensors and IoT face many cyber challenges. With Industry 4.0 taking the world by storm, attackers have new and more dangerous ways to disrupt businesses and end users, and with adoption comes the responsibility of keeping the interconnected devices updated with the latest security patches, software updates and hardware updates, and of scanning them continuously for vulnerabilities. To meet these challenges, various solutions have been outlined by various experts; many are practical and some are not. Adopters can implement them by introducing an additional layer of security that helps manufacturing and other sensor- and IoT-driven industries be better protected, while keeping units well connected, properly secured and running at maximum efficiency. To further that protection, everyone adopting Industry 4.0 and its standards must also be educated about the attacks they are susceptible to and must set an operational budget for protection and for recovery in case of an attack. This, combined with solutions tailored to their needs, will help adopters of Industry 4.0 overcome the challenges of the cyber space.
References
Laghari, S. U. A., Manickam, S., Al-Ani, A. K., Rehman, S. U., & Karuppayah, S. (2021). SECS/GEMsec: A Mechanism for Detection and Prevention of Cyber-Attacks on SECS/GEM Communications in Industry 4.0 Landscape. IEEE Access, 9, 154380-154394.