Many industrial IoT systems have open doors that create unintended vulnerabilities.
What information could be exposed by open communications protocols? How do hackers identify vulnerable systems? What security resources are available? How do IoT firewalls protect against such threats?
TCP Port 502 vulnerabilities
Many industrial systems use TCP port 502, which allows two hosts to establish a connection and exchange streams of data. TCP guarantees that the data sent to port 502 is delivered, and delivered in the same order in which it was sent. The risk is that a remote attacker can install arbitrary firmware updates by sending Modbus function code 125 to TCP port 502. Scans from services such as Shodan identify systems with an open TCP port 502 that could be vulnerable.
Security auditing firms such as Splone identify threats with scans and other penetration-testing techniques in order to propose counter-measures. A scan returns the host’s IP address, its open ports, the country, the vendor, the product and the firmware version, for example:
xxx.xxx.xxx.xxx: Schneider Electric BMX P34 2020 /v2.5
Securing the Modbus communication protocol
Downtime is extremely costly when it comes to Industrial Control Systems (ICS), HVAC equipment and refrigeration systems. Such industrial Internet of Things (IoT) systems are especially vulnerable because they’re deployed in a factory but communicate with external cloud-based IoT services. The use of multiple protocols and delegated administrative rights adds to the security concerns.
Modbus is a serial communications protocol originally published by Modicon (now Schneider Electric) in 1979 for use with its programmable logic controllers (PLCs). Simple and robust, it has since become a de facto standard communications protocol and is now a commonly available means of connecting industrial electronic devices. Modbus is widely used and was developed with industrial applications in mind. It’s easy to deploy and moves raw bits with few restrictions.
The danger with Modbus is that when TCP/IP packets are inspected only for their source IP address, they look harmless; the function code and data that decide what a packet does to a controller sit in the application-layer payload. What’s needed is deeper, application-layer inspection. Industrial devices rarely have much in the way of application-layer security of their own, so additional security is needed.
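The following is an added illustration of what that deeper inspection looks like in practice; it is not code from the article, from Barracuda or from any vendor. It parses the Modbus/TCP frames on a port 502 stream (the 7-byte MBAP header followed by the function code and data), rejects malformed frames, and applies an assumed zone policy: read-only function codes are allowed, anything else is denied, and function code 125, the firmware-update code the article names, raises an alert. The sample traffic is constructed here for the demonstration, not taken from a real capture, and the read-only allowlist is an assumption about the zone, not a standard.

```python
"""Added illustration: application-layer inspection of Modbus/TCP traffic.

Not the article's or any vendor's code. The read-only allowlist below is an
assumed zone policy; function code 125 is the code the article names for
firmware updates.
"""
import struct
from dataclasses import dataclass
from typing import Iterator, List

MODBUS_TCP_PORT = 502
MBAP_LEN = 7                                 # transaction id, protocol id, length, unit id
FIRMWARE_UPDATE_CODE = 125                   # function code named in the article
READ_ONLY_CODES = frozenset({1, 2, 3, 4})    # assumed policy: only reads from outside the zone


@dataclass(frozen=True)
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


class MalformedFrame(ValueError):
    """Raised when bytes on port 502 do not form a valid Modbus/TCP frame."""


def parse_frame(payload: bytes) -> ModbusFrame:
    """Parse exactly one Modbus/TCP frame (MBAP header followed by a PDU)."""
    if len(payload) < MBAP_LEN + 1:
        raise MalformedFrame("shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:MBAP_LEN])
    if proto != 0:
        raise MalformedFrame(f"protocol id {proto} is not Modbus")
    # The length field counts unit id + function code + data: every byte after offset 6.
    if length != len(payload) - 6:
        raise MalformedFrame(f"length field {length} but {len(payload) - 6} bytes follow it")
    return ModbusFrame(tid, unit, payload[MBAP_LEN], payload[MBAP_LEN + 1:])


def split_stream(stream: bytes) -> Iterator[bytes]:
    """Yield individual frames from a TCP byte stream, delimited by each length field."""
    offset = 0
    while offset < len(stream):
        if len(stream) - offset < MBAP_LEN:
            yield stream[offset:]          # trailing fragment; parse_frame rejects it
            return
        length = struct.unpack(">H", stream[offset + 4:offset + 6])[0]
        end = offset + 6 + length          # always advances by at least 6 bytes
        yield stream[offset:end]
        offset = end


def verdict(payload: bytes, allowed=READ_ONLY_CODES) -> str:
    """Classify one frame: DROP (malformed), ALERT (firmware update), DENY (off-policy) or ALLOW."""
    try:
        frame = parse_frame(payload)
    except MalformedFrame as exc:
        return f"DROP malformed frame: {exc}"
    if frame.function_code == FIRMWARE_UPDATE_CODE:
        return f"ALERT unit {frame.unit_id}: function code 125 (firmware update) on port {MODBUS_TCP_PORT}"
    if frame.function_code not in allowed:
        return f"DENY unit {frame.unit_id}: function code {frame.function_code} not permitted from this zone"
    return f"ALLOW unit {frame.unit_id}: function code {frame.function_code}"


def inspect_stream(stream: bytes) -> List[str]:
    """Run the policy over every frame in a reassembled port 502 stream."""
    return [verdict(frame) for frame in split_stream(stream)]


def build_frame(tid: int, unit: int, function_code: int, data: bytes) -> bytes:
    """Assemble a frame; used here only to construct the sample traffic below."""
    pdu = bytes([function_code]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic for the demonstration, not a real capture.
SAMPLE_STREAM = (
    build_frame(1, 1, 3, struct.pack(">HH", 0, 10))        # read 10 holding registers
    + build_frame(2, 1, 5, struct.pack(">HH", 0, 0xFF00))  # write single coil
    + build_frame(3, 1, 125, b"\x00\x00")                  # function code 125
    + b"\x00\x04\x00\x01\x00\x02\x01\x03"                  # protocol id 1: not Modbus
)

if __name__ == "__main__":
    for line in inspect_stream(SAMPLE_STREAM):
        print(line)
```

Two design points matter for a device sitting in front of a PLC: frames are delimited by the MBAP length field rather than by TCP segment boundaries, because several Modbus requests often share one segment, and any frame whose length field disagrees with the bytes actually present is dropped rather than guessed at, since a parser that tolerates such frames can be made to see a different function code than the controller does.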
Barracuda NextGen Firewalls protect industrial IoT systems in addition to other corporate resources. They use a small Secure Connector appliance (FSC1) to connect remote devices with multiple uplinks. This also enables zone-based firewalling, Wi-Fi and VPN connectivity. Network traffic is backhauled to a Concentrator (FSAC) running at a central office or in the cloud where it is inspected for URL filtering, intrusion prevention (IPS), antivirus protection and application detection.
The approach minimizes the disruption to existing systems and offloads the security scanning to the cloud or another internal server. Firewall updates can be made over the network as new threats emerge.
Industrial IoT security resources
- The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT): ICS-CERT works to reduce risks within and across all critical infrastructure sectors by partnering with law enforcement agencies and the intelligence community and coordinating efforts among federal, state, local and tribal governments and control systems owners, operators and vendors. It collaborates with international and private sector Computer Emergency Response Teams (CERTs) to share control systems-related security incidents and mitigation measures.
- The Industrial Internet Consortium has developed a Security Framework with recommendations for securing industrial IoT devices that is available free of charge. “To avoid security hazards, especially as systems from different sectors interoperate and exploitation attempts are made in the gaps between them, it is important and urgent to build early consensus among the participants on IIoT security,” the consortium says.
- ScadaHacker provides security alerts and training on securing Industrial IoT systems.
Often, it just isn’t possible to secure all the doors to a building. A doorman that screens people coming in and out of the building can help. For industrial IoT systems, a doorman named Barracuda may be just what’s needed.
This article is published as part of the IDG Contributor Network.