Cybersecurity is a many-pronged approach. From smart thermostats to the automated factories of Industry 4.0, today’s embedded systems require multiple layers of protection to prevent cyberattacks. These different layers are known as the cybersecurity stack.
As seen in the image above, a secure system relies on both hardware and software methods of cybersecurity.
The hardware layers range from Physical solutions, like tamper protection and fault tolerance to the Root of Trust, which includes key storage, crypto engines, and secure boot. Sitting on top of the hardware layers is the software portion of the stack. This includes Compartmentalization and Encryption, as well as Kernel- and Application-level solutions like, virus scanning and credentials management.
All of these layers are important to securing today’s embedded systems, however, as you can see there is a gaping hole between the hardware and software portions of the stack—and that hole is leaving our systems vulnerable to an endless number of cyberattacks.
Relying on software is insufficient
All software has bugs, including the cybersecurity software that is supposed to be protecting our systems.
This is proven day-after-day in the headlines, with cyberattacks like Stuxnet, Heartbleed, WannaCry, and Triton grabbing national attention. These attacks all occurred in the vulnerable software layers of the stack. And as long as the hole between the hardware and software layers remains, we will continue to see cyberattacks that exploit software vulnerabilities dominating the news cycle.
The bottom line is that systems, particularly those on the IIoT, are vulnerable. Companies operating with a traditional cybersecurity stack run the risk of incurring various, potentially catastrophic, costs, including financial losses, damage to brand reputation, and even physical harm to employees.
The IIoT is under attack
Recent history has proven that cyberattacks targeting IIoT aren’t just increasing in quantity, but in intensity as well. In the first six months of 2018, over 41% of all industrial control systems were attacked by malicious software at least once, according to a survey by Kaspersky Lab. That number is only growing, and it’s possible that very soon we will reach the point that organizations operating in the world of IIoT will be more likely to be attacked than not.
While the sheer number of these attacks is alarming enough, it is only the tip of the iceberg when it comes to IIoT’s cybersecurity problem—the next logical question is: how much damage can an attack cause?
A cyberattack’s bottom line
Let’s take a look at an cyberattack that occurred in March 2019. Norsk Hydro, a Norway-based aluminum and energy company, was hit with the LockerGoga ransomware attack that locked down its corporate network and halted production across its facilities.
Norsk chose not to pay the ransom and instead reported the attack to Norweigen authorities. Unfortunately, this meant that it took them over a month to return to full operations and as a result the company suffered significant financial costs due to reduced production. According to the Wall Street Journal, the attack cost the company an upwards of 550 million to 650 million Norwegian Kroner, or $61 million to $71 million.
Cybersecurity insurance isn’t a failsafe
With the prevalence of cyberattacks, cybersecurity insurance seems like a no-brainer.
The cybersecurity insurance market is projected to grow over 33% in the next four years, to a total value of over $16 billion. Some have even argued that companies don’t take their cybersecurity efforts as seriously as they should because the cost of an attack would be mitigated by an insurance payout.
However, not only does insurance do nothing to rehabilitate a brand’s reputation (the cost of which is incalculable, but inevitably significant), insurance payouts may not always cover the entirety of the loss incurred. For Norsk Hydro, their cybersecurity insurance only paid about $3.6 million of their total projected $71 million loss.
Financial loss only scratches the surface
Shockingly, financial loss and negative brand value are not the most serious repercussions of a cyberattack on IIoT. Attacks on industrial facilities have the potential to cause severe physical damage and potentially even result in loss of life.
For example, in 2014, a malicious attacker infiltrated a steel manufacturing facility in Germany. The attacker used spear phishing emails to target industrial operators and gain access to the plant network. From there, they were able to take over the plant’s industrial control systems and cause multiple components to fail—most notably causing a furnace to be shut down improperly. This resulted in massive physical damage and could have seriously endangered manufacturing workers.
Luckily, no one ended up getting hurt in this specific case. However, if our Industrial IoT systems remain vulnerable due to the existing hole in the cybersecurity stack, the next attack could have more dire consequences.
Securing the IIoT is possible
The good news is that there is a solution.
Let’s take another look at the cybersecurity stack mentioned earlier. Remember that hole that left the IIoT open to attacks? That’s exactly where Dover’s CoreGuard solution fits in.
CoreGuard lives in the Enforcement layer of the cybersecurity stack and fills that gap between the hardware and software layers. It is the only solution that prevents the exploitation of software vulnerabilities and immunizes embedded systems against entire classes of network-based attacks. Because CoreGuard is specifically designed to protect against common categories of vulnerabilities (or CWEs) and not just individual vulnerabilities (or CVEs), CoreGuard can even prevent zero-day attacks.
Protection against cyberattacks like the one that hit Norsk Hydro requires a defense-in-depth approach. Relying on software-only solutions is actually leaving our industrial facilities even more vulnerable to these types of attacks. IIoT needs to fill the Enforcement layer of the stack to protect their brand value, reduce the risk of financial losses due to an attack, and ensure the safety of their facilities, as well as their employees.
To learn more about the cybersecurity stack, download our white paper: The Cybersecurity Stack: How to Secure Embedded Systems with a Defense-in-Depth Approach.