Research project with the US Department of Defense regarding cyber risks in industrial IoT gateways
Critical infrastructure industries receive particular attention whenever security is discussed. A current UL research project shows how the US military wants to protect these kinds of infrastructures and what role open source software plays.
Critical infrastructures are mostly systems that have evolved over time. They consist of control and automation systems that previously operated independently and are now increasingly being networked via the Internet. That makes them particularly prone to cyber attacks.
Particular care is therefore required in the use of third-party software such as open source software, software provided by suppliers, or code snippets taken from online sources. More than 80 percent of the software applications available today consist of open source components (1). For this reason, companies must pay special attention to their software supply chain management systems and processes in order to reduce the potential risk from third-party applications.
A project launched by DARPA shows how important the software-related security of critical infrastructure is. The Defense Advanced Research Projects Agency is a US agency that invests in national security-related research projects on behalf of the US Department of Defense. DARPA has an annual budget of about $3 billion and supports innovation in almost every field – from biology to microelectronics as well as unmanned aircraft.
Its tasks also include securing critical infrastructures such as hospitals or industrial systems, and advancing the cybersecurity of Internet-connected devices and medical devices. For this reason, at the end of 2016 DARPA commissioned UL to research the cybersecurity of IoT gateways for industrial control systems (ICS).
The contract spanned a period of nine months. “The cybersecurity team at UL has determined the main areas of an IoT gateway which affect the cybersecurity of an ICS, and has also analyzed the data that passes through the gateway to outside of the ICS,” reports Alexander Köhler, Business Development Manager at UL Cybersecurity.
To keep an overview of all requirements, the team focused on the entire IoT architecture – in other words, all microchip software, the components and the systems. “We conducted structured penetration tests and checked how systems access remote devices and how they process software updates,” Mr. Köhler explains.
UL was selected because it has over 20 years of experience in the security sector. For the US government, the company has already specified security standards for cryptographic engines and has collaborated on other security standards. For four years, UL has been analyzing the risks of Industry 4.0 systems in the automotive, factory automation, pharmaceutical and lighting industries in its Cyber Assurance Program (CAP).
Through this research, UL is able to recognize at an early stage in which direction IoT systems are developing. A significant part of this is consideration of the lifecycle. If, for example, an algorithm used in a product is compromised, it must be replaced. “So, a component supplier must keep an eye on the early development of a product and must define what happens when the components are used in specific systems,” explains Köhler.
That also means that, from now on, responsible IT managers need ongoing monitoring of their IoT landscape, including its processes, so that they can react when something changes in the IoT components or the security situation. “Here we are expecting a corresponding level of automation to manage IoT devices,” says Köhler.
In its tests, UL analyzed how patches for components and management software affect the security of IoT systems. “That is a part of our risk analysis; even updates must be cyber safe,” explains Köhler. Patch management is also covered by UL Standard 2900, which regulates how a component manufacturer must handle it.
This research activity makes clear why UL considers itself a global company in the field of security and risk science. “For us, the project with DARPA is recognition for the expertise of UL in the cybersecurity segment,” summarizes Köhler. “And it shows that our research is helping to fill Industry 4.0 with life.”
(1) “Protecting the open source software supply chain,” posted on GCN, https://gcn.com/Articles/2016/07/22/software-supply-chain.aspx.
UL supports companies in managing the challenges of Industry 4.0 by providing solutions that drive forward security, interoperability and efficiency.
Cyber attacks with large-scale effects will soon become a regular part of business life. In this environment, it is highly recommended to firmly entrench cybersecurity within the corporate culture and to establish continuous monitoring of the IoT landscape.