Use software composition analysis to secure the industrial IoT

Earlier this year, botnets attacked networked security cameras, shining a light on the vulnerability concerns around industrial systems and the industrial IoT. As with any device connected to the internet, these types of devices have characteristics that make them a compelling target for botnet authors, as well as other types of malware. These devices typically have full-time, high-speed network connections, run embedded Linux, and lack monitoring systems and screens or logs that might alert a user to a hack. Additionally, many of these systems are designed for limited rollout, or come from a company that has paid limited attention to hardening or security. This combination of powerful networked systems with easy ability to be breached, allows for botnets to thrive. In the last few years, malware such as Mirai and Bashlite has taken advantage of vulnerabilities in these IoT devices, and these weaknesses should be kept in mind as the industry designs the next generation of IoT and IIoT devices.

The typical Linux system embedded in IIoT devices uses dozens to hundreds of open source packages. While these components are typically high quality, all software contains defects and, over time, vulnerabilities in these components are discovered and eventually taken advantage of. Many of these devices aren’t designed to be auto-updated and depend on software from commercial and open source organizations that have vulnerabilities discovered every few weeks to every few months.

It’s becoming a best practice to pay attention to a device’s software bill of materials, with special attention to components with known vulnerabilities as seen in places such as the National Vulnerability Database. For IIoT software providers, keeping track of the list of components used in the operating system as well as the application itself is a necessary precaution to stay ahead of malware authors — especially when implemented in tandem with a rigorous patching system.

The irony is that sometimes update systems can be used by malware authors to spread their malware. This occurs when secrets, such as hardcoded passwords, are shared across multiple devices or device families. Many current malware systems use this trivial vulnerability to spread themselves, but as this vector gets locked down, many are moving to taking advantage of common vulnerabilities — such as those seen in OpenSSL, Bash or shared commercial firmware, as seen in DVRs or camera boards.

Today, products and services are available that are designed to help IIoT system designers keep track of their use of open source and commercial dependencies, as well as get alerts when new vulnerabilities are discovered in the components they’re using. This allows them to create products that don’t contain known vulnerabilities when first shipped, and to stay on top of components as they age out when deployed in the field. This type of scanning and management software is known as software composition analysis software.

Developing and maintaining a software bill of materials, alongside ongoing monitoring and frequent patching, are two crucial steps IIoT software manufacturers need to take to ensure their products are safe from hackers. Software composition analysis software can help developers manage these requirements and ensure companies are shipping a device that respects the open source community, as well as protects the company’s users from attacks.

All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.