Industrial IoT: Firmware Loopholes Are an Unpredictable Risk

Market for IIoT set to multiply – IP-based systems have been the focus of hackers for some time now

Bad Homburg v.d.H., July 27th, 2021 – As more and more manufacturing and production facilities are integrated into an IT infrastructure, the market continues to be on the rise thanks to the general increase in digitalization and automation. According to a market study conducted by IoT Analytics, global spending on the Industrial Internet of Things platforms for the manufacturing industry will increase significantly. Growth of 24 percent is expected in 2021, and 26.7 percent in subsequent years. In 2020, a total of $128.9 billion was spent on IIoT equipment. “As investments pontificate, so does risk. Unlike PCs in the network, IIoT devices are implemented with significantly less risk awareness,” explains Florian Lukavsky, IoT expert and managing director of IoT Inspector. The security platform analyzes the firmware of IoT devices and has already published many advisories for concerned manufacturers in the past. Random sampling has revealed serious security vulnerabilities in nine out of ten devices – ranging from routers to printers and even production machines that are integrated into manufacturing facilities.

Stuxnet was just the beginning

The Stuxnet worm was first identified in 2010. At that time, it had already infected a number of industrial plants around the world. Among them was the Iranian nuclear power plant Bushehr. It was not until July 2021 that a new, undefined incident occurred there, which led to the power plant being taken offline. “Stuxnet was an appetizer. There are more than just suspicions that such attacks will spread massively with the growth of IoT technology. Security auditing according to established guidelines is therefore essential,” insists Florian Lukavsky of IoT Inspector. The company has one of the largest platforms for the in-depth inspection of factory-installed device software, known as firmware, in terms of security vulnerabilities. A common problem here is that production computers and other IoT devices often contain OEM technology from numerous third-party manufacturers. This means that the security vulnerability is often hidden and almost invisible to the company’s own IT department, unless a thorough firmware analysis is carried out.

VDMA: Downtime threatens existence

Production plants can easily come to a complete standstill for four to six weeks if a hacker compromises the firmware by exploiting its vulnerabilities. “With all the knock-on effects, this can take up to three quarters of a year. In the end, the company will no longer look the same as it did before,” says Steffen Zimmermann of the VDMA* (German Engineering Federation). Ultimately, this makes any attack by a hacker an existential threat to a company. If the infection is introduced via a firmware vulnerability, the entire network must be shut down. This means that not only production but also administration become inoperative. Often, customers cannot even be informed, as access to CRM and ERP systems is similarly denied. Further digitization in the course of Industry 4.0 can therefore only take place if IT security is an inherent part of the process and integrated as early as the planning stage of industrial plants.

*Article in German