Once every few years I decide to head to Hannover and attend Hannover Messe, probably the largest industrial trade fair in Germany and apparently on of the most important in the world. As this year’s main topic was “Industrie 4.0” I simply could not resist to go out on a hunt for new and interesting (secure) smart connected magic! And trust me, I was not disappointed – here’s a few of my impressions.
It seems industry has decided to start connecting every “dumb” device and to make them all smart: the smart circuit breaker (German: Sicherungsautomat). Surely the idea of adding sensors to a circuit breaker to fingerprint and analyze errors in large electric circuits does make sense and is most valid. The interesting aspect now is the fact that the circuit breaker also has an up-link. A technician is able to log into the circuit breaker, check the sensor data and, well, reset the circuit when/after the breaker opened it. How? – A webserver on a gadget attached directly to the circuit breaker and then connected via LAN, WiFi, Bluetooth or the “cloud”.
“Cloud” as an Interface
While cloud is often associated with data processing and storage, the core aspect in Industrie 4.0 rather seems to be connectivity. As the sensors and actors are placed in a highly decentralized manner and might not have a public IP addresses, they simply connect to the cloud, or basically a central server which is nowadays called “cloud”. The client, often a smart phone app, also connects to the cloud and is then able to communicate with the actual device. Even though this cloud might not process any data i’s security is still highly critical – if you manage to get access to this backend/cloud, you control the devices. Whereas awhile back everybody seemed to be setting up their own cloud and own platform, from what I’ve seen yesterday, small vendors/manufacturers have decided to only implement connectivity and leave the cloud service to other (specialized) companies. Which surely is a valid approach, as electronic engineering companies do not have experience with running back-end server systems. Sadly, they’re also still making the same old mistakes with their small smart devices.
Direct LAN / WiFi Access
Usually when you go for a stroll through one of the booths, you’ll find large tables or walls full of devices and quite some buzzword-heavy descriptions next to them. For all devices I had a look at the vendors claimed to support things like encryption, TLS, VPN, IPSec and authentication. Thing is: I myself (and probably most of you) do not trust such descriptions, so let’s have a closer look. For me the closer look was a simple peek at the browser’s address line: Not a single web interface I saw was opened via an encrypted connection. As such every single device was accessible via plain HTTP. I have to admit, yes, all devices were only setup for demonstrative use, but isn’t it sad that companies will not actually present their applied security? An unfair/harsh explanation might be the fact that they did not want visitors to see any SSL warnings due to invalid or unknown certificates. Or did they maybe just not think it was not so interesting or important?
Quite a few vendors/manufacturers have started adding Bluetooth Low Energy interfaces to their devices. These on the one hand can be used for controlling the devices and on the other hand for diagnosis purposes. One example I saw yesterday consisted of an embedded device and an arbitrary app. When pairing the two a display on the device presented a six digit code while the app showed a message like “Please enter code. This typically is 0000 or 9999.”. It is just hard to say if the default codes are a relict from past times or a hint towards other product ranges.
One thing all implementations had in common was the fact that they seemingly had no further security applied (at least that was the response when I asked). As we have already seen a few times and also fellow TROOPERs have shown, you can not simply rely on Bluetooth security.
Human Machine Interfaces
Another typical and classical way of controlling industrial devices are HMIs. Most of the HMIs I saw yesterday where simple embedded platforms running Windows with a touch screen. Depending on the manufacturer they either ran a dedicated piece of software or a web-browser. Here, yet again, old flaws come into the game: When accidentally swiping from right to left Windows presented it’s on-screen keyboard and, well, a system running as administrator. By the way, these were the systems talking to the actual device via HTTP. At least most systems seemed to be running a current version of Windows and nothing Windows XP based as I’ve seen in the past.
Security and Safety
Looking at the variety of products & their features, and taking into account all the chats and discussions I had yesterday, it seems industry has recognized that security is crucial. What I also noticed is that there seem to be two main motivations for adding connectivity. The first one is an overall concept in which the new features are used to optimize and further automate processes, the second one is the certainty that the customers want just these features. This sadly results in half-baked security concepts. It is a fact that safety is industry’s rule number one and it has to be. It is also a fact that many people would love to roam their production plant just with a tablet PC and be able to do and see everything. So what happens if safety critical components (sensors, emergency off-switches) are extended with smart interfaces? Read only is only good until you find the first vulnerability!
All in All,
smart stuff is on the move! Industry knows they have to do something but we will need to offer them a helping hand!
Just because one uses arbitrary RF communication, it doesn’t mean that it’s secure 🙂