Practical Industrial Internet of Things Security

The IIoT digitally transforms industrial and enterprise operations by adding smarts and connectivity to machines, people, and processes. IIoT converges technical advancements in multiple areas, including:

IIoT is also interchangeably referred to as the Industrial Internet, a term originally coined by General Electric(GE). GE defines the Industrial Internet as (GE-IIoT) "the convergence of the global industrial system with the power of advanced computing, analytics, low-cost sensing and new levels of connectivity permitted by the internet."

GE's Industrial Internet refers to the third wave of innovation in industrial environments, the first two waves being the industrial revolution, followed by the Internet revolution, as shown in the following diagram:

Figure 1.1: Industrial Internet—the third wave of industrial innovation; Source: Adapted from https://www.i-scoop.eu/industry-4-0/

Industrie 4.0 is a digital transformation project that was launched (https://www.i-scoop.eu/industry-4-0/) by Germany in 2011 and widely referenced in Europe (ISP-4IR). It refers to connected cyber-physical systems (discussed later in this chapter). The Industrial Internet concept is comparable to the fourth revolution, as illustrated in figure 1.2.

Industrie 4.0 is primarily focused on the digital transformation of manufacturing by leveraging technologies such as big data/analytics and IoT. This transformation is catalyzed by the convergence of information technology (IT) and OT, robotics, data, artificial intelligence, and manufacturing processes to realize connected factories, smart decentralized manufacturing, self-optimizing systems, and the digital supply chain in the information-driven, cyber-physical environment of the fourth industrial revolution, sometimes called 4IR (ISP-IIoT):

Figure 1.2: Industrie 4.0 as the fourth Industry Revolution (4IR); Source: Partially adapted from DKFI 2011 www.dfki.de

According to top analyst firms, over the next decade, the number of connected machines is estimated to be in the order of tens of billions, while through accelerated productivity growth, the global gross domestic product (GDP) is estimated to expand in double digits. Increases in efficiency, data management, productivity, and safety are the core drivers for IIoT adoption.

Interestingly, this wave of digital transformation in various industry verticals is also a key driver for safety and security technologies in order to realize reliable systems and architectures.

The value of sensor-embedded connected devices took a giant leap with the ubiquity of smartphones. Hand-held mobile phones morphed from being just a data and voice communication device to a versatile commodity that assists in navigation, news, weather, health, and so on. The iPhone itself boasts of a number of sensors for proximity, motion/accelerometer, ambient light, moisture, a gyroscope, a compass, and so forth. Apple watch, Fitbit, Amazon Echo, and so on have heralded a whole new era of smart, personal wearables, along with ingestible and home controls, thus opening up entirely new market segments. These home and personal devices together are most commonly understood as the Internet of Things.

However, these same principles when applied at scale—in enterprises and industries—multiply both in terms of complexity and benefits. The Industrial Internet Consortium (IIC) was established in March 2014 with the mission to accelerate the industrial adoption of IoT, by creating standards to "connect objects, sensors and large computing systems." This formally delineated IIoT from consumer IoT, the latter being more focused on personal and home automation gadgets and appliances, and dealing with different security postures when compared to IIoT.

In this book, the term IIoT refers to scalable internet of things architectures that are applicable to enterprises across a wide variety of industry verticals, such as energy, water, farming, oil and gas, transportation, smart cities, healthcare, building automation and so on, and will be referred to by its short form, IIoT.

In many contexts, the use of the term IIoT is limited to being a connectivity enabler, just like the internet enabled the connection of computers. However, we look at IIoT as more than connectivity. It encompasses the entire industrial value chain, which involves embedded intelligence, network connectivity, harnessing big data, machine learning/AI, the smart supply chain, and advanced analytics-driven business insights.

A cyber-physical system (CPS) refers to any network-connected instrumentation that also interacts with the physical world. Consider the example of a thermostat that's connected to a data network. In the industrial context, a common example of a cyber-physical system is an industrial control systems or ICS. An ICS is a general term used to describe a wide variety of control systems and instrumentation that's used to control industrial processes. This ranges from small panel-mounted controller modules with few control loops to several geographically distributed controllers.

Large-scale ICS is usually deployed using supervisory control and data acquisition (SCADA) systems, or distributed control systems (DCS) and programmable logic controllers (PLCs). All systems receive data from remote sensors that measure process variables (PVs), compare these with desired set points (SPs), and derive command functions that are used to control a process through the final control elements (FCEs), such as control valves.

When a CPS is connected to an external network (let's say to a centralized cloud infrastructure), we can refer to it as a cyber-physical IoT. The following diagram is a generalization of an ICS or a cyber-physical system. The system could be controlling engine performance and acceleration in an automobile, or the temperature-based controls in a power grid:

Figure 1.3: Industrial control system (ICS) functional flow diagram; Source: (NIST-800-82r2)

In the case of cybersecurity, the prime focus is to protect the data itself. Data privacy and identity protection are the top priorities. In the case of cyber-physical security, visibility into the controls is important. For example, if a temperature sensor in a power generation plant is hacked remotely, it can incorrectly output very high temperature values, which would cause the control system to shut down the entire power plant. In the reverse case, that is, if the sensor output is much lower than what it should be, the control action may result in much more dangerous consequences.

General characteristics of any CPS/ICS system include:

These characteristics render cyber-physical security more complex than cybersecurity. In CPS, due to environmental interactions, a security breach has physical safety implications.

This necessitates cyber-physical control systems being inherently resilient. A control system is characterized as resilient when it can maintain state awareness and an accepted level of steady state behavior (operational normalcy) when exposed to abnormal conditions, which include intentional and unintentional errors, malicious attacks, and disturbances (RIE-GERT).

OT refers to the hardware and software dedicated to detect or induce changes in physical processes. OT involves technologies that are used to directly monitor and/or control physical devices such as valves, pumps, and so on. As an example, consider the computing and connectivity technologies involved in an ICS/SCADA system of a power station or a railway locomotive manufacturing facility, which monitors and controls the various physical systems and plant processes.

By adopting IoT, as industries accelerate into the future, it is important to evaluate the current industrial assets and technologies in a typical industrial deployment, and to determine practical mechanisms to transition to greater efficiencies without compromising resiliency. So, before diving deeper into the subject of IIoT security, the prevalent industrial devices, systems, and technologies are discussed in this section.

Though often incorrectly confused with IoT, digital M2M has existed in industries for the last two to three decades. Broadly speaking, M2M refers to any technology that enables machines to exchange information and perform actions without any human mediation. From that end, M2M is foundational to the development of IoT.

To quote from (GART-IOT) ,"The key components of an M2M system are: Field-deployed wireless devices with embedded sensors or RFID-Wireless communication networks with complementary wireline access includes, but is not limited to cellular communication, Wi-Fi, ZigBee, WiMAX, wireless LAN (WLAN), generic DSL (xDSL), and fiber to the x (FTTx)."

The cellular M2M communications industry can be traced back to when Siemens developed and launched a GSM data module called M1 in 1995. M1 was based on the Siemens mobile phone S6, which was used for M2M industrial applications; it enabled machines to communicate over wireless networks.

In industries, telemetry was a very common use case for M2M, in addition to remote monitoring and the control of field assets.

SCADA is a distributed control system architecture used to control geographically dispersed assets. Distribution systems such as electrical power grids, oil and natural gas pipelines, water distribution, railway transportation, and so on heavily rely on centralized data acquisition and control. A SCADA control center monitors alarms and processes data for field sites, usually over long-distance communications networks. This information from the remote stations is used to push automated or operator-driven supervisory commands to remote field devices (which will be discussed later in this section) to control local operations such as the opening/closing of valves, breakers, collecting sensor data, and so on (NIST-800-82r2).

A DCS is functionally similar to SCADA, though it is typically used for localized control in continuous manufacturing process use cases, for example, a fuel or steam flow in a power plant, petroleum in a refinery, and distillation in a chemical plant. As DCS localizes control functions near the process plant, it is a more cost-effective, secure, and reliable option for uses cases where the control room is not geographically remote.

PLCs are extensively used in most industrial processes. PLCs are solid-state closed-loop control system components that are used in SCADA and DCS to provide operational control of discrete processes such as automobile assembly lines.

Being localized within a factory or plant, DCS and PLC communications use reliable and high-speed local area network (LAN) technologies. On the contrary, SCADA systems cover larger geographical territories, and need to account for long-distance communication challenges, delays, and data loss in remote sensor networks.

An ICS is an overarching industrial technology that usually includes SCADA, DCS, and PLC functionalities.

An ICS is a generic term used for all industrial systems that perform data acquisition, monitoring, and supervisory control of local and remote devices and assets. In the previous section, we talked about SCADA, DCS, and PLCs, which are the basic building blocks for centralized monitoring and control of distributed assets and operations, which are sometimes scattered over thousands of square kilometers. The following diagram shows the various functional levels of a manufacturing control system:

Figure 1.4: Functional levels of computerized manufacturing

From the preceding diagram, we come to know of the following:

Field devices are remote station control devices that can act on either automated or operator-driven supervisory commands from central control stations. These control stations generate commands, such as for opening or closing valves and breakers, collecting data from sensor systems, monitoring local environments for alarm conditions, and so on, based on information received from other remote stations (NIST-800-82r2).

These are industry-specific components that interface with digital or analog systems and expose data to the outside digital world. They provide machine to machine, human to machine, and machine to human capabilities for ICS to exchange information (real-time or near real- time), thus enabling other components of the IIoT landscape. This includes sensors, interpreters, translators, event generators, loggers, and so on.

Plant devices and equipment include sensors and actuators, control valves, and so on, which sense and act on commands from ICS.

The following diagram shows the various components of an ICS/SCADA system:

Figure 1.5: Functional components of a SCADA system; Source: (NIST-800-82r2)

ICS network components

Industrial control networks involve a lot of connectivity across the various levels of the control hierarchy, as shown in the following diagram:

Figure 1.6: Distributed ICS/SCADA connectivity diagram; Source: (NIST-800-82r2)

Field devices and sensors usually communicate with a Fieldbus controller, which can uniquely identify them. For long-distance SCADA communications, routers are used to connect the LAN and WAN segments. Network segregation strategies are implemented using industrial firewalls. Firewalls enable fundamental network-based access control of resources on a particular network segment. Furthermore, depending on deep packet inspection (DPI) capabilities, there is the potential to get into protocol-level filtering as well. Consider an example of a firewall with DPI that is looking at Modbus traffic to manage read versus write versus read/write privileges based on the data source.

Considering the nature of OT traffic and the protocols involved, these firewalls are quite different from IT or next-gen firewalls, which we will discuss in greater depth in subsequent chapters. And yes, modems are still used to enable long-distance serial communications between MTUs and remote field devices in SCADA systems. DCS and PLCs use modems and remote access points to gain remote access to field stations for command, control, and configuration changes for operations, maintenance, and diagnostic purposes. Examples include using a personal digital assistant (PDA) to access data over a LAN through a wireless access point, and using a laptop and modem connection to remotely access an ICS system.

Fieldbus protocols

ICS networks involves deterministic, tight control loops. Fieldbus refers to the family of ICS networks used for real-time distributed control. These protocols are usually defined to satisfy the requirements of specific industry verticals, are proprietary, and as such have limited interoperability. Examples include the Common Industrial Protocol (CIP), Modbus (Modbus-serial, Modbus-TCP), DNP3, Profibus, Profinet, Powerlink Ethernet, OPC, EtherCAT, HTTP/FTP, GOOSE, GSSE for automated power substations (defined in the IEC 61850 standard), and so on.

Many of these protocols support both serial and Ethernet-based TCP/IP stacks, and have been in deployment since as far back as the 1960s. Many vulnerabilities exist in these protocols, and these will be examined in Chapter 5, Securing Connectivity and Communications.

To sum up this section, OT technologies have evolved over a very different runway than information technologies, with a life cycle that runs into decades. In industrial operations, maximizing equipment uptime is critical. So, many industrial deployments today adhere to age-old technologies, which were never designed with security and interoperability in mind. Understanding these technologies is important for planning and designing secured IIoT architectures.

Even though security technologies for OT deployments exist today, the Industrial Internet pushes the boundaries much further with state-of the-art software, firmware, and connectivity paradigms, thus calling for a major shift in mindsets. How does IIoT provide an evolutionary path for existing ICS systems? Let's discuss that now.

 

The following diagram illustrates a side-by-side comparison of priorities in IT and OT environments in the context of securing operations:

Figure 1.9: Divergent priorities of IT and OT

In the case of securing ICS and SCADA networks, the protection of the plant, people, and processes takes precedence. Industrial controls involve engineered processes (for example, the opening/closing of valves, turning energy levels higher/lower, and so on). These controls and commands must function in a deterministic fashion. Thus, although industrial controls are not technically integral to a security framework, security measures must align with industrial control requirements.

In IT networks, it may suffice to inspect network layer traffic, but to secure OT environments, industrial firewalls are expected to perform deep-packet inspection to monitor and analyze actual commands in the application layer.

The availability of OT systems and infrastructure is shown next in terms of priority. With the introduction of data-centric models and the Internet of Things, data integrity is arguably more important than availability in certain use cases.

In IT environments, data confidentiality, integrity, and system availability are the main priorities (not necessarily in any particular order, as in some use cases, system availability takes precedence over confidentiality).

Attack surfaces differ considerably in IT and OT environments. IT is characterized by ever-evolving and intertwined technology stacks, which makes the attack surface rather fluid and dynamic. IT data traffic is primarily hierarchical, north-sound bound. The IT cybersecurity approach is usually threat-based, constantly plugging holes for new malware and viruses. The threat actors in IT typically target monetary gains and, as such, range from miniscule to large, organized cybercriminals.

In the case of OT, although the processes and controls are deterministic, the attack surfaces can be vast and scary. Their diverse deployments foster several avenues of intentional and unintentional cyber incidents. An attack surface in the case of OT is laterally spread, as there is not much traffic traversing north-south across the DMZ. OT cyber threats involve a completely different type of adversary. Threat actors in the case of ICS are usually not after money, and often involve nation state actors whose prime motivation is to inflict large-scale disruption in business, national, or political arenas.

The following diagram illustrates the diverse attack surfaces in a typical industrial use case:

Figure 1.10: Attack surfaces in IT and OT domains

A threat can be defined as the potential of an exploit for a given system. Threat actors refers to the adversaries who trigger or inflict the exploit. In the case of an industrial system, such as a wind turbine, a threat actor could be either natural or man-made.

In the IIoT context, threats impact both the information and physical domains. The privacy and integrity of machine data—both control and payload—have the potential to be exploited. Unauthorized access and manipulation of IoT platforms, software, and firmware are also potential threats. On the other hand, IoT devices and control systems are exposed to physical reliability, resilience, and safety threats. Control system transfer functions, state estimation filters, sensing, feedback loops, and so on can also be targeted by malicious players. For example, manipulating a sensor/actuator system can cause a control valve to transmit dangerous levels of chemicals that may damage the immediate environment or interdependent system.

There is no silver bullet for industrial security, even though some brands lay claim to it. The adoption of digital technologies expose new types of attack vectors, and newer attack surfaces. A practical approach for IIoT security is to adopt a defense in depth strategy for security, wherein each defense mechanism makes it so much more formidable for the attacker.

Defense in depth (also known as the Castle Approach) is a concept found in IA, where multiple layers of security controls (defense) are placed throughout the architecture to be protected. Its intent is to provide redundancy in the event if any one security control fails or a vulnerability is exploited, the system will still be protected. These defenses can cover aspects of personnel, procedural, technical, and physical security for the duration of the system's life cycle. For any specific use case, system architects need to consider how the data flows and how to secure the data flow. Determining which data is important and needs protection within a given context is also vital.

Threat actors, in the case of IIoT systems, include:

Other threat actors include phishers, spammers, malware/spyware authors, industrial spies, and so on.

Vulnerabilities refer to the software and hardware weaknesses that are inherent in the system and can expose the system to threats. System vulnerabilities can be the outcome of how it was designed, implemented, tested, or is operated. While vulnerabilities are unavoidable, proper assessment and proactive remediation techniques need to be employed to combat them.

Vulnerability in any part of the deployment can be subject to an exploit. Experienced cyberattackers are aware of potential vulnerabilities. This makes the attack surface complex and scary. In subsequent chapters, IIoT security strategies and countermeasures will deal with this topic in greater depth.

The following subsections contain a categorized list of common vulnerabilities that are applicable to any cyber-physical IoT security plan (NIST-800-82r2).

Network vulnerability

The following list explains the main considerations regarding network vulnerability:

• Vulnerable legacy protocols with insufficient security capabilities
• Weak network security architecture
• Network device configurations not stored or backed up
• Unencrypted passwords, lack of password expiration policies
• Inadequate access controls applied
• Inadequate physical protection of network equipment
• Unsecured physical ports
• Non-critical personnel have access to equipment and network connections
• Lack of redundancy for critical networks
• No security perimeter defined, firewalls not used adequately, and control networks used for non-control traffic
• Lack of integrity checking for communications
• Inadequate data protection between clients and access points:

Figure 1.11: The flow sequence of threat and risk assessment; Source: Practical IoT Security Book, Packt Publishing

Risk can be defined as the probability of a successful exploit and the associated loss thereafter. While a security vulnerability is innate to a platform, risk refers to the chances of that vulnerability being exploited to cause the anticipated damage. For example, an industrial computer used to process accounting data may be running an application with known authentication and remote access control defects. If this computer is air-gapped, the risk associated with these defects is almost negligible. However, when connected to the internet, the associated risk increases by a great degree (IOT-SEC).

Risks can be managed by using threat modeling (which will be described in Chapter 2, Industrial IoT Dataflow and Security Architecture), which helps to ascertain the possible exposure, impact, and overall cost associated with an exploit. It also helps to estimate the importance of the exposure to the attackers, their skill levels to launch the attack, and so on. Risk management practices help to deploy mitigation strategies proactively.

Some examples of ICS risks that have been introduced by brownfield IoT deployments are:

IoT connectivity in power generation and distribution (smart grids) is an important use case that enables utility companies to communicate with their retail and enterprise consumers. This bidirectional communication enables demand-based variable energy production, as well as fuel and cost optimization (NIST-SMG). With smart metering, utility workers no longer need to physically visit consumer premises to obtain meter readings. This makes metering and billing more accurate and cost-efficient. Accuracy in tracking and reporting usage enables utility companies to gain better insights into customer energy usage profiles, which enables them to optimize usage and defer usage away from peak hours.

A power generation utility is a typical example of a system of systems, with highly distributed control systems and networks. Smart grids are, in general, implemented in a way that depends massively on TCP/IP networks, both wired and wireless.

In many power generation facilities around the globe, the cyber defense practices utilized today are often outdated. Inadequate use of risk management practices and security controls such as industrial firewalls with DPI capabilities and access control render these facilities exposed to cyber risks.

As critical infrastructures, the impact of a cyberattack in these facilities could potentially cascade onto other interdependent systems, such as water purification facilities, smart city traffic control systems, and so on. In Chapter 9, Real-World Case Studies in IIoT Security, the anatomy of a power grid cyberattack is discussed elaborately.

Data suggests that energy sectors are more prone to cyberattacks and more than 15% of industrial cyberattacks target the energy sector (ENER-SYMT). Stuxnet, Duqu, Shamoon, and Night Dragon are infamous security incidents that targeted the energy sector. Internet threats are one of the prime concerns in the energy sector, compounded with the ubiquity of legacy systems, which were originally designed as air-gapped systems and still remain to be fortified with security controls.

In manufacturing plants, unscheduled downtime has always been the top reason for lost productivity. Critical asset failures largely contribute to these unplanned shutdowns. Finding effective ways to predict and prevent asset failures on the factory floor has always been a hard-to-win battle. Today, the evolving framework of IoT enables us to better manage physical assets using smart sensing, scaled connectivity, and data-driven predictability. Using the IIoT framework, manufacturing plants can deploy instrumentation across the factory processes to establish a digital continuum, which connects information and utilizes actionable data. Real-time analysis of this data enables early fault detection and data-driven decision making, which in turn helps minimize unplanned downtime and improve performance, and therefore increase profits.

In manufacturing, legacy technologies, inadequate cybersecurity skills among OT operators to conduct timely patches, upgrades, segmentation, perimeter-based defense, and so on pose a serious cyber risk. The interplay of multiple vendors owning the various components of an IIoT solution and the vulnerabilities in third-party systems, such as unsecured APIs, lack of permission-based access, the use of clear text, and so on, need to be carefully examined:

Figure 1.13: Chronology and global spread of industrial cyberattacks; Source: Frost and sullivan (FSV-IoT)

In June 2010, 14 industrial sites, including a uranium-enrichment plant, were infected by a 500 KB computer worm called Stuxnet. The worm entered one of the computers through a USB stick, and feigned a trustworthy digital certificate to evade automated detection systems. It proliferated via the enterprise LAN and infected air-gapped computers, owing to its ability to be transmitted through a USB drive.

Driverless, autonomous vehicles taking over the city's roads is the grandest human dream of this decade. Fuel efficiency, hassle-free commuting, parking efficiencies, traffic and road safety, reduction in harmful fuel emissions, and so on are the advantages associated with the vision of autonomous vehicles. While we may have to wait some more years before we can live in this dream, internet-enabled connected vehicles and fleet management are very much a reality. Connected sensor meshs, communications using vehicle to vehicle (V2V) and vehicle to infrastructure (V2I), telemetry, AI and machine learning, cloud connectivity, and so on are the building blocks to make connected vehicles a reality. General Motor's OnStar, Ford's Sync, and Chrysler's Uconnect are some examples of early-stage connected vehicle technologies that are already in use.

Road safety, mobility, and the environment are the top priorities of the connected vehicle program that the US Department of Transportation (DOT) is driving, in partnership with state and local transportation agencies. The National Highway Traffic Safety Administration (NHTSA) estimates that connected vehicles can reduce the 5 million recorded crashes on US roads by 80% (DOT-VHC). According to DOT, surface transportation loses nearly 4 billion gallons of gas each year due to traffic congestion, which also significantly adds to the greenhouse gases (GHG) that vehicles emit. Smart traffic controls thus equate to both fuel and environmental efficiency.

Nextgen connected vehicle communication uses dedicated short-range communications (DSRC), in addition to cellular, GPS, Bluetooth, and so on, to gain 360-degree road awareness. Forward Collision Warning (FSW) doesn't depend on line-of-sight. Considering a driver's data privacy, vehicle information—heading, position, speed, and so on—are communicated using Basic Safety Messages (BSM), which eliminates any personal identifying information (PII) regarding the vehicle or the driver.

In connected vehicles, several complex technologies intricately interplay. The software and hardware often involve multiple vendors. Cloud connectivity provides inroads for black hat hackers. Vulnerabilities in an automobile's control area network (CAN) databus, use of insecure APIs in the software modules, lack of permission control for third-party applications, inadequate "security by design" practices, and penetration testing provide a wide attack surface that can very well shatter our smart transportation dreams.

By exploiting a software bug, security experts Charlie Miller and Chris Valasek demonstrated the fatal consequences of an on-the-road hack when they wirelessly sabotaged a 2014 Jeep Cherokee. The full exploit is explained in Miller and Velesek's report (http://illmatics.com/Remote%20Car%20Hacking.pdf)

Several IoT applications are digitally transforming healthcare systems around the world. Some of the common IoT use cases are connected hospitals, where connected medical devices are simplifying critical patient monitoring instruments. In hospitals, smart medical equipment provides accurate data and reduces cluttered wiring, thus reducing human error-related accidents. Remote monitoring of patients, particularly the elderly, is also a promising use case.

Real-time tracking of medical devices and personnel (such as doctors) in large healthcare facilities is possible by using Bluetooth low-energy (BLE) and RFID. Real-time OS and high throughput data buses allow the cloud connectivity of medical equipment to optimize equipment usage, reduce cost, and improve patient care with instant reports and health analytics. In the pharmaceutical industry, robotics and biosensors are improving the quality of drug manufacturing. IoT also improves visibility into the supply chain of pharmaceuticals, ensuring improved drug quality and patient safety.

In November 2017, for the very first time, the Food and Drug Administration (FDA) approved a digital pill (FDA-MED). A digital pill is a medication that's embedded with a sensor that can tell doctors whether and when patients take their medicine. Since critical medical devices and drugs are linked to human life/death conditions, conformance to FDA regulation is a helpful safety gate. Although regulatory intervention holds the reins for healthcare digitization, connected medical devices and hospitals are a reality today. Black hat incidents in hospitals also testify to the fluid attack surfaces that have been exposed with the adoption of internet connectivity in this slow-moving sector.

May 2017 saw one of the worst cyberattacks in medical history, which crippled the UK's National Health Service with the WannaCry ransomware. Outdated software and applications, legacy systems, and inadequate cybersecurity practices pose major risks for black hat exploits. Inadequate cybersecurity awareness among hospital staff, and the lack of security disciplines such as regular patch cycles, and so on add to the risk factors. In the case of a cybersecurity breach, loss of confidential information such as a patients' medical and financial records is bad enough, but an OT cyber incident can also temper with medication and monitoring devices, which could cost human lives.

In May 2017, WannaCry ransomware spread across enterprises in 150 countries. The ransomware was combined with a Microsoft Windows Server Message Block (SMB) protocol exploit called EternalBlue (ETN-WRD). The IT infrastructure in enterprises including Telefonifa, Santander, Deutsche Bank, Fedex, and so on was infected. However, the biggest impact was seen in hospitals belonging to the UK's National Health Service (NHS), where swathes of computers were infected, forcing hospitals to turn away patients and cancel surgeries.

The EternalBlue exploit, when successfully delivered, grants admin access to every connected system in an Enterprise IT infrastructure. The vulnerability existed in legacy Miscrosoft Windows versions—Windows 7 and 8, XP, and 2003.