Attacks on the Industrial Internet of Things – Development of a multi-layer Taxonomy

Abstract

The Industrial Internet of Things (IIoT) provides new opportunities to improve process and production efficiency, which enable new business models. At the same time, the high degree of cross-linking and decentralization increases the complexity of IIoT systems and creates new vulnerabilities. Hence, organizations are not only vulnerable to conventional IT threats, but also to a multitude of new, IIoT-specific attacks. Yet, a literature-based and empirically evaluated understanding of attacks on the IIoT is still lacking. Against this backdrop, we develop a multi-layer taxonomy that helps researchers and practitioners to identify similarities and differences between attacks on the IIoT. Based on the latest literature and a sample of about 50 attacks, we deductively and inductively determine attack characteristics and dimensions. We demonstrate the usefulness and practical relevance of our taxonomy by applying it to a real-world incident affecting a German steel facility. By combining IT security, IIoT, and risk management to form an interdisciplinary approach, we contribute to the descriptive knowledge in these fields. Industry experts confirm that our taxonomy enables a detailed classification of attacks, which supports the identification, documentation, and communication of incidents within organizations and their value-creation networks. With this, our taxonomy provides a profound basis for the further development of IT security management and the derivation of mitigation measures.

Introduction

The use of digital technologies is now widespread in the industrial sector. These technologies – for example, cloud computing – create increasing connections between the physical and the digital world, leading to the emergence of an Industrial Internet of Things (IIoT) (Sisinni et al., 2018). In highly flexible, self-organizing, and self-optimizing smart factories, the IIoT enables real-time monitoring and control of production (Brettel et al., 2014; Lasi et al., 2014; Radziwon et al., 2014). This enables manufacturing companies to remain competitive in turbulent markets characterized by ever-changing demands for customer-specific products, shorter research and development cycles, and resource and energy efficiency throughout the entire product life-cycle (Kagermann et al., 2013; Lasi et al., 2014).

Yet, in addition to these manifold opportunities, the development of the IIoT leads to additional IT security risks. In particular, increasing levels of cross-linking and decentralization make IIoT systems more complex. This not only increases the probability of unintentional or negligent disruptions and errors but also creates new targets for IT attacks (Broy et al., 2012); targets that are now vulnerable to both conventional IT attacks and emergent IIoT-specific threats (Alaba et al., 2017). For example, the fact that sensors and network nodes in the IIoT are limited in terms of energy, memory, and processing power (Lu et al., 2014) means that they can provide new entry points for attackers. Meanwhile, the continuing trend toward more sophisticated, multi-stage attacks (Ervural and Ervural, 2018), together with high levels of cross-linking, facilitates the spread of attacks within and across systems (Berger et al., 2019; Moustafa et al., 2018). In addition to the malfunctioning of IT components, compromised systems may entail physical damage or may even be life-threatening (Bhamare et al., 2020).

Attempts have already been made to classify IT attacks and so provide structure in this dynamic and opaque field. In the academic literature, one-dimensional category lists classify IT attacks related to individual characteristics (e.g., Lin et al., 2017; Zhao and Ge, 2013), while taxonomies conceptualize attacks based on multiple characteristics in various contexts (e.g., Elhabashy et al., 2019; Pan et al., 2017; Yampolskiy et al., 2013). However, these works show no uniform structure, only focus on selected attributes with differing levels of granularity, and do not fully account for the context of the IIoT (see Section 2.3). The professional literature authored by management consulting or IT institutions (e.g., CISCO, 2019; Kaspersky, 2019), meanwhile, is primarily focused on individual attacks.

Despite expressing their intentions to bring structure to the field, the majority of industrial organizations still struggle to identify, collect and use the information on IT threats (Iannacone et al., 2015). The comparison and exchange of information are further hampered by the fact that individuals and organizations often use different languages (Hansmann and Hunt, 2005; Howard and Longstaff, 1998). Hence, organizations still lack both an overview and an understanding of potential attacks and how they might be dealt with them (Kaspersky, 2017). However, a common understanding and the use of common language (across organizations) are not only necessary to identify and analyze attacks but also to develop mitigation measures (Shirazi et al., 2014; Spreitzer et al., 2018). The variety, heterogeneity, and complexity of security threats underline the need to order and classify attacks (Shirazi et al., 2014). Hence, we address the research question: How can attacks on the IIoT be classified?

To answer this research question, we set out to identify similarities and differences between attacks on the IIoT. To do so, we followed the iterative development method of Nickerson et al. (2013) and created a multi-layer taxonomy for classifying attacks. Our taxonomy, which comprises 8 dimensions and 19 characteristics, spanning 3 layers, was initially based on a structured literature review. The taxonomy was refined in the course of four iterations using a sample of 53 attacks. We confirmed the validity and reliability of the taxonomy by calculating object- and dimension-specific hit ratios. An illustrative example involving a real-world scenario is used to demonstrate the usefulness of the taxonomy.

Combining the fields of IT security, IIoT, and risk management, our interdisciplinary approach provides both researchers and practitioners with a common understanding of attacks on the IIoT. Based on various dimensions and characteristics of comparable granularity, our taxonomy enables the comparison of conventional and emerging IIoT-specific attacks. From an academic perspective, our taxonomy contributes to the descriptive knowledge, providing a means to identify similarities and differences between attacks on the IIoT. This understanding is key to the advancement of research in this fast-moving field. From a practical point of view, managers, IT security experts, system designers, and network administrators can use our taxonomy to collect and analyze attack information in a structured and comprehensive manner. This information will, in turn, support the development of mitigation measures for counteracting existing and future threats.

The remainder of this paper is structured as follows: In Section 2, we introduce key terms related to the IIoT and IT security and discuss related work. In Section 3, we present our research method. Next, we present the dimensions and characteristics of our taxonomy as the core of our work in Section 4. In Section 5, we present the evaluation results. After discussing theoretical and managerial implications in Section 6, we conclude by summarizing our results, limitations, and suggestions for future research in Section 7.