Proactive Fraud Prevention for Industrial IoT


“The use of IIoT devices in industrial settings is exploding and will continue to do so. One aspect of this rapid growth is easy to predict: fraud. Fraudsters will be stepping up their efforts to hack IIoT networks and drain revenue from a multitude of businesses.” – Dheeraj Remella, Chief Product Officer, VoltDB

Table of contents

Intro
The IIoT stakes are high
What telco can teach us about IIoT
Preventing Industry 4.0 from becoming Intrusion 4.0
Capability 1: Data collection and processing must happen at the edge
Capability 2: Machine learning must happen in a central repository
Capability 3: Intrusion events must be identified and acted upon in real-time
Capability 4: Aggregation – fraud prevention’s secret sauce
Conclusion

Intro

The Industrial Internet of Things (IIoT), with its drive toward Industry 4.0, is transforming businesses across a wide range of industries. While initially focused on operational efficiency and cost optimization, primarily via automation, the arrival of new technologies, such as 5G, is driving companies to look at IIoT opportunities in new ways.

At the core of these new opportunities is the ability to collect and aggregate data from assets, devices, and machines, and turn that data into intelligent, value-generating actions that can be immediately carried out by humans or via automation.

The core value proposition of Industrial IoT, therefore, is that systems can operate with minimal to no interruption or intervention, which is why the emerging field of IIoT device command, control, and communication (C3) is so important. If, by definition, IIoT depends on a remote controlling intelligence, it follows that either compromising communications or sending false commands could cause catastrophic problems.

Unfortunately, with IIoT’s promise of ubiquitous connectivity and automation come the all too familiar risks of hacker intrusion, fraud, and revenue leakage.

It’s a sad fact that fraud has been a reality as long as technology has been with us. At VoltDB, we’ve seen it happen across industries as diverse as telecommunications, online advertising, network management, and financial services. As soon as new business opportunities are introduced for revenue and innovation, new threats will follow.

As our customers have learned, the only way to address threats is proactively, by architecting solutions that incorporate security into every step of their operations. This allows them to stop the threat at the first sign of it happening.

The IIoT stakes are high

When discussing IIoT security, it’s natural to focus on traditional topics, such as securing assets, preventing DDoS attacks, spoofing, bypass attacks, and others.

But there’s another enormous implication in IIoT: the rise of the digital twin, a digital representation that enables physical assets and processes to be monitored, managed, tested, analyzed, and controlled in real-time. Digital twins can represent products, machines, robots, production lines, energy grids, medical patients, and more. In fact, one can say that a meaningful digital transformation depends on digitalizing every physical asset, living or nonliving, whose behaviour evolves. Thus, when we think of industrial automation in the context of Industry 4.0, we are thinking of digital twins.

If a digital twin is an intelligent digital model that can be used to make physical assets perform predictably, it follows that hacking a digital twin can lead to manipulating its intelligence such that it performs unpredictably.

Hacking into a digital twin could be catastrophic, depending on what it is controlling. Imagine hacking the digital twin of an energy system, for example, or a robot in a medical device factory.

The point is that the very IIoT devices that are necessary for a digital twin to function create multiple access points for attackers to exploit.

What telco can teach us about IIoT

Throughout the history of computing, a clear pattern has emerged of malign activity that exploits standards and norms, appearing almost as soon as the technology in question reaches critical mass. As soon as people had PCs and started copying games on floppy disks, malign viral code started proliferating. The invention of internet bulletin boards turned virus management from an obscure problem into a major industry. Fraudulent internet advertising costs are measured in billions per year.

The telco industry, especially, has a long history of battling fraud, which accelerated rapidly as digital services took over from analogue. It offers some valuable lessons that can be immediately applied to the prevention of IIoT fraud.

While standards and protocols are developed by standards bodies such as 3GPP for conducting standard business interactions between systems, the dynamic nature of fraud means there are no standards or protocols for addressing fraudulent behaviour. The industry was simply not prepared for the lengths that fraudsters would go to to make money. Every industry experiences this and IIoT is not going to be any different.

So, if we look at the evolution of telco technology…

  • Specialized ‘firmware’ equipment gave way to commoditized equipment.
  • The speciality function is now software-defined (virtualization, containerization, etc.).
  • Intelligence is now within the software, making it more nimble and agile for faster updates and patches.
  • While becoming software-enabled means the system is more prone to malicious attacks, it also means that it can be modified to address these threats in addition to satisfying the normal functional requirements.

…we can see the same progression in IIoT

  • Specialized (and expensive) devices are giving way to commoditized sensors. Online articles predict that sub-$6 devices will be common by 2022.
  • As with telco, the reason for this shift is that intelligence is moving from the device firmware into the controlling software. In other words, IIoT devices are becoming dumber in themselves and depending on cloud interaction to provide intelligence.
  • This creates the same vulnerabilities we have seen elsewhere.

While we are culturally predisposed to think of computer crime as the work of individual actors, the reality is that sophisticated ecosystems appear over time as unauthorized access becomes commoditized. The internet has ‘botnets for hire’, which give you wholesale access to other people’s compromised devices. Telco has a well-developed ecosystem for ‘SIM boxing’, which allows you to bypass international call costs. Because of the amount of money involved, and difficulty in obtaining prosecutions, the involvement of professional criminals is inevitable.

Given this trajectory, it would be naive to assume that there is no requirement for high level, automated, real-time oversight of IIoT networks. If history is a guide, we can expect to see dedicated businesses emerge whose goal is to secure the IIoT. Security will undeniably become a significant part of the total cost of ownership.

Preventing Industry 4.0 from becoming Intrusion 4.0

Thanks to pioneering efforts across other industries – primarily telco and financial services – there is a proven solution for fraud prevention.

Successfully addressing fraud requires four essential capabilities:

  1. Data collection and processing must happen at the edge, closer to the source of the event.
  2. Machine learning must happen in a central repository, so insights learned from local events can be shared globally.
  3. Intrusion events must be identified and acted upon in real-time, which means single-digit milliseconds.
  4. Real-time aggregation must be possible to obtain up-to-date aggregate views of the IIoT to manage it successfully.

When combined, these capabilities provide the ability to act upon enormous volumes of fast-moving streaming data at the precise moment an exception is identified, and before the threat is fully manifested. This is the only way to move from post-loss reconciliation to proactive prevention.

Capability 1: Data collection and processing must happen at the edge

For Industry 4.0 to become a reality, billions of sensors and IIoT devices will be needed to drive it. These devices produce a lot of data. Continuously sending that data to centralized systems for analysis before sending actionable results back to the device slows everything down and quickly negates the point of automation. That’s why Gartner and so many other analysts and industry experts talk about the speed at which distributed computing, storage, and resources are being pushed away from a centralized data centre and closer to the location where they’re needed. In other words, to the edge.

Not surprisingly, Gartner predicts 75% of generated data will be processed outside centralized data centres or the cloud by 2025. It’s a shift that is happening now and it’s happening fast.

This matters in the context of threat prevention, because time is the critical element. To move to a prevention model, the entire event data management cycle of ingest-store-aggregate-measure-detect-decide-act must happen in single-digit milliseconds. This means decisions must happen as close to the event source as possible. You simply can’t achieve the real-time, single-digit millisecond decisions necessary for intrusion prevention when you need to make trips back to the centralized data centre or run a batch process on your backend database.

But for processing at the edge to be effective, it requires ‘intelligence’ to reside in a central repository, where it can deliver insights back to multiple edges to ensure precise, in-the-moment decision making.

This is the domain of machine learning.

Capability 2: Machine learning must happen in a central repository

Real-time threat prevention requires automatically analyzing every event inside massive streams of fast data and looking for exceptions in that event data. You then leverage those exceptions to ask, “Is this a threat?” and act upon the answer. Presenting an accurate answer is made possible by machine learning.

In the context of intrusion detection, we must understand that machine learning cannot be a one-time activity. Fraudsters are continuously evolving their activities and levels of sophistication. Just being able to apply a collection of static rules and alerting someone is not enough. The only way to counteract fraud is to stay many steps ahead of evolving intrusion events and threats, and to act to secure everything instantly.

When real-time data can be continually fed into the machine learning layer, new insights are generated frequently by retraining the model. These retraining exercises generate new predictive and prescriptive insights that are better aligned with reality. Thus, machine learning plays a truly mission-critical role in IIoT fraud prevention. Threats will keep evolving but, if machines can keep learning, they can continue to secure the network against bot attacks and intrusions.

A challenge in all industries, especially with IIoT, is the sheer volume of data streaming in at high speed. Turning that data into valuable insights means being able to first sort the useful data from the noise before it’s moved into the central repository. Otherwise, it’s just noise building upon noise, and of no use to real-time decisions.

Put this all together and the result is a machine learning engine that has moved beyond a localized context and into a globalized context. So, what you learn ‘over here’, you can feed to ‘over there’. For example, if a digital twin of a production line in factory A gets attacked, the ‘learnings’ from the attack, along with the prevention mechanism created in the central repository, are then used to preemptively watch for the same threat in factories B & C.

The same intelligence also takes care of processing false positives. After all, no manufacturer wants to shut down a production line because of one bad sensor.

Machine learning handles complex relationships and dependencies that humans couldn’t even begin to unravel and understand in the necessary timeframe, and it’s that element of time that leads us to the third critical capability.

Capability 3: Intrusion events must be identified and acted upon in real-time

For IIoT to provide value, decisions must occur within the moment, and it’s this need for strict real-time that is driving core IIoT investment decisions. Near real-time is no longer enough. The shift in machine-to-machine and process automation demands that the entire cycle, from event data ingestion through automatically triggering the necessary protection, be completed within single-digit milliseconds. Otherwise, the intrusion is already ‘in the system’ and causing untold damage.

But let’s be clear, we’re talking about more than simple ingestion and movement of data. As we’ve seen, the new expectations of real-time include applying sophisticated rules, algorithms, and machine learning models to multiple streams of event data, using that analysis to detect exceptions, and then making and acting upon a decision – all within 10 milliseconds. Without that, event data just becomes more noise, taking up server space.

For real-time decisions to become a reality, a holistic data platform is needed; one that brings database and stream processing together to address the entire event data management cycle of ingest-store-aggregate-measure-detect-decide-act, and where the captured data driving those decisions and actions can be sent to centralized platforms to continuously improve learning and stay many steps ahead of hackers and fraudsters.

Capability 4: Aggregation – fraud prevention’s secret sauce

We’ve already discussed how data streaming in and out of a digital twin enables a physical asset or process to be monitored, managed, tested, analyzed and controlled. An entirely different layer of value becomes available when you start to look at the collective behaviour of digital twins in the aggregate, especially if you can do so in real-time.

While the behaviour of individual elements may be harmless, bad things can happen when that behaviour is scaled. Let’s look at two examples:

Example #1: In the United Kingdom, the companies managing the power grid must pay close attention to TV schedules, as broadcasting popular programs can lead to a ‘TV pickup’, where several million people turn on a kettle to make tea at more or less the same time and threaten to drain the grid.

This demonstrates how events that are harmless at an individual level can become dangerous at the aggregate level.

Example #2: In 2017, popular mapping applications directed motorists towards dangerous fires, because their flawed aggregate view of the world indicated that the roads in the area were mysteriously empty.

This demonstrates how a failure to properly interpret aggregate information can lead to dangerous situations.

The lesson is clear:

Just as the IIoT assumes we have a command and control loop that operates on millisecond timescales, we also need to be able to obtain up-to-date aggregate views of the IIoT to manage it successfully.

A VoltDB customer in the business of IIoT smart meters manages communications network capacity on the dedicated communications system for the power network. Mission-critical messages like, “Please turn off the gas. Your building is on fire.” can get through even when there are millions of requests for routine readings being made.

This ever-evolving, always up-to-date understanding of the state of the network is only possible with the ability to create and analyze aggregate views of activity which, in turn, is necessary to immediately identify and prevent fraudulent activity.
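The per-event cycle of Capability 3 and the aggregate view of Capability 4 are easier to reason about in code. The following is an added example written for this page; it is not VoltDB code and not an implementation of any product the article describes. It assumes a hypothetical feeder with 100 kW of capacity, a constructed stream of smart-meter readings, and a simple per-device z-score rule standing in for the trained model the article places in the central repository. Each event runs one ingest-store-aggregate-measure-detect-decide-act pass: a reading far outside its own device's baseline is quarantined before it reaches the store, a reading that is individually normal but pushes the sum of latest readings over capacity triggers a curtail decision (the TV pickup case), and alarms are delivered without ever being scored or shed. The decision latency is measured against a 10 ms budget.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
import statistics
import time

# Constructed parameters for this example (hypothetical, not from the article or VoltDB).
BUDGET_MS = 10.0      # decision budget per event: the article's single-digit milliseconds
HISTORY = 30          # readings per device kept at the edge (the "store" step)
MIN_HISTORY = 10      # readings needed before a device's own baseline is trusted
Z_THRESHOLD = 4.0     # deviation from a device's baseline that counts as an exception
STDEV_FLOOR_KW = 0.5  # keeps a flat baseline from turning tiny jitter into an exception
CAPACITY_KW = 100.0   # aggregate load the hypothetical feeder can carry


@dataclass
class Decision:
    action: str        # "store", "curtail", "quarantine" or "deliver"
    reason: str
    aggregate_kw: float
    latency_ms: float
    within_budget: bool


class EdgeDetector:
    """Runs one ingest-store-aggregate-measure-detect-decide-act cycle per event."""

    def __init__(self, capacity_kw=CAPACITY_KW):
        self.capacity_kw = capacity_kw
        self.history = defaultdict(lambda: deque(maxlen=HISTORY))
        self.latest = {}         # device -> last accepted reading (kW)
        self.aggregate_kw = 0.0  # running sum of self.latest, adjusted in O(1) per event
        self.quarantined = set()

    def process(self, event):
        t0 = time.perf_counter()  # ingest
        device, kind, value = event["device"], event["kind"], float(event["value"])

        # Mission-critical traffic is acted on first and is never scored or shed.
        if kind == "alarm":
            return self._done("deliver", "alarm bypasses detection", t0)
        if device in self.quarantined:
            return self._done("quarantine", "device already quarantined", t0)

        # Measure and detect at device level against the device's own recent behaviour.
        # Caveat: the first MIN_HISTORY readings are accepted unscored, so a device that
        # is hostile from the start sets its own baseline; that gap is what the shared
        # central model is meant to close.
        hist = self.history[device]
        if len(hist) >= MIN_HISTORY:
            mean = statistics.fmean(hist)
            stdev = max(statistics.pstdev(hist), STDEV_FLOOR_KW)
            z = abs(value - mean) / stdev
            if z > Z_THRESHOLD:
                # Decide and act before the reading reaches the store or the aggregate.
                self.quarantined.add(device)
                return self._done("quarantine", f"z={z:.1f} exceeds {Z_THRESHOLD}", t0)

        # Store and aggregate: accept the reading and adjust the running total by the
        # change since this device's previous reading.
        hist.append(value)
        self.aggregate_kw += value - self.latest.get(device, 0.0)
        self.latest[device] = value

        # Detect at aggregate level: each reading may be normal on its own while the
        # sum of the latest readings is not.
        if self.aggregate_kw > self.capacity_kw:
            return self._done("curtail", f"aggregate {self.aggregate_kw:.1f} kW exceeds "
                              f"{self.capacity_kw:.1f} kW", t0)
        return self._done("store", "within device baseline and capacity", t0)

    def _done(self, action, reason, t0):
        latency_ms = (time.perf_counter() - t0) * 1000.0
        return Decision(action, reason, round(self.aggregate_kw, 3),
                        latency_ms, latency_ms <= BUDGET_MS)


def demo_stream():
    """Constructed events: 20 meters idling near 4 kW, then a collective step to
    5.4 kW, then one spoofed 60 kW reading, then an alarm."""
    meters = [f"meter-{i:02d}" for i in range(20)]
    events = []
    for r in range(12):   # routine rounds: 20 x ~4.1 kW = ~82 kW, under capacity
        for i, m in enumerate(meters):
            events.append({"device": m, "kind": "reading",
                           "value": 4.0 + 0.1 * ((i + r) % 3)})
    for m in meters:      # every kettle on: each reading plausible, the sum is not
        events.append({"device": m, "kind": "reading", "value": 5.4})
    events.append({"device": "meter-07", "kind": "reading", "value": 60.0})
    events.append({"device": "meter-03", "kind": "alarm", "value": 0.0})
    return events


def run_demo():
    det = EdgeDetector()
    return det, [det.process(e) for e in demo_stream()]


if __name__ == "__main__":
    detector, results = run_demo()
    for i, d in enumerate(results):
        if d.action != "store":
            print(f"{i:3d} {d.action:10s} {d.reason}  ({d.latency_ms:.3f} ms)")
```

On the constructed stream the first 240 readings are stored, the curtail decision appears partway through the collective step (at the 14th meter, when the running total passes 100 kW), the 60 kW spoof is quarantined without touching the aggregate, and the alarm is delivered. The aggregate is kept as a running sum rather than recomputed per event so that the cost of the cycle does not grow with the number of devices, which is what keeps it inside the budget as the fleet scales.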

Conclusion

The use of IIoT devices in industrial settings is exploding and will continue to do so. 5G, edge computing, AI, machine learning, advanced real-time analytics and other disruptions have the potential to change the application of IIoT in ways that are difficult to predict.

But one aspect of this rapid growth is easy to predict. Fraudsters will be stepping up their efforts to hack IIoT networks and drain revenue from a multitude of businesses.

IIoT is already proving to be a gamechanger. But for it to work as promised, devices must be running and optimized to ensure they operate at full capacity and data must flow into the digital engine without compromising its usefulness and intent. With the rise of more process automation, digital twins, and real-time control loops, companies must ensure that security becomes intertwined with business-as-usual operations, and not treated as a separate action that is only addressed when time allows.

Securing IIoT networks will require intelligent threat detection and prevention solutions that automate the process of not just mitigating risks, but proactively preventing them.

Source: VoltDB

Published by Thomas Apel, a dynamic and self-motivated information technology architect, with a thorough knowledge of all facets pertaining to system and network infrastructure design, implementation and administration. I enjoy the technical writing process, including answering readers' comments.