The forgotten IoT that should not be

Imagine you're engaged in a pentest and you discover a misconfigured IoT device still using its factory default password in an operational technology (OT) network. This mistake gives you a strong foothold and opens an actionable opportunity to move laterally.
This misconfiguration seems quite unusual. The technical profile exposed by the device differs markedly from that of its counterparts. Besides, suppliers have recently made efforts to eliminate default credentials that can easily be found on the internet. This is truly an anomaly.
Back at the office, you make an educated guess: what if this opportunity resulted from a commissioning error?
A few days later, your hypothesis is confirmed. What an interesting finding.
⚙️ Did you say commissioning?
In a few words, commissioning is the structured transition phase between physical installation and commercial operation. It encompasses all technical, security, and operational validation activities required to bring an asset from "installed hardware" to "revenue-generating asset".
Let's imagine you are an energy supplier and you need to cover a designated area with your OT infrastructure. This implies rolling out the same type of asset many times, with identical hardware, software and network configurations, in different locations and in a structured manner. Commissioning procedures help achieve this objective while keeping costs and time under control.
For historical, organisational and cultural reasons, commissioning procedures often prioritise safety and efficiency over cybersecurity. In addition, they are frequently manual and may be outsourced to suppliers for business reasons.
Because most commissioning procedures rely on humans, they are inherently imperfect: mistakes happen and leave behind hidden vulnerabilities.
The risk is higher when the company is in an intensive rollout period, relies on numerous suppliers, or simply as time goes by.
Needless to say, this issue must be tackled as soon as possible because it creates a rising debt that is difficult to identify, scope and mitigate over time, even more so if your commissioning procedures are not properly monitored from a security standpoint.
🤖 No human in-the-loop, please!
To address these challenges, security practitioners should advocate for more automated commissioning procedures and ensure the company's OT ecosystem can support these enhancements. These automated procedures should be implemented progressively with a continuous improvement philosophy.
Rather than attempting a complete overhaul, incremental improvements allow teams to adapt while maintaining operational continuity. Keep in mind that if you can't ease change management for departments in charge of commissioning and maintenance, and if you disrupt rollout activity, you have little to no chance of success.
These automation enhancements should include:
- Drift detection between the site configuration and the registered configuration: automated monitoring tools can identify when an asset's actual configuration deviates from its intended baseline, flagging potential security issues or operational anomalies before they become exploitable vulnerabilities.
- Configuration versioning powered by Infrastructure as Code (IaC), CI/CD, and pull requests: IaC practices put configurations under version control, while CI/CD pipelines ensure changes are tested and validated before deployment. Pull requests add peer review. Together, these practices reduce human error.
- Configuration management with batch processing: managing configurations across multiple sites becomes scalable when batch processing capabilities are implemented, allowing consistent updates and security patches to be deployed efficiently across the entire infrastructure.
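A minimal form of the drift detection described in the list above, as an added example (not the post's own tooling): it compares each site's snapshot with the registered baseline, and separately checks the credentials actually present on the device against a constructed list of factory defaults, which is exactly the commissioning error the opening scenario turns on. The baseline, the site snapshots, the default-credential list and every field name are assumptions made for the illustration.

```python
"""Configuration drift check for freshly commissioned OT assets.

Added example, not code from the original post. The baseline, the device
snapshots and the factory-default list are all constructed here; a real
deployment would read the baseline from the asset registry, the snapshot
from the device's config export, and the defaults from vendor documentation.
"""
from dataclasses import dataclass

# Constructed golden configuration that every site of this asset type
# should match after commissioning (field names are hypothetical).
BASELINE = {
    "firmware": "2.4.1",
    "admin_user": "ops-admin",
    "telnet_enabled": False,
    "ssh_enabled": True,
    "snmp_community": "Rx9-site-ro",   # hypothetical rotated community
    "ntp_server": "10.10.0.5",
}

# Constructed factory defaults (vendor-specific in practice).
FACTORY_CREDENTIALS = {("admin", "admin"), ("admin", "1234"), ("root", "root")}
FACTORY_SNMP_COMMUNITIES = {"public", "private"}

# Fields where drift directly widens the attack surface.
HIGH_RISK_FIELDS = {"admin_user", "telnet_enabled", "snmp_community"}


@dataclass(frozen=True)
class Finding:
    site: str
    severity: str   # "high" or "medium"
    field: str
    detail: str


def check_site(site: str, snapshot: dict, baseline: dict = BASELINE) -> list[Finding]:
    """Compare one device snapshot with the registered baseline.

    Flags fields that are missing or differ from the baseline, then checks
    the credentials actually present on the device against known factory
    defaults. Both checks are needed: a device can drift without being at
    risk, and a device can carry default credentials in a field the
    baseline does not track (the password).
    """
    findings = []
    for key, expected in baseline.items():
        if key not in snapshot:
            findings.append(Finding(site, "medium", key, "not set on device"))
        elif snapshot[key] != expected:
            sev = "high" if key in HIGH_RISK_FIELDS else "medium"
            findings.append(Finding(site, sev, key,
                                    f"expected {expected!r}, found {snapshot[key]!r}"))
    # The baseline must never store the password, so default-credential
    # detection runs on the snapshot alone (assumed here to be a cleartext
    # config export; probing a login with each default pair is the alternative).
    if (snapshot.get("admin_user"), snapshot.get("admin_password")) in FACTORY_CREDENTIALS:
        findings.append(Finding(site, "high", "admin_password",
                                "factory default credentials still active"))
    if snapshot.get("snmp_community") in FACTORY_SNMP_COMMUNITIES:
        findings.append(Finding(site, "high", "snmp_community",
                                "factory default SNMP community string"))
    return findings


def check_fleet(snapshots: dict[str, dict]) -> dict[str, list[Finding]]:
    """Run check_site over every site; return only the sites with findings."""
    report = {site: check_site(site, snap) for site, snap in snapshots.items()}
    return {site: f for site, f in report.items() if f}


def sites_with_high_findings(report: dict[str, list[Finding]]) -> list[str]:
    """Sites that need immediate action, sorted for stable output."""
    return sorted(s for s, fs in report.items() if any(f.severity == "high" for f in fs))


# Constructed snapshots: SITE-A was commissioned correctly, SITE-B was
# missed by the manual hardening step (the scenario in the post),
# SITE-C only has benign drift from a local NTP change.
SNAPSHOTS = {
    "SITE-A": {**BASELINE, "admin_password": "n0t-a-d3fault"},
    "SITE-B": {"firmware": "2.3.0", "admin_user": "admin", "admin_password": "admin",
               "telnet_enabled": True, "ssh_enabled": True,
               "snmp_community": "public", "ntp_server": "10.10.0.5"},
    "SITE-C": {**BASELINE, "admin_password": "n0t-a-d3fault", "ntp_server": "10.10.1.5"},
}

if __name__ == "__main__":
    for site, findings in check_fleet(SNAPSHOTS).items():
        for f in findings:
            print(f"{site} [{f.severity}] {f.field}: {f.detail}")
```

The baseline deliberately omits the password, so the default-credential check works on what the device itself reports; a baseline diff alone would rate a device as compliant even if it still accepted the vendor's default login. Where config exports are unavailable, the same check can be driven by attempting a login with each default pair against the management interface and recording the outcome in the snapshot.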
This transformation implies keeping a sharp eye, from the start, on the technological choices that support the OT network, to avoid feature bottlenecks and over-dependence on solutions that don't scale. Easier said than done, this requires careful vendor evaluation, architecture planning, and a commitment to choosing flexible, interoperable solutions that can grow with the organization's needs.
What starts as a technical issue ultimately highlights:
- How technological choices about underlying infrastructure can significantly impact our security framework.
- How the human factor remains the #1 vulnerability even in OT environments.
Is that so surprising, after all?