Managing the Security Issues & Risks of Industrial IoT
To many people, the Internet of Things (IoT) seems like a new concept. They run around with the idea that IoT is a recent collection of Wi-Fi-enabled, Internet-accessible gadgets, from coffee makers, soda machines and refrigerators to Google Glass and FitBits®. Though these are fun toys with some usefulness, most deliver limited utility. These devices are placed on the Internet for convenience, creating a significant public nuisance at a minimum and, in some cases, a real infringement on privacy; in the extreme, they are used to create broad Internet attacks. Some examples of this threat include incidents like the recent series of attacks generated from the Mirai botnet, which is composed primarily of Internet-connected home security cameras [1], and the recent WikiLeaks article on how the Central Intelligence Agency (CIA) is able to use smart televisions as in-home listening devices [2].
The Mirai botnet drove one of the largest Distributed Denial of Service (DDoS) attacks to date, making significant parts of the Internet unavailable for hours. Cameras are not only an issue because they are available to the highest bidder as a DDoS tool [3]; cameras and smart TVs are also being used to invade personal privacy. A recent article outlined that a security-conscious website called insecam had posted the feeds of nearly 73,000 unsecured webcams to demonstrate the privacy issues surrounding lax use of cameras [4].
IIoT, Critical Infrastructure and Exponential Risk
Though the issues here are significant, they do not compare to the impact on human life that can be incurred with Industrial IoT (IIoT) devices. These devices have been around for decades, working behind the scenes in the form of industrial control technology. They maintain the day-to-day operations of machines across numerous industry verticals. They include safety controllers, boilers, power relays, Industrial Control Systems (ICS)/Supervisory Control and Data Acquisition (SCADA) systems in power plants and nuclear power plants, and management and monitoring tools in systems such as air quality management and pumps in water treatment facilities.
Some concerning examples of compromises on these systems include:
- Worldwide between 2011 and 2016, multiple water supply plants were hacked and sabotaged, tainting or stopping the water supply to tens of thousands of homes [5].
- Between 2013 and 2014, hackers successfully infiltrated the US power grid 17 times [6]. In 2015, state-sponsored attackers took down the power grid in Ukraine [7].
- Between 2009 and 2015, multiple nuclear plants in countries including Iraq, North Korea, and Germany (to name a few) were attacked [8], and at least one attack was confirmed as successful [9].
Each of these situations should raise considerable concern. Loss of water or power at critical times of the year means serious public health and safety concerns. In the case of a nuclear plant, the stakes increase exponentially. So the big question is, “What can we do?”
It is crucial for administrators to have visibility into the control systems, including what is in the environment and which devices are trying to communicate with them. Successful IIoT visibility and protection strategies will include examining IIoT cybersecurity solutions that provide agentless options while supporting segmentation and isolation on the internal networks. Visibility will also bring to IIoT processes and technology the scalability required in machine-to-machine environments.
[1] Hacked Cameras Power Massive DDoS Attack
[2] CIA Hacks Samsung Smart TV
[3] World’s biggest Mirai botnet is being rented out
[4] Creepy Website streams 73,000 unsecured cameras
[5] Water Utilities Hacked
[6] Energy Grid Hacks
[7] Why the Ukraine power grid attacks should raise alarm
[8] Nuclear power plants vulnerable to hacking attack in ‘nightmare scenario’, UN warns
[9] Security News This Week: Hackers Hit a Nuclear Plant
The article was written by David Monahan, Research Director, Security and Risk Management at Enterprise Management Associates (EMA), and was first published on the ForeScout blog. Prior to becoming an analyst, David was an information security executive for over 20 years.