The opportunities available through the Internet of Things are well known – remote control of a variety of devices, enhanced data insights and increased comfort and convenience for consumers.
Yet, a concern which is increasingly raising its head is that of IoT security. It’s very much top of mind following the vast attack on US and European internet structures in October this year, which saw DVD players and webcams along with other unsecured internet-connected digital devices, such as home routers and surveillance cameras, being used to form a botnet.
Security risks and implications for IoT devices can take many forms including hacking sensors and/or abusing devices in general and actuators in particular.
Hack the sensor
The first type of risk entails a sensor being hacked and fooled into behaving in a certain way.
At a Black Hat security conference in 2013, demonstrations showed how sensors could be fooled into spraying the audience with water when a replica water plant component was forced to over pressurise. Another showed how wireless sensors commonly used to monitor temperatures and pressure in pipelines and other industrial equipment could give false readings, tricking automatic controllers or even human operators into taking damaging action. A third showed how flaws in the wireless technology used in 50 million energy meters across Europe made it possible to spy on energy use and even cause blackouts.
More recently, it was demonstrated (albeit sporadically) that hackers could fool Tesla’s autopilot system. By using off- the shelf radio sound and light emitting tools, researchers were able to deceive Tesla’s autopilot sensors, causing the car’s computers to ‘see’ an object where there was none, or even worse, miss a real object in the Tesla’s path.
The second challenge is potentially one of the scariest: abusing actuators and other “things.”
If we go back to the example of self-driving cars, where multiple parts are controlled by the car’s central computer, some of the risks include:
- Tampering with the speedometer, giving incorrect speed readings; thus the car will not be able to correctly determine the speed.
- The anti-skid functionality on the brakes can be de-activated, making the vehicle unable to manage challenging driving conditions.
- The engine can be hacked to increase acceleration, causing a potentially fatal accident.
While these are extreme cases with the objective being to cause harm, milder interventions could cause false alerts or cause machinery to operate outside of normal operating parameters, putting it and the people in the vicinity in danger.
The Department of Homeland Security recently published Strategic principles for securing the Internet of Things, which sets out key considerations for IoT security.
Of specific interest to utilities are the following best practice guidelines:
Incorporate IoT cybersecurity at the design phase
Enable security by default through unique, hard to crack default user names and passwords.
- Because user names and passwords are often not changed by the user and are easily cracked, strong security controls should be something the industrial consumer has to deliberately disable, rather than deliberately enable.
- Build the device using the most recent operating system. Use the most up-to-date operating systems as a way of ensuring system vulnerabilities will have been mitigated.
- Design with system and operational disruption in mind. Knowing what consequences could flow from a failure will enable device developers, manufacturers, and service providers to make more informed risk-based security decisions.
Build on recognised security practices
- Start with basic software security and IoT cybersecurity practices. Take note of sector-specific guidance where it exists.
- Practice defence in depth. Employ security that includes layered defences against cybersecurity threats, including user-level tools as potential entry points for malicious actors. This is especially necessary if patching or regular updating of software is not available or insufficient to address a specific vulnerability.
Participate in information sharing platforms to report vulnerabilities and receive critical information about current cyber threats and vulnerabilities. Information sharing is a critical tool in ensuring stakeholders are aware of threats as they arise.
Prioritise security measures according to potential impact
- Know a device’s intended use and environment, where possible. This awareness helps developers and manufacturers consider the technical characteristics of the IoT device, how the device may operate, and the security measures that may be necessary.
- Perform a “red-teaming” or penetration exercise, where developers or external contractors actively try to bypass the security measures at the application, network, data, or physical layers. This is vital in mitigation planning and will determine priorities on where and how to incorporate additional security measures.
- Identify and authenticate the devices connected to the network. This is especially important for industrial consumers and business networks. In a survey commissioned by ForeScout, 85% of respondents said they are not confident that they know all the devices on their network.
According to ForeScout’s Jan Hof, “This lack of visibility is probably the most concerning finding of the survey. Companies need to know what is connected to their network, as you cannot protect what you can’t see.”
This strategy is particularly useful as a baseline to identify any changes “as additional devices are knowingly or unknowingly added or removed.”
Connect carefully and deliberately
- Make intentional connections. There are instances when it is in a utility’s interest not to connect directly to the Internet, but instead to a local network that can aggregate and evaluate critical information. See recommendations about the protection of industrial control systems at https:// ics-cert.us-cert.gov/recommended_practices.
- Build in controls to allow manufacturers, service providers, and consumers to disable network connections or specific ports when needed or desired to enable selective connectivity. Depending on the purpose of the IoT device, providing the consumers with guidance and control over the end implementation can be a sound practice. MI
Image credit: www.ieee.org