The opportunities available through the Internet of Things are well known – remote control of a variety of devices, enhanced data insights and increased comfort and convenience for consumers.
Yet, a concern which is increasingly raising its head is that of IoT security. It’s very much top of mind following the vast attack on US and European internet structures in October this year, which saw DVD players and webcams along with other unsecured internet-connected digital devices, such as home routers and surveillance cameras, being used to form a botnet.
Security risks and implications for IoT devices can take many forms including hacking sensors and/or abusing devices in general and actuators in particular.
The first type of risk entails a sensor being hacked and fooled into behaving in a certain way.
At a Black Hat security conference in 2013, demonstrations showed how sensors could be fooled into spraying the audience with water when a replica water plant component was forced to over pressurise. Another showed how wireless sensors commonly used to monitor temperatures and pressure in pipelines and other industrial equipment could give false readings, tricking automatic controllers or even human operators into taking damaging action. A third showed how flaws in the wireless technology used in 50 million energy meters across Europe made it possible to spy on energy use and even cause blackouts.
More recently, it was demonstrated (albeit sporadically) that hackers could fool Tesla’s autopilot system. By using off- the shelf radio sound and light emitting tools, researchers were able to deceive Tesla’s autopilot sensors, causing the car’s computers to ‘see’ an object where there was none, or even worse, miss a real object in the Tesla’s path.
The second challenge is potentially one of the scariest: abusing actuators and other “things.”
If we go back to the example of self-driving cars, where multiple parts are controlled by the car’s central computer, some of the risks include:
While these are extreme cases with the objective being to cause harm, milder interventions could cause false alerts or cause machinery to operate outside of normal operating parameters, putting it and the people in the vicinity in danger.
The Department of Homeland Security recently published Strategic principles for securing the Internet of Things, which sets out key considerations for IoT security.
Of specific interest to utilities are the following best practice guidelines:
Enable security by default through unique, hard to crack default user names and passwords.
Participate in information sharing platforms to report vulnerabilities and receive critical information about current cyber threats and vulnerabilities. Information sharing is a critical tool in ensuring stakeholders are aware of threats as they arise.
According to ForeScout’s Jan Hof, “This lack of visibility is probably the most concerning finding of the survey. Companies need to know what is connected to their network, as you cannot protect what you can’t see.”
This strategy is particularly useful as a baseline to identify any changes “as additional devices are knowingly or unknowingly added or removed.”
Image credit: www.ieee.org