February 16, 2018

Cyber security in IoT - only one prick can pop the balloon

Without trust and security the Internet of Things will cease to exist.

From rough cave paintings to careful and detailed penmanship, right through the first printed text and ending with pixels on a screen - intangible, distant. The way we communicate and exchange data has greatly improved and deviated from the traditional way in a very limited amount of time and what awaits us in the future might just blow our minds. The crevices of the human brain are filled with ideas and the evolution of interpersonal relationships has come a long way. But even with all the changes throughout the centuries, one thing has remained sacred - trust. We simply don’t like it when people talk behind our backs.

And now this is no longer limited only to people. Now with the Internet of Things, things are now also starting to whisper. They might not be uttering intentionally malicious words, but the unmonitored, unprotected network can let a lot of vital information seep to the big wide world, fresh for the taking. And the predators have an acute sense of smell.

In order to protect their reputation as a provider of secure devices and service IoT companies need to take actions now to hide their solutions from cyberattacks, and safeguard customer and industrial process data

Without trust and security the Internet of Things will cease to exist. In order to protect their reputation as providers of secure devices and services, IoT companies need to take action now to shield their solutions from cyberattacks and safeguard customer data. Undocumented hardcoded passwords, bad UX on firmware updates, very old services, command injections, with weak or no encryption - and these are not the worst issues. The device-cloud-app sync is extremely vulnerable. There is port forwarding, poor input validation which enables command injection among other things. Most IoT security experts seem to focus on proximity attacks, although mass botnet attacks such as Mirai are what present the real threat.

The market has indeed recognized the security threats surrounding IoT development. GSMA IoT Security Guidelines & Assessment promote best practices for the secure design, development and deployment of IoT services, building on the extensive expertise of the mobile industry. The aim is to provide a mechanism and a set of design guidelines to the implementer of an IoT technology or service. For them to evaluate security measures to help create a secure IoT market with trusted and reliable services that can scale as the market grows. The US Department of Commerce (DoC) and Department of Homeland Security are through an extensive 38-page report titled ‘Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats’, trying to obtain support from the American government to fund a public awareness campaign on IoT security, as well as extend engineering degrees with compulsory cybersecurity classes.

“IoT devices now offer the most attractive target to malicious actors and are an increasingly large percentage of the devices in the ecosystem. These systems are often sorely lacking adequate security focused features”, the report states. The reality is that consumers are not directly affected by compromises of their devices. In fact, the consumer may never even know that the device is part of a botnet. From the consumer’s perspective, the webcam will still be streaming, or the refrigerator will still be chilling. For this reason, it is impractical to hold the owners responsible if their devices are used in a botnet. This lack of clear consequences of infection creates a challenge in motivating consumers to take steps to improve security, for example, to update those devices that could be updated. Remote exploits and mass hacks require more attention as that’s what the criminals are after. Educating users is crucial. Stimulating vendors to take vulnerabilities seriously and to apply appropriate incident responses and update mechanisms would drastically decrease the number of future attacks.

Industrial IoT and consumer IoT, in merge and collision

Consumer and industrial IoT are not separate. They will ultimately merge and collide, exposing their weak spots to those who wish to harm or to steal. Hackers have already sought and will continue to seek entrance through things like vending machines and fish tanks - human creativity is as endless as the universe. The real differences between consumer IoT and industrial IoT become apparent when it comes to security challenges. In order to maintain the usual flow of interoperability, scheduling, analysis and system integration, industrial operations require a much higher level of stability to execute and co-exist with a significant amount of legacy operations technology. Industrial networks are enormous and support thousands of sensors, devices and applications, including the non IoT machinery, meaning there can’t be any mistakes. High precision and accuracy are a must. The high speed automated manufacturing acts like a body of its own and it’s strictly synchronized, with the smallest variations setting off an immediate corrective response from an integrated solution. If the synchronization is broken, it will cost time and money, dragging down the overall efficiency and tugging on the edges of revenues. Precision is crucial and every second matters.

Scenarios laden with confusion and technical issues are supposed to be rare, but they are not nonexistent. Due to the continuing growth of IoT, industrial IoT security systems must be easily reprogrammable to include new features and information, and also remain sturdy, unyielding against foreign invasions. Easier said than done for devices that are supposed to work seamlessly for at least a decade in all kinds of environments. They must be able to withstand intensive high duty cycles, operate reliably and never shut down, unless it’s for maintenance. Backup systems exist to moderate damage of the eventual death of an IoT operated machine, but it will result in losses, one way or another.

New smart IoT solutions can truly revolutionise businesses allowing new products and solutions to access new commercial and industrial market segments. Complex industrial processes are brought online for remote monitoring and process management accessible from wherever but optimally not by whoever

Industrial IoT security is less accessible to the general public and is typically handled by experts and people who work in such operations. Investments in the industrial side of IoT will reach $600 billion within the next two years, with commercial IoT barely surpassing $200 billion. The possibilities are endless and IoT can truly revolutionize businesses in the big scale of things. Technologies such as eSIM is stepping in industrial and commercial IoT, offering easy equipment connectivity and enabling opportunities for new products to access new market segments. Mobile eSIM in IoT makes it possible to duplicate concepts internationally with same technology and with ever easy globally scalable local connectivity. New intelligent solutions are removing geographical boundaries of connectivity and process management. Complex industrial processes are brought online for remote monitoring accessible from wherever. The demand for securing these delicate networks and processes from the hungry predators is growing along the hype.

“The most significant cyber events in 2017 related to ICS networks came in the form of collateral damage”, says Galina Antonova, co-founder and Chief Business Development Officer at Claroty for SecurityWeek. “We warned in April of ‘17 that ransomware was coming for the shop-floor. In May and June, we saw those warnings turn into reality. Fortunately, neither of these ransomware campaigns were specifically targeted at ICS networks. Unfortunately, that didn’t matter. The fact that both of these campaigns were able to reach ICS networks proves a point we’ve been making for quite some time - IT and ICS networks are not widely segregated and air-gapped as many believe - and bridging from IT to ICS is, in many cases but not all, a relatively pedestrian exercise”, she elaborates.

How long will it take until an attack specifically designed for industrial control systems will take place?

Lesson learned: undertake extensive research before obtaining security services, do not assume that your network will slip under the radar - you won’t even know when they become pawns for another global botnet attack or a paralyzing ransomware. Identifying the perfect vendor is difficult, but incredibly valuable. Sometimes, what has been hacked, cannot be fixed and you would not want to start from zero. Secure not only yourself, but also the people who surround you - only one prick is needed to pop a balloon.