Breach, IOT

Infrastructure breaches show the importance of locking down IoT systems

SC StaffFebruary 24, 2021
Some four years ago hackers entered an unnamed casino’s data network by exploiting IoT devices in a lobby fish tank. Today’s columnist, Ian Ferguson of Lynx Software Technologies, offers advice on how to lock down IoT systems. mrkathika CreativeCommons Credit: CC BY-SA 2.0
  • Consider security a priority. If there’s a network connection, a company has to plan for a time when someone accesses it to do cause harm, steal data or extort the company. Prioritize safety and security over time-to-deployment. It’s better to hire some additional workers to read and control machinery than running a connected system that’s prone to attack.
  • Just because devices can connect, doesn't mean they should. Weigh the benefits of having a device connected versus any potential risks incurred if and when the network gets breached. What’s the risk of connecting an IoT device like a fish tank to a network and not changing default passwords? Plenty.
  • Bring the experts in. If the enterprise is a hospital, focus on keeping people alive and removing pain and suffering. Bring in people who just focus on IT security.
  • Hold top management accountable. Companies must get fined for the installation of substandard rollouts. Just like CFOs were held accountable once the Sarbanes-Oxley regulations came into place, imposing financial penalties for CEOs of companies who deploy and maintain IoT networks, particularly those that are associated with critical infrastructure will change behaviors
  • Keep everything locked down. “Lock all the doors, not just the front one,” Microsoft announced during its Azure Sphere initiative a few years ago, an analogy that has stuck with me. When we leave our homes, we lock the front door. In the world of IoT, we need to lock every door -- inside the house as well as those that connect outside. From a network perspective, if there’s a breach, the entrant only gains access to a subset of the valuable assets. Software and hardware have to partition systems to isolate functions.
  • Systems have to realize immediately when they have been compromised. In the case of the water treatment plant, the worker noticed that a system’s mouse had been taken over. The system needs to recognize when something unusual occurs and send a real-time alert. It’s one way AI can play a role in industrial IoT applications: recognizing out-of-the-norm behavior for that system, and alerting a user to then decide the correct course of action. Options would include to disconnect the system from the network, block a specific IP address, and disable certain system functions.
  • Plan on being hacked. There are no 100 percent foolproof systems. IoT systems need to continue to raise the bar over time in terms of the level of immunity from attack, but equally, the system must quickly recover to a known, safe state in the event it becomes compromised.
  • Look for solutions that’s a hardware-software partnership. The hardware OEMs cannot blame the software suppliers and vice versa. The more the software harnesses unable-to-modify, authenticated information in chips and platforms, the harder the task for the external hacker.