
Infrastructure breaches show the importance of locking down IoT systems

A few years ago hackers entered an unnamed casino’s data network by exploiting IoT devices in a lobby fish tank. Today’s columnist, Ian Ferguson of Lynx Software Technologies, offers advice on how to lock down IoT systems.

The term “the internet of things” was coined by Kevin Ashton in 1999. Some people may argue that the benefits of connecting systems started a long time prior to the late 1990s. The promise of remotely managing systems and gaining quicker real-time insight into – and potentially adjusting the functionality of – equipment has been the subject of many investor pitches.

Of course, hackers can more easily access connected systems and cause mischief, destruction and extortion. As a James Bond fan, I can imagine a remake of the movie Thunderball that involves SPECTRE taking over important data networks as opposed to stealing nuclear bombs. The result could wind up significantly messier in terms of financial impact.

Nearly four years ago, it was reported that a casino’s records had been compromised by a hacker accessing the network via a connected fish tank. This was very impactful as the tank case -- plus the Mirai attack in late 2016 -- showed an attack wasn’t necessarily about messing up the breached device, but rather about what it could lead to in terms of finding troves of valuable network data or maliciously changing the behavior of the device.

The infiltration earlier this month of a water treatment plant in Florida has been the latest example. According to news reports, a plant operator noticed that someone outside the building had briefly accessed the system, which he didn’t find unusual, as his supervisor regularly accessed the system remotely. Later, it was noticed that a remote actor had taken control of the system and directed the software to increase the amount of sodium hydroxide (lye) by about 100 times normal levels. Fortunately, it was noticed, and much has been made of the plant’s safety protocols working. But we have to acknowledge that many times systems are compromised and no one notices, at least right away.

Here's my list of what needs to happen:

  • Consider security a priority. If there’s a network connection, a company has to plan for a time when someone accesses it to cause harm, steal data or extort the company. Prioritize safety and security over time-to-deployment. It’s better to hire some additional workers to read and control machinery than to run a connected system that’s prone to attack.
  • Just because devices can connect, doesn't mean they should. Weigh the benefits of having a device connected versus any potential risks incurred if and when the network gets breached. What’s the risk of connecting an IoT device like a fish tank to a network and not changing default passwords? Plenty.
  • Bring the experts in. If the enterprise is a hospital, focus on keeping people alive and removing pain and suffering. Bring in people who just focus on IT security.
  • Hold top management accountable. Companies must get fined for the installation of substandard rollouts. Just as CFOs were held accountable once the Sarbanes-Oxley regulations came into place, imposing financial penalties on CEOs of companies that deploy and maintain IoT networks, particularly those associated with critical infrastructure, will change behaviors.
  • Keep everything locked down. “Lock all the doors, not just the front one,” Microsoft announced during its Azure Sphere initiative a few years ago, an analogy that has stuck with me. When we leave our homes, we lock the front door. In the world of IoT, we need to lock every door -- inside the house as well as those that connect outside. From a network perspective, if there’s a breach, the entrant only gains access to a subset of the valuable assets. Software and hardware have to partition systems to isolate functions.
  • Systems have to realize immediately when they have been compromised. In the case of the water treatment plant, the worker noticed that a system’s mouse had been taken over. The system needs to recognize when something unusual occurs and send a real-time alert. It’s one way AI can play a role in industrial IoT applications: recognizing out-of-the-norm behavior for that system, and alerting a user to then decide the correct course of action. Options would include disconnecting the system from the network, blocking a specific IP address, and disabling certain system functions.
  • Plan on being hacked. There are no 100 percent foolproof systems. IoT systems need to continue to raise the bar over time in terms of the level of immunity from attack, but equally, the system must quickly recover to a known, safe state in the event it becomes compromised.
  • Look for solutions that are a hardware-software partnership. The hardware OEMs cannot blame the software suppliers and vice versa. The more the software harnesses unable-to-modify, authenticated information in chips and platforms, the harder the task for the external hacker.
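
As an added illustration of the "realize immediately" and "recover to a known, safe state" points above (this is not code from the column or from any vendor it names): a minimal setpoint guard that compares each requested value with the recent baseline, rejects an out-of-norm write, holds the safe value, and raises an alert listing the response options for an operator. The class name, the 2x threshold, and the sample commands are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from statistics import median

# Response options the column lists; the operator chooses after the alert.
RESPONSES = ("disconnect from network", "block source IP", "disable function")

@dataclass
class SetpointGuard:
    """Hypothetical helper: gate setpoint writes against recent behaviour."""
    safe_value: float          # known safe state to fall back to
    max_ratio: float = 2.0     # assumed policy threshold, not from the article
    window: int = 20           # accepted values kept as the baseline
    history: list = field(default_factory=list)
    alerts: list = field(default_factory=list)

    def baseline(self) -> float:
        return median(self.history) if self.history else self.safe_value

    def submit(self, value: float, source: str) -> float:
        """Return the value actually applied to the process."""
        base = self.baseline()
        ratio = value / base if base > 0 else float("inf")
        # Reject jumps in either direction beyond the allowed ratio.
        if not (1 / self.max_ratio <= ratio <= self.max_ratio):
            self.alerts.append({"source": source, "requested": value,
                                "baseline": base, "ratio": round(ratio, 1),
                                "options": RESPONSES})
            return self.safe_value   # hold the known safe state
        self.history = (self.history + [value])[-self.window:]
        return value

# Constructed sample: (requested dosing setpoint in ppm, session source).
COMMANDS = [(100.0, "local-hmi"), (102.0, "local-hmi"),
            (98.0, "remote-desktop"), (10000.0, "remote-desktop"),
            (101.0, "local-hmi")]

def replay(commands, safe_value=100.0):
    """Feed commands through a fresh guard; return applied values and alerts."""
    guard = SetpointGuard(safe_value=safe_value)
    applied = [guard.submit(v, s) for v, s in commands]
    return applied, guard.alerts

if __name__ == "__main__":
    applied, alerts = replay(COMMANDS)
    print("applied:", applied)
    for alert in alerts:
        print("ALERT:", alert)
```

The routine remote change to 98 passes while the 100-fold jump from the same session is refused, which shows why the check keys on the value's deviation from baseline rather than on whether the session is remote.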

As more and more devices - including critical infrastructure - are connected to networks, cybersecurity must be as important as a facility’s physical security. While some of these proposed measures might seem excessive, that casino probably never imagined that the biggest leak out of the fish tank was data, not water.

Ian Ferguson, vice president of sales and marketing, Lynx Software Technologies
