The Internet of Things – Is This the Back Door You Forgot to Lock?

internet-securityThe Internet of Things (IoT) is exciting. Appliances, machines and objects with electronics embedded in their DNA meaning that fridges can keep themselves stocked, production lines can be managed remotely and hostile dangerous environments can be safely monitored and controlled from a far. It’s a game changer.

It is also game changing in the way that your organisation has to think about IT security.

Ponemon Institute/Unisys surveyed 599 IT security executives from utility, oil and gas, alternative energy and manufacturing organisations in 13 countries, only 17% thought that their organisation had a “mature” level of cyber security. This is a worryingly low percentage, given that these are vulnerable sectors – 7 in 10 reported at least one security breach leading to loss of confidential information in the past year. Ask most IT security experts and they’ll probably tell you they expect to suffer a hacking attempt in the next two years.

Prior to IoT, the BYOD (Bring Your Own Device) revolution was probably the event that shook up internet security the most since those brothers in Lahore launched their BRAIN virus in 1986. With staff bringing in their own tablets and smartphones and connecting them to your network, IT security had to step up a gear. Your staff were using the device with which they access social media and whatever else they get up to online at home to access your company data. This was a potential minefield and most organisations reacted accordingly.

Before this it would have seemed inconceivable to allow your people to access the net from their desktop PC without appropriate protection, it followed naturally that when they brought in their own device it should be subject to the same robust protection. Somehow though, the “things” got overlooked.

Perhaps the Internet Of Things is a year or two ahead of its time, maybe you don’t think of things – your fridge, your oil-field equipment or your traffic lights – as vulnerable to attack. Whatever the reason across the planet right now key objects, systems and networks some of huge importance are accessing the net without adequate protection.

And for the hackers finding them is easier than ever.

In the last two years CNN Money, Forbes and CSO Online have all run editorial content on the web about search engine SHODAN which allows users to locate systems from traffic lights to security cameras, home heating systems to water park control systems, petrol stations, power grids and even nuclear power plants.

The only software many need to access them is a web browser and a worryingly large number of them are ranked as very vulnerable to attack – we’re talking usernames like “admin” and passwords like “password” or “1234” – makes you think twice about racing towards a green light next time you’re out for a drive doesn’t it?

Of course the main users of SHODAN are legitimate cybersecurity professionals, researchers and law enforcement officials but cybercriminals can also access the site and when you add those who do to the numbers of hackers who are using botnets to compromise systems without detection you start to get a picture for what the Internet of Things is up against.

In December 2014, The German Office for Information Security (BSI) reported a blast furnace at a German steel mill suffered “massive damage” after a cyber attack targeted the plant’s network. Attackers used spear-phishing emails – a campaign aimed at specific individuals in the company to trick them into opening messages – to steal logins giving them access to the mill’s control systems and once inside the system they were able to prevent a blast furnace shutting down as normal.

The most widely known example of an attack of this nature involved the Stuxnet worm, it damaged centrifuges being used by Iran in its programme for nuclear enrichment.

Steel mills, nuclear power plants. Online and hackable. Sobering!

Of course it makes sense that they’re computerised and remotely accessible, it allows you to streamline operations, maximise production and therefore profitability and you can process and analyse data in real time even automating response to problems. BUT in the same way that your physical nuclear power plant should have some kind of fence around it, your IoT connected networks have to be similarly protected against attack.

Insurers like Brit Insurance and Coalfire have started to offer policies that protect you from the consequences and business pain of a hack, but as always prevention is your best form of defence.

Your exposure may not be at the level of a nuclear power plant, but increasingly the trend is towards things in the physical dimension merging with the virtual and the benefits of IoT will be massive.

Now would be a good time to assess your protection and prepare your organisation, speak to your internet security provider today – before you end up on SHODAN.

No Comments

Leave a Comment

Show Buttons
Hide Buttons