The rise of the Internet of Things brings with it a corresponding, and rapidly growing, increase in the number of potential targets for cyber criminals. It isn’t just video cameras that may be exploited; the list includes medical devices and even smart houses themselves. More worrisome, steps now need to be taken to safeguard cars, industrial facilities and even power grids and utilities.
Much has already been made of an incident last summer in which two ethical hackers demonstrated that they could remotely take control of a moving Jeep Cherokee, using a laptop to exploit flaws in the vehicle’s Internet-connected infotainment system. The researchers were able to alter the moving vehicle’s speed and braking, manipulate the radio and windshield wipers, and finally disable the SUV. The incident led FCA to recall 1.4 million vehicles, including Jeep Cherokees, to patch the software, and prompted other automotive companies to scrutinize more closely the cyber security vulnerabilities in their cars.
“The situation is made worse because many engineers tasked with designing and building systems are not experts in network protocols and are even less versed in network security,” Cesare Garlati, chief security strategist at prpl Foundation, says in an article this week on iot (Internet of Things Institute). “They may know how to put together hardware components, but implementing TCP/IP protocols is a rarefied discipline which requires expert knowledge and extensive debug and testing. While it’s unfair to expect mechanical and electrical engineers to shoulder this burden, the lack of subject matter expertise is leaving systems wide open to attack, something which vendors, regulators and manufacturers must carefully consider as the evolution of connected cars continues.”
Industrial facilities and manufacturing plants are at risk as well. As the iot article notes, there is already a documented case of a German steel mill being hacked, which led to massive damage to the facility. The attackers used a combination of spear phishing and social engineering to gain access to the steel mill’s office network. From there they moved into the production network and took over industrial control components in the plant.
Finally, Ukraine has accused Russian hackers of shutting down almost a quarter of its power infrastructure, knocking out at least 30 of its 135 power substations. Cyber security experts have warned for years of the risk of hackers breaching the power grid and natural gas pipelines, so the attack lends real urgency to the threat.
“The attack on Ukraine’s power grid was a very frightening example,” says Garlati in the iot article. “At its core, it involved connected devices used in industrial control and automation: attackers wrote malicious firmware to replace the legitimate firmware on serial-to-Ethernet converters at more than a dozen substations—the converters are used to process commands sent from the SCADA network to the substation control systems. Taking out the converters prevented operators from sending remote commands to re-open breakers once a blackout occurred.”
Thomas Pore, director of IT and services at the security analytics company Plixer International, says in the iot article that there are a number of steps all organizations should take to increase their cyber security, beginning with ongoing training so that employees know how to identify phishing attacks and how to avoid becoming victims of social engineering. For starters, users need to be trained not to click on links in emails.
“When a phishing attempt is identified, an announcement should be made to employees as an example of how to identify such attempts. Authentication and privilege should be configured under the principle of least privilege as well as implementing software restriction policies to help prevent an actor from gaining access to critical resources, should a breach occur,” Pore says. “At this stage in the game, we need to operate our networks as though a breach will occur.”
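One concrete form of the software restriction policies Pore recommends is an application allowlist, so that a dropper delivered by a phishing email cannot run even if a user clicks it. The script below is an added example, not code from the article or from Plixer; it uses Windows AppLocker, the successor to the older Software Restriction Policies feature, and assumes an elevated PowerShell session on a Windows edition that supports AppLocker with the Application Identity service (AppIDSvc) running. The reference directories, the sample path C:\Users\Public\invoice.exe and the output file name are illustrative choices, not anything the article specifies.

```powershell
# Added example: build an AppLocker allowlist in audit mode from a clean reference host.
# Assumes an elevated session, an AppLocker-capable Windows edition and a running
# Application Identity service. Directories, sample path and output file are illustrative.
Import-Module AppLocker

# 1. Inventory the executables and scripts that legitimately live on the reference host.
$reference = foreach ($dir in 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)') {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script
}

# 2. Generate rules: publisher rules for signed files, hash rules for unsigned ones.
#    -Optimize collapses per-file rules into the smallest set of publisher rules.
$policy = New-AppLockerPolicy -FileInformation $reference `
    -RuleType Publisher, Hash -User Everyone -Optimize

# 3. Start in audit mode: blocked executions are logged to the AppLocker operational
#    event log instead of being denied, so missing software can be added before enforcing.
foreach ($collection in $policy.RuleCollections) {
    $collection.EnforcementMode = 'AuditOnly'
}

# 4. Dry-run the policy against a file outside the allowlist. A user-writable folder
#    such as C:\Users\Public is where a phishing dropper would typically land.
Test-AppLockerPolicy -PolicyObject $policy -Path 'C:\Users\Public\invoice.exe' -User Everyone |
    Format-List FilePath, PolicyDecision, MatchingRule

# 5. Save the XML for review or GPO import, then apply it locally, merging with existing rules.
$policy.ToXml() | Out-File 'C:\Temp\applocker-audit.xml' -Encoding UTF8
Set-AppLockerPolicy -PolicyObject $policy -Merge
```

Two caveats a practitioner will want: switch the collections to Enabled only after the audit log has been clean for a representative period, because an allowlist that omits a business application locks users out rather than attackers; and note that this policy covers only Exe and Script collections, so DLLs and installers are not constrained until rules for those collections are added. The allowlist complements, and does not replace, least-privilege accounts.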
What are your thoughts on cyber risk that comes with increased use of the Internet of Things? Does your company have an on-going training program to educate employees about phishing attacks and how to avoid social engineering?