IoT devices threaten the health of industrial control systems
What happens in cyberspace doesn’t always stay in cyberspace. Malware can infect an industrial control system in a power plant. Hospital employees can get locked out of patient records because someone mistakenly clicked on a link in a malicious email.
Let’s not forget how interconnected we are today. The Internet of Things (IoT) affects countless devices in our work and personal lives because nearly everything is network-capable. It’s not just our phones and computers at home and work; it’s also the industrial control systems powering our critical infrastructure.
Home automation systems such as Nest are among the first wave of IoT products hitting the consumer market. They make it possible for us to track and control our electricity consumption, run cameras to monitor what’s happening in our homes and offices, and even open our garage doors from a mobile app. They make things better, but they also make us vulnerable.
Hospitals are looking at diagnostic devices that hook into their networks to access patient records. Electric utilities rely on special sensors to control energy consumption, and manufacturing plants need ways to increase efficiency. Our cars are increasingly controlled by computers. Because these elements are all now connected to the Internet, our physical infrastructure is vulnerable to attack.
Sergey Lozhkin, a researcher at Kaspersky Lab, discovered just how vulnerable medical technology in hospitals is to attacks from the web. Lozhkin searched the web for Internet-connected medical equipment and came across a web application for a Siemens controller that let people log in to see data stored on various devices connected to the controller, and even configure them. Lozhkin was able to log in using the default passwords available in the Siemens manual. He also cracked the hospital’s poorly configured Wi-Fi network and accessed an MRI machine to view patient information. Even more concerning, he was able to modify the MRI machine’s configuration settings, a capability that even doctors shouldn’t have.
We’ve seen first-hand that there are ways to take down the power grid. The BlackEnergy malware attack against a Ukrainian power plant made its way onto critical systems through a spear phishing attack. Security researchers recently demonstrated how they could manipulate remote shut-off devices on home and office air conditioners to create a surge, which could potentially be used to create blackouts. The shut-off devices let utility companies remotely turn off air conditioners and conserve energy during peak periods. This way, utility companies can monitor usage and use the data collected to make sure they’re providing optimal service for customers.
Operators at regional power centers send a command via radio frequency to reach these devices to shut down air conditioners. However, the systems reviewed by Vasilios Hioureas of Kaspersky Lab and Thomas Kinsey of Exigent Systems neither encrypted the command being sent nor used any authentication controls to prevent unauthorized parties from piggy-backing on that signal. They found that anyone who can emit a stronger signal can also use the same frequency to manipulate the devices. It’s one thing to shut down air conditioners during a heatwave, a potentially fatal act, but it’s another to turn on air conditioners when the utility is already struggling to keep up with demand, which could result in a surge that creates a widespread blackout. It’s also possible to turn air conditioners on and off repeatedly, disrupting the grid enough to trip the breakers and create an even more widespread blackout.
According to Hioureas and Kinsey, performing this attack doesn’t require a lot of skill. The attacker only needs to be on the same radio frequency to sniff out which commands are being sent. Because the commands aren’t encrypted, they’re easy to discover, and they can be used on other devices to turn them on or off.
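The missing controls described above can be made concrete with a receiver that only acts on commands that are authenticated and fresh. The following is an added example, not code from the article or from the devices the researchers studied; the frame layout, key, device IDs and function names are all hypothetical. It covers authentication and replay rejection only, not confidentiality or jamming.

```python
import hashlib
import hmac
import struct

# Constructed demo key; a real deployment would provision a unique key per device.
DEVICE_KEY = b"constructed-demo-key-not-for-production"
TAG_LEN = 16  # truncated HMAC-SHA256 tag, in bytes
CMD_OFF, CMD_ON = 0, 1

def build_command(key, device_id, counter, action):
    """Operator side: frame = device_id(4) | counter(8) | action(1) | tag(16)."""
    body = struct.pack(">IQB", device_id, counter, action)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag

class Receiver:
    """Device side: act only on frames that are authentic, addressed to us, and fresh."""
    def __init__(self, key, device_id):
        self.key = key
        self.device_id = device_id
        self.last_counter = 0  # highest counter accepted so far

    def handle(self, frame):
        if len(frame) != 13 + TAG_LEN:
            return "reject: malformed"
        body, tag = frame[:13], frame[13:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return "reject: bad tag"
        device_id, counter, action = struct.unpack(">IQB", body)
        if device_id != self.device_id:
            return "reject: wrong device"
        if counter <= self.last_counter:             # a resent frame is stale
            return "reject: replay"
        if action not in (CMD_OFF, CMD_ON):
            return "reject: unknown action"
        self.last_counter = counter
        return "accept: on" if action == CMD_ON else "accept: off"

def demo():
    rx = Receiver(DEVICE_KEY, device_id=0x1001)
    legit = build_command(DEVICE_KEY, 0x1001, counter=1, action=CMD_OFF)
    results = [rx.handle(legit)]          # genuine operator command
    results.append(rx.handle(legit))      # identical frame received a second time
    altered = bytearray(build_command(DEVICE_KEY, 0x1001, 2, CMD_OFF))
    altered[12] = CMD_ON                  # action byte changed after signing
    results.append(rx.handle(bytes(altered)))
    results.append(rx.handle(build_command(DEVICE_KEY, 0x1002, 3, CMD_ON)))
    return results

if __name__ == "__main__":
    print(demo())
```

A stronger transmitter can still drown out the legitimate signal, so this design limits an attacker to denial of service rather than control of the load.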
There have been plenty of attacks against IoT devices. Remember the story of the new parents who overheard a hacker talking to their baby through a baby monitor? In another incident, researchers tapped into the video feed of a Las Vegas casino through the facility’s IP cameras.
As these devices become more ubiquitous, they provide attackers with full-time access to networks without having to first infect an employee laptop or company server. Compromise the camera or networking gear, install a persistent backdoor, and the attacker is on the network. That’s exactly what the Vectra Threat Labs team recently did with a $30 D-Link Wi-Fi webcam. The team cracked it open and installed a backdoor that let them into the network, enabling them to look for other systems to breach.
IoT devices pose a real threat to the networks they connect with, as they increase the attack surface significantly. It’s not hard to compromise these devices; researchers have shown time and again that few IoT devices have any kind of security controls to prevent unauthorized access. Barriers to hacking IoT devices are relatively low, and even the most basic device can be used as a persistent command-and-control channel.
Even if industrial control systems themselves aren’t connected to the outside world, the IoT devices on the same network are, and it’s usually possible to hop back and forth between them. Come in through the IoT device, jump onto industrial control systems, and it’s game over.
Whether we’re talking about electric grids, manufacturing plants, life-saving equipment at hospitals, or even the financial systems that drive our economy, we need to consider how we can balance the convenience of IoT devices with the vulnerabilities they create.