The advent of the Internet of Things (IoT) has brought with it unparalleled opportunity for businesses and facilities to monitor their assets and enact predictive maintenance that can extend an asset’s lifecycle. Although this technology brings new methods of caring for equipment that can lead to savings, it also may lead to increased exposure to cybersecurity challenges.
One of the most significant areas for attacks on businesses, hospitals, networks, utilities and other critical infrastructure is through IoT devices. These attacks range from denial-of-service attacks to ransomware and information theft to aggressive destruction of information and cyber-physical systems. The devices involved include security cameras, monitoring devices or control systems, to name just a few, that are either connected or considered “smart devices.”
In addition to privacy concerns and nuisance problems with valves or other connected devices, you may unwittingly become part of a more complex attack. Using malicious code, a hacker may use a number of IoT devices as part of a “botnet” to mask themselves and use the power of multiple systems to launch an attack. In effect, they weaponize your IoT devices.
At present there are no laws, impending legislation or other third-party requirements to include cybersecurity as part of an IoT device for private industry. In addition, few tradespeople, installers, vendors and original equipment manufacturer (OEM) salespeople are trained, or even aware, that once a device is connected it can be weaponized. As a result, a great many of the approximately 10-plus billion currently connected devices either have default passwords or are directly connected without security measures in place.
We often picture these hackers sitting at a computer directing software at an individual or business with the intent of making money or doing harm. However, Cisco Systems identified in its 2018 Cybersecurity report that, starting within the past few years, network-directed worms were seeking vulnerabilities, and that new types of code and software were being found that would use machine learning and augmented intelligence to find vulnerabilities.
More sophisticated means for intrusion are being used to dig through systems, including some of the very software developed by the National Security Agency (NSA), which was obtained and distributed amongst hackers. You no longer have to open a malicious email or website; the act of closing or deleting may launch the code, which is a new method that hackers are using to bypass security screening methodology.
However, there are ways and means to protect yourself as you install IoT systems that are relatively simple and straightforward. For instance, there are several guides and frameworks provided by the U.S. Department of Commerce’s National Telecommunications and Information Administration (NTIA) and National Institute of Standards and Technology (NIST), as well as the Department of Homeland Security (DHS), that can provide guidance in the selection, protection and, most importantly, awareness of cybersecurity and cyberphysical (IoT) devices.
As a member of the Society for Maintenance & Reliability Professionals (SMRP) Government Relations program, we have been directly involved in the development and dissemination of this information.
Awareness is a significant step. The result can be that employees and contractors understand that they should not bypass security policies, open certain kinds of e-mails or visit certain websites. One of the resources available to assist in developing awareness is the Stop. Think. Connect. campaign site. It provides information and educational resources related to cyber-awareness. This includes toolkits that are specific to types of industries, including the oil and gas and chemical industries, as well as personal protection and privacy. SMRP has been a partner since 2017.
How to Ensure Your IoT Devices are Secure
When selecting IoT devices, what steps do you take or questions do you ask in relation to security and software or firmware updates?
SMRP has been working with NTIA to develop Communicating IoT Device Security Update Capability to Improve Transparency for Consumers, which addresses concerns around software and firmware security updates. Several key elements of the framework related to manufacturer communication to consumers include:
- Describing whether the device can receive security updates.
- How the device receives security updates. Are updates performed automatically and what action must the user perform to ensure correct and timely updates?
- When does the lifecycle of security update support end?
- How is the user notified about security updates?
- What happens when security update support ends?
- How the manufacturer secures updates and ensures that the process is reasonably secure.
The U.S. Department of Commerce, through NTIA, provides many additional green papers that offer frameworks and guidelines for securing and implementing IoT devices. One of these is Fostering the Advancement of the Internet of Things, which reviews the economic and quality-of-life benefits of IoT devices and addresses the surrounding issues, including cybersecurity, device trustworthiness and recovery.
The bleeding edge of the war on cyber intrusion is NIST and the work under development in relation to infrastructure, smart grid, smart cities and cybersecurity. On April 16, 2018, the Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 was released. The framework relates to an overall strategy that is directly affected by IoT device application:
- Identify: Asset management, the business environment, governance, risk assessment and risk management strategy. One of the most significant parts of this section is the understanding that most companies do not know a fraction of their IoT assets and their position in the device life cycle.
- Protect: Access control, awareness and training, data security, information protection processes and procedures, maintenance and protective technologies.
- Detect: Methods of detection of anomalies and events, security continuous monitoring, and detection processes.
- Respond: Response planning, communications, analysis, mitigation and improvements.
- Recover: Recovery planning, improvements and communications. It was noted in virtually every meeting surrounding cybersecurity that it is not a question of if you will be impacted, but when. What are the recovery strategies that your organization has put in place?
While one of the most significant challenges we have had in the modern digital age is security, the benefits of applying connected monitoring devices and remotely operated devices have a very significant impact on business success and quick reaction times. Businesses need to avoid rushing forward to implement IoT device technology without planning because of hype and marketing. Doing so will result in vulnerabilities that put businesses at risk of aggressive weaponization of these devices. Only through careful strategy, tactics, implementation and awareness can businesses reduce exposure to attacks and fully realize the benefits of connected devices such as valves and their control systems.