IoT for critical infrastructure raises the security stakes

January 7, 2016

Posted by: George Malim

Tobias Zillner, Cognosec

By connecting everything to the internet, the Internet of Things (IoT) promises to revolutionise the way we live, writes Tobias Zillner, the snior IS Auditor at Cognosec. The temptation to bring the latest technological advances to critical infrastructure is understandable – indeed, the optimisation of infrastructure is perhaps where the IoT has the most revolutionary potential.

The implications go far beyond smart lightbulbs and other consumer devices we are currently seeing hitting the market, the distribution of national resources from travel to energy could become smart. However, while the potential benefits are great, the IoT brings with it a great security risk. It is vital that this risk is mitigated before it is applied to critical infrastructure.

Unfortunately, IoT devices are being built with convenience in mind, rather than security. With the energy and transport sectors increasingly looking to automate processes through IoT, the risk of a serious incident is extremely high.

The most obvious risk for critical infrastructure lies in the evolution from closed to open systems. Historically, Industry Control Systems (ICS) were designed to be reliant on network isolation to protect the system from all security threats. Since the publication of the details on Stuxnet, network isolation has proven to be a weak security concept and, nowadays, has to be supported with a variety of other security measures – yet, it does provide an initial buffer zone against cyber attacks.

By adopting the IoT, infrastructure moves isolated systems within a specific location – and the protection isolation provided – to open connected systems that communicate over the internet and form huge networks with machine-to-machine communication. The result is a massive growth of the attack surface and very serious increase in the potential effect an attack could have. By making systems interoperable, as is the current trend with the IoT, hacking one device could open up a Pandora’s box of security breaches. While having a smart lightbulb hacked doesn’t sound disastrous, each one of these devices is a potential door into a network. Therefore, every single device connected to critical infrastructure systems, no matter how seemingly inconsequential, will have to receive the same security attention as the most vulnerable point of the system.

As with the development of critical infrastructure of the 1970s, the greatest risk with the IoT is that a lack of decent security measures in the initial phase of the technology will result in the networked future being built upon a poor foundation. As the technology becomes more widely distributed, the vulnerabilities are sure to be exploited – a big enough issue for home networks, but considerably worse if smart city networks are broken.

Given the increasing complexity of our critical infrastructure and geo-political landscape today, cyber crime is a very real threat. Targeted espionage, intellectual property theft and DDOS attacks are the most common risks in this area. Already there have been examples – the NSA was accused of spying on a Brazilian oil company in 2013, or just think of STUXNET back in 2008. DDOS attacks carried out by criminal groups are a serious threat to availability in connected manufacturing, and crimes such as blackmail and holding organisations ransom under the threat of attack have unfortunately become a quite common scenario in the last few years.

So how can IoT be made a viable option for critical infrastructure? The first step in protecting something is always to be aware of the risks. To adopt IoT there is a requirement for new security methods to protect systems. No longer operating in closed environments, suppliers have to build security into the systems, proactively conduct security tests, and provide regular update mechanisms.

Unfortunately, there is no simple solution out there that solves all security problems and protects against all threats. It is not possible to be 100 percent secure. Therefore, with critical infrastructure we need to know for the worst case and conduct regular training exercises to prepare for this event. This will help reduce the impact of a successful attack and protect from unnecessary damage.

However, before the systems are developed, and people are educated about the risks, there needs to be a secure foundation to build up from. The fundamental standards, which IoT devices have to comply to, have to be secure so that no one device can be an entry point for the whole system. Currently, this is not the case – there are a number of IoT standards, but implementation and compliance to these standards is patchy, resulting in vulnerabilities that criminals can exploit. Even when standards are implemented and followed, this does not guarantee that the system is safe. These requirements should be seen as the base line of security – suppliers need to go above and beyond to truly minimise the risk to the entire network. Therefore, in the immediate future it is crucial for those implementing the IoT in critical infrastructure to carefully choose based on the implied business risk and the security requirements. While the benefits of the IoT are great, and should be explored, it is simply unwise for critical applications to follow the early adopter path.