NETWORK CONNECTED DEVICES
Without security the Internet of Things is doomed and could kill millions!
By Chris Cubbage Executive Editor
Australian Chief IT Security Magazine
Are we setting up the Internet of Things to fail, potentially with massive and catastrophic consequences? Cybersecurity researchers Charlie Miller and Chris Valasek caused the recall of 1.4 million vehicles after hijacking the Chrysler Jeep’s digital systems over the Internet. The pair remotely hacked into the car and paralysed it on a highway whilst in traffic. They were able to disable the brakes, cause unintended acceleration and turn the vehicle’s steering wheel at any speed. Other vulnerabilities have been discovered in Tesla vehicles and more are reportedly yet to come.

In late September 2016, pharmaceutical firm Johnson & Johnson wrote to diabetic patients using one of its insulin pumps, advising that it was at risk of being hacked. Jay Radcliffe, a researcher (and diabetic) with cybersecurity firm Rapid7, had discovered he could access the communications between the pump and its radio frequency (RF) remote, in theory allowing a hacker to administer unauthorised injections. This follows rising concern about connected medical devices, with Kaspersky Lab revealing in February that it had hacked into a hospital’s IT infrastructure and was able to access an MRI device.

These selective examples from the automotive and healthcare sectors highlight the biggest focus areas where Information Technology (IT) is coming together with Operational Technology (OT), and how security will remain the key to enabling or disabling the industrial tsunami unfolding in the form of the Internet of Things (IoT).

In the IT space, a majority of hacks are often abstract in their effect, such as lost or compromised data. But as the examples above show, the industrial assets found in the OT space will invariably suffer a physical impact were they to be hacked. Attacks against connected OT equipment have the potential to affect human safety, cause environmental damage and cause massive disruption in a way that we aren’t necessarily seeing on the IT side. OT security has a much different priority when you look at what we need to safeguard, as opposed to IT.

According to Tom Le from GE Digital WurldTech, speaking at Structure Security in San Francisco, we can look at the entire universe of connected devices in the form of a pyramid. At the top of the pyramid are the typical endpoint devices that we all use, such as laptops and smartphones, with the security on these devices being ‘pretty good’, as long as the operating systems are regularly patched. In the middle of the pyramid we have the devices we may only use occasionally, such as HVAC (heating, ventilation, air conditioning), smart lighting in the home, increasingly smart refrigerators and televisions, and connected cars. Then beneath these two layers, we have a wide array of devices that are everywhere but that we don’t even notice because we tend not to interact with them, such as CCTV cameras, transport system nodes, power generation stations and manufacturing equipment. Although we don’t see the devices at this lower level, they will impact us should they be successfully attacked or compromised.

The primary concern is that the devices at the top of the pyramid have good security but the other two areas have much less integrated security and, as of today, the integrated security design reduces as you move down the pyramid.

Air gapping between the operating system and the Internet has been touted as a workable solution but as Tom Le asserted, “this is potentially a myth and is certainly not the ‘holy-grail’ solution.” There have been reports that aviation Wi-Fi systems could be hacked via the entertainment Wi-Fi systems and the FBI has begun investigating these claims. Any industrial facility, be it a power plant, manufacturing
Published on Nov 2, 2016