
IoT Value of Things Conference

Recently, I had the privilege to present on IoT security, alongside Michael Curry of IBM, at the MassTLC “Value of Things” conference. You can see the slides here: http://www.slideshare.net/MassTLC/andy-thurai-iot-security.

One of the topics that I discussed, which resonated well with the crowd, was IoT (Internet of Things) devices doing both data collection and process control on the same device, and not only on the same device but, most of the time, on the same plane. This means that anyone who has access to the data collection mechanisms also gets to control the processes, which could be dangerous in the wrong hands.

Very often I see customers use the same device to both collect the data and control the systems. This is especially true in so-called “industrial automation,” such as manufacturing, power grids, and other “smart” systems. Though these systems were put in place long before the IoT, they are now being Internet enabled, which is a little scary. Security for these networks was not of prime importance because most of these controllers were on private, and most times completely isolated, networks. Putting these devices, and their associated isolated networks, on the Internet without beefing up the security is asking for disaster.

SCADA (Supervisory Control And Data Acquisition) systems and the larger ICS (Industrial Control Systems) all fall in this category. They were all built before the current IoT infestation (and I am one of those guys who started his career working on those systems waaay back when), so you can’t really blame the way they were built. For the time, the purpose, and the network they were built for, I think it was a solid design. But you need to be very careful when you put them on the Internet.

This could be a problem because if hackers get access to your network to steal data for monetization purposes, they can also control your network to cause chaos. Generally, hackers try to break into your system for one of two reasons: either they want to steal your data so they can monetize it (credit card data, finance data, etc.) or they want to disrupt your system to cause chaos (power grid interruption, supply chain failure, etc.). If, and in some cases it is just a matter of when, the bad guys break into your systems for one of those reasons, giving them the opportunity to do the other is the worst-case scenario and could lead to disastrous results.

To begin with, mixing and matching like this is a clear violation of separation of duties/responsibilities. This is not even counting data collection mixing with control signals. This matters because if one of them is compromised, the other will be too.

Granted, this is a more difficult problem to solve because the device footprints are generally tiny. You can’t have parallel devices doing multiple things. But before you put these things on the Internet, you will be better off doing a process and security architecture review of them. It might save you a lot of headaches.

You can follow me on my blog at www.thurai.net/blog or @andythurai to find out more.
