We now live in an age where the Internet of Things (IoT) is adding a new dynamic to the lives of enterprises worldwide. Smart, connected devices are delivering new experiences that a decade ago could not even have been imagined – such as in automotive, robotic manufacturing, medical equipment and industrial control systems – while at the same time lowering costs on a massive scale.
However, this growth in connected devices has also brought enormous security risks that threaten to undermine these gains.
Today’s attackers use security flaws to extract sensitive information from a system, and may even seize control of command & control (C&C) infrastructure to manipulate system behavior. Malicious software may be installed directly into the running memory of IoT systems in such a way that the malware disappears on re-boot, but does enormous damage between reboots.
Regardless of the initial infection vector, if not detected the first compromised device remains trusted – and then becomes the pathway for the rest of the network to be infected.
I spend a lot of time talking to organizations about how they can avoid their systems becoming compromised in this way and there are a number of fundamental questions they – and indeed any organization – need to be asking themselves:
- Are they using devices that will be directly accessible via a network or other digital means?
- Do their IoT devices have trusted identities and are their data transmissions encrypted? Can identities be updated over the air?
- Is the code running on each IoT device authorized for the device?
- Are these devices running operating systems with known vulnerabilities?
- Are these devices and their applications expected to perform a repeatable set of functions?
- Do they have a view of all devices in the network and how they are interacting with each other?
To get a measure of how insidious and damaging such attacks may be, let’s look at a couple of examples of how these threats are manifesting themselves in high-profile environments.
First, there is the government vision of every home having smart energy meters. There is nothing wrong with the concept itself. It will ensure that, with the next generation of gas and electricity meters, consumers have real-time information on their energy consumption to help them manage and control usage. For the energy companies, it will mean a huge reduction in expenses, as the need for monthly usage readings at each home is eradicated.
That’s the good news. However, can we ensure that the manufactured devices have not been tampered with? Could firmware upgrades introduce bad code? Equally importantly, how can the usage (kWh) information transmitted from the meter be properly protected?
The clear answer is to put into action a smart metering key infrastructure to solve such security challenges. By employing PKI (Public Key Infrastructure) within the meters themselves, organizations will ensure there is security right at the communication layer. This will then:
- Identify connected meters as being authentic
- Verify that meters are configured correctly
- Ensure meters haven’t been altered
- Validate the meters for network access.
Moreover, it creates bi-directional, secure communications between the meter and remote designated parties, such as energy suppliers, network operators and other authorized third parties.
Alternatively, let’s look at a situation where an industrial controller in a manufacturing plant becomes compromised – perhaps because someone has plugged in a suspect USB stick or via some remote mechanism. That controller might then send critical data back to a command and control server; or it could become a medium to launch attacks on other parts of the manufacturing plant, in order to shut it down. It’s a grim scenario, but it happens. The crucial thing is how to prevent this from occurring. An enterprise facing threats on this scale will need to:
- Secure the critical operating system resources in the controller
- Ensure the applications behave as expected
- See that all the memory regions in the device are protected.
In this way, many such attacks can be prevented.
The numerous opportunities that the IoT is now bringing are transforming how enterprises operate. Ultimately, it is for those enterprises to engage with their IoT teams to ensure they have the highest levels of security in place, in order to deliver the levels of protection that will keep them from falling prey to the many attackers now constantly probing for the slightest weakness in their defenses.