In 2000, the Maroochy Shire incident took place when a hacker remotely seized control of an Australian wastewater facility on a number of occasions and spilled 264,000 gallons of sewage into rivers. The facility’s system comprised of a SCADA that controlled the pumps and used a private two-way radio system to communicate between the pumping stations and the central control centre. The hacker, using just a laptop and radio, managed to falsify network addresses and issue erroneous commands to valve sensors. This was due to the fact that the system used an insecure remote access control protocol with no key authentication. This allowed the hacker to hijack the process control system and push parameters to unsafe levels.
Another example of how security vulnerabilities can escalate into physical disasters is the explosion of the Baku-Tbilisi-Ceyhan pipeline in 2008. According to the Wikipedia article on this accident,” A major explosion and fire in Refahiye closed the pipeline. There is circumstantial evidence that it was a sophisticated cyberattack on line control and safety system sensors that led to increased pressure and explosion.”
The WannaCry ransomware forced car manufacturers Renault, Nissan and Honda to shut down their production facilities as the malware disrupted the operations of IoT devices and gained unauthorized access to production systems and corporate systems. The attack made use of an exploit called EternalBlue, believed to have been be developed by the NSA to break through Microsoft’s Windows security.
My opinion is that we need to embrace the era of IoT as it is on the increase. Therefore, I believe that organizations will need to have mitigating strategies to counter the security threats. These strategies include:
Proactive awareness and understanding of the Risks – organizations need to proactively understand the risk profile of their system architecture in regards to connectivity of their industrial control systems and IT systems.
Pushing Secure Coding practices for IoT – Data access privileges to be given only on a need to know basis. Encryption to be used in the transportation of data between devices.
Cyber insurance – Reduce insurance premiums as an incentive for more secure IoT devices.
More Advanced R&D – Assess technologies such as blockchain to increase security as data can be transferred in a transparent and safe manner.
Government Regulation – Electronic devices that can injure or kill humans needs some form of government regulation and testing.
With the ubiquitous proliferation of IoT devices over the last few years, the potential for threats and damage to systems and devices has significantly increased. However if the above mentioned strategies are adhered to, cyber-attacks can be greatly curtailed. IoT is growing exponentially and we need to embrace its risks rather than abandon its usage.
Cutter Business Journal: Vol 30, No.7, 2017: Cyber Security Risks and challenges for the Industrial Internet of Things