June 29, 2014 Leave a comment
Recently, I had the privilege to present on IoT security, alongside Michael Curry of IBM, at the MassTLC “Value of Things” conference. You can see the slides here http://www.slideshare.net/MassTLC/andy-thurai-iot-security. I will post the video once it is published.
One of topics that I discussed, which resonated well with the crowd, was about IoTs (Internet of Things) doing both data collection and process control on the same device — Not only on the same device, but also on the same plane most times. This means if someone has access to those data collection mechanisms they also get to control the processes as well, which could be dangerous in wrong hands.
Very often I see customers use the same device to both collect the data and control the systems. This is especially true in the so-called “industrial automation,” such as manufacturing, power grids, and other “smart” systems. Though these systems were put in place long before the IoT, they are getting Internet enabled now, which is a little scary. This is because security for these networks was not of prime importance as most of these controllers were on private, and most times completely isolated networks. Now putting these devices, and their associated isolated networks, on the Internet, without beefing up the security, is asking for disaster.
The SCADA systems (Supervisory Control And Data Acquisition systems) and the larger ICS (Industrial Control Systems) all fall in this category. They were all built before the current IOT infestation (and I am one of those guys who started his career with working on those systems waaay back when) so you can’t really blame the way it was built. For the time it was built, for the purpose it was built, and for the network it was built, I think it was a solid design. But you need to be very careful when you put them on the Internet.
This could be a problem because if the hackers get access to your network to steal data for monetization purposes they can also control your network to cause chaos. Generally, the hackers try to break into your system for one of two reasons. Either they want to steal your data so they can monetize it (cc, finance data, etc.) or they want to disrupt your system to cause chaos (power grid interruption, supply chain failure, etc.). If, and in some cases it is just a matter of when, the bad guys break into your systems for one of the above reasons, giving them opportunity to do the other is the worst case scenario which could lead to very disastrous results.
To begin with, this is a clear violation of separation of duties/responsibilities by mixing and matching. This is not even counting data collection mixing with control signals. The reason why this is so important is the fact is that if one of them is compromised then the other will be too.
Granted this is a more difficult problem to solve because the device footprints are generally tiny. You can’t have parallel devices doing multiple things. But before you put these things on the Internet you will be better off doing a process and security architecture review of these things. It might save you a lot of headaches.