Are we setting up the Internet of Things to fail, and potentially with massive and catastrophic consequences?
Cybersecurity researchers Charlie Miller and Chris Valasek caused the recall of 1.4 million vehicles after hijacking the Chrysler Jeep’s digital systems over the Internet. The pair remotely hacked into the car and paralysed it on a highway whilst in traffic. They were able to disable the brakes, cause unintended acceleration and turn the vehicle’s steering wheel at any speed. Other vulnerabilities have been discovered in Tesla vehicles, and more are reportedly yet to come. In late September 2016, the pharmaceutical firm Johnson & Johnson wrote to diabetic patients using one of its insulin pumps advising that it was at risk of being hacked, after Jay Radcliffe, a researcher (and diabetic) with cybersecurity firm Rapid7, discovered he could access the communications between the pump and its RF remote, in theory allowing a hacker to administer unauthorised injections. This follows rising concern over connected medical devices, with Kaspersky Labs revealing in February that it had hacked into a hospital’s IT infrastructure and was able to access an MRI device. These selected examples from the automotive and healthcare sectors highlight the biggest focus areas as Information Technology (IT) comes together with Operational Technology (OT), and show how security will remain the key to enabling or disabling the industrial tsunami unfolding in the form of the Internet of Things (IoT).
In the IT space, the majority of hacks are abstract in their effect, such as lost or compromised data. But, as the examples above show, the kinds of industrial assets found in the OT space will invariably have a physical impact if they are hacked. Attacks against connected OT equipment have the potential to harm human safety, cause environmental damage and create massive disruption in a way that we are not necessarily seeing on the IT side. OT security therefore has very different priorities from IT security when we consider what needs to be safeguarded.
According to Tom Le from GE Digital WurldTech, speaking last week at Structure Security in San Francisco, we can picture the entire universe of connected devices as a pyramid. At the top of the pyramid are the typical endpoint devices that we all use, such as laptops and smartphones, where security is ‘pretty good’ as long as the operating systems are regularly patched. In the middle of the pyramid are the devices we may only use occasionally, such as HVAC (heating, ventilation, air conditioning), smart lighting in the home, increasingly smart refrigerators and televisions, and connected cars. Beneath these two layers is a wide array of devices that we don’t even notice, because we tend not to interact with them, but which are everywhere: transport system nodes, power generation stations, city management systems and manufacturing equipment. Although we don’t see the devices at this lower level, they will affect us should they be successfully attacked or compromised. The primary concern is that the devices at the top of the pyramid have good security, while the other two layers have much less security integrated into their design; as of today, the degree of integrated security design reduces as you move down the pyramid.
Air gapping between the operating system and the Internet has been touted as a workable solution, but as Tom Le asserted, “this is potentially a myth and is certainly not the ‘holy-grail’ solution.” There have been reports that aviation Wi-Fi systems could be hacked via the entertainment Wi-Fi systems, and the FBI has begun investigating these claims. Even if an industrial facility, be it a power plant, manufacturing facility or city management system, were ‘air-gapped’ and none of its assets were allowed to connect to the Internet, there would still be indirect connections. Contractors come into the facility with transient assets such as their own mobile devices and laptops, and a common vulnerability is the USB key, now a common attack vector. A recent illustration is the Victoria Police investigation into malware-infected USB devices being left in residential letterboxes.
So even assets that we believe are not connected to the Internet are very likely to remain exposed through indirect connectivity. Taking this one step further, the common prediction is that by 2020 we will have between 20 billion and 50 billion devices connected to the Internet. Even for assets that are currently neither directly nor indirectly connected, the Internet of Things will seek to bring many millions of these industrial OT assets online so that we can experience the benefits of innovation, efficiency and analytic tools. That is a huge swing from the position operators think is safe today to the reality of the short-term future, in which more and more connected assets are brought online.
Even after 20 to 30 years of IT security, we are still trying to get it right and are still experiencing breaches on a regular basis. There is something in the news every day and every week, and the breaches aren’t getting any smaller, from the Sony hacks (2011, 2014, 2016) to the Yahoo hack discovered last week, with up to 500 million accounts compromised in a breach dating as far back as 2012. We are still not getting it right.
Ducks & Swans: IT Security does not apply to OT Security
There are significant and fundamental differences between IT and OT assets. IT assets tend to have a very short life span, whether it is the iPhone that you replace every couple of years or the laptop that needs software patches or even a whole new OS installed and upgraded. We are willing to disrupt these small devices and go through a full system reboot, a patching process or a complete OS upgrade, including multiple reboots, and to take the risk of annoying system bugs that have yet to be fully ironed out.
In stark contrast, OT assets have much longer operational life cycles, many around 15 to 20 years, with some traditional systems lasting as long as 40 years. Likewise, maintenance and upgrade windows are not a matter of minutes, hours or even days; sometimes an upgrade is a four- to five-year process. So the concept of applying an IT-style patching regime or endpoint security applications to the OT asset infrastructure is very difficult, if not completely irrelevant and misleading.
The other critical aspect is that some of the systems operating within our critical infrastructure, particularly in power generation and transport, can no longer be updated, and a majority are obsolete. As an example, thousands of industrial facilities still run on Windows XP hosts that form the basis of the facilities’ software management systems, and Windows XP has not been supported for some time now. Patches have to be paid for out of band and are subject to individual commercial agreements; some companies may choose not to pay. Many of these systems are now starting to experience malware attacks that were eradicated some time ago on the IT side but are being re-propagated on the OT side. And even in the many factories and plants that remain in operation, it isn’t possible to apply many of the patches that are available, because the threat of system change is greater than the threat of a cyber-attack: any change or upgrade patch may not actually work and could bring down or compromise that critical asset or piece of critical infrastructure.
So the strategy on the OT side needs to be built around containment and mitigation more than remediation. Operational safety is of paramount importance: human safety and operational availability are the two primary missions on the industrial side. The challenge is that it’s not just about cyber-attacks; in fact, nearly 80 per cent of the issues affecting industrial assets are caused by misconfiguration rather than by a targeted attack. The priorities we are accustomed to on the IT side, confidentiality, integrity and availability, are therefore completely different on the OT side.
The question is not whether or how the two technical disciplines of IT and OT are to be melded; the reality is that the question is when this will occur. The two areas continue to converge, and already we have 6.5 billion to 8 billion devices connected to the Internet, the majority of them at the higher end of the pyramid. But the fastest-growing area of connected devices will be industrial assets. A recent study out of Princeton University, cited by Le, found that 13 per cent of the embedded devices directly connected to the Internet had retained the default root password, which was calculated to be 540,000 devices across 144 countries. The study covered only a subset of device types and a subset of the devices connected to the Internet today. Scale this up to the predicted 20 to 50 billion devices by 2020: if anywhere close to 10 to 13 per cent remain accessible with default credentials, then this one vulnerability alone, let alone the wide range of other configuration or inherent vulnerabilities that will inevitably exist, leaves us a long way from a safely converged IT and OT environment. In a follow-up study, as many as 60 per cent of Internet-connected embedded devices that had any kind of user interface were found to be vulnerable to attack; in simple terms, sixty per cent of these devices would fail a routine penetration test.
When we appreciate the scale of vulnerabilities today, and then scale it up by two to three times by 2020 to 2025, we are setting up the Internet of Things to fail, and potentially with massive and catastrophic consequences.
Chris Cubbage, Executive Editor