Industries and consumers are adopting the Internet of Things (IoT) at an unprecedented rate. With increasing IoT usage and adoption, organisations face elevated cybersecurity risk profiles.
Cyber security risks for IoT devices are further exacerbated by their long lifespans, limited computing resources and low visibility. Failure to understand and manage these risks appropriately will lead to severe or even disastrous consequences, as the recent cyber attacks against the Ukrainian electricity grid infrastructure demonstrate. For any organisation that has deployed or is going to deploy IoT devices, it is almost certain that cyber attacks against those devices will occur; it is only a matter of when and how.
The recent attacks in Ukraine have shed some light on the threats. Sophisticated malware attacked the Ukrainian electricity grid network and substations in both December 2015 and December 2016, causing widespread blackouts and disruptions. The two incidents differed in strength and sophistication, but both began with the compromise of Microsoft Windows hosts on the utilities' corporate networks and used HTTP command-and-control channels, routed through the victims' proxy servers, as the backdoor. The malware then propagated within the network and the attackers launched the attack by issuing unauthorised Industrial Control System (ICS) operations.
The malware used in the 2015 attack is BlackEnergy 3, an evolution of the previously known BlackEnergy 2. Its operators gained access to the target corporate network through compromised Microsoft Windows hosts, then pivoted into the SCADA network after learning its layout and harvesting the credentials needed to reach it. More significantly, they used that knowledge to turn the SCADA system's own control functions against it. Unlike Stuxnet, which sabotaged the ICS units used in Iran's nuclear programme with purpose-built code, BlackEnergy 3 had no module to control ICS equipment directly; instead, the attackers operated the SCADA Human Machine Interface (HMI) to carry out the attack. Because the attack was driven by reconnaissance of the target and used the operators' own legitimate control paths rather than a single exploit that could be patched, it was very disruptive and slow to recover from.
The malware used in the 2016 attack is CrashOverride (also known as Industroyer). It is more advanced still, combining the capabilities seen in BlackEnergy 2 and 3 with a far more sophisticated ability to learn and manipulate the SCADA network without being confined to a specific vendor's platform. It has a modular architecture with payloads for well-known ICS protocols, including IEC 101, IEC 104 and IEC 61850, as well as OPC DA, each supporting multiple attack modes (for example, sending commands to individual addresses or sweeping a whole range of them). Because of this modularity, it can be extended into new variants that attack critical infrastructure beyond electricity transmission and distribution.
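The IEC 104 payload described above speaks the protocol exactly as a legitimate control station would, so a defender has to inspect the control-direction traffic itself rather than look for an exploit signature. The following is an added example, not code from this page, from ESET or Dragos, or from the malware: it parses IEC 60870-5-104 APDUs (APCI framing plus the ASDU header and information object addresses) and raises an alert when a control command arrives from a host other than the designated master, or when one host issues commands that sweep many information object addresses, which is the behaviour of a range-mode attack. The packets, IP addresses and the sweep threshold are constructed for illustration and are not a real capture.

```python
"""Parse IEC 60870-5-104 APDUs and flag suspicious control commands.
Added example; the packets below are constructed, not captured traffic."""
import struct
from collections import defaultdict
from dataclasses import dataclass, field

# Control-direction ASDU type IDs; 58-64 are the time-tagged forms of 45-51.
COMMAND_TYPES = {
    45: "C_SC_NA_1 single command", 46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step", 48: "C_SE_NA_1 set-point (normalised)",
    49: "C_SE_NB_1 set-point (scaled)", 50: "C_SE_NC_1 set-point (float)",
    51: "C_BO_NA_1 bitstring",
}
COMMAND_TYPES.update({t + 13: COMMAND_TYPES[t] + ", time-tagged" for t in range(45, 52)})
# Bytes of information element that follow each 3-byte IOA (1 = M_SP_NA_1 single point).
ELEMENT_SIZE = {1: 1, 45: 1, 46: 1, 47: 1, 48: 3, 49: 3, 50: 5, 51: 4}
ELEMENT_SIZE.update({t + 13: ELEMENT_SIZE[t] + 7 for t in range(45, 52)})


@dataclass
class Apdu:
    frame: str              # "I" (data), "S" (acknowledge) or "U" (link control)
    type_id: int = 0
    cot: int = 0            # cause of transmission: 3 = spontaneous, 6 = activation
    common_addr: int = 0
    ioas: list = field(default_factory=list)


def parse_apdu(buf: bytes) -> Apdu:
    # APCI: start byte 0x68, length of the rest, four control-field bytes.
    if len(buf) < 6 or buf[0] != 0x68 or buf[1] + 2 != len(buf) or buf[1] < 4:
        raise ValueError("malformed APCI")
    ctrl = buf[2]
    if ctrl & 0x01 == 0:
        frame = "I"
    elif ctrl & 0x03 == 0x01:
        frame = "S"
    else:
        frame = "U"
    if frame != "I":
        return Apdu(frame)
    asdu = buf[6:]
    if len(asdu) < 9:
        raise ValueError("truncated ASDU")
    type_id, vsq, cot, _originator, ca = struct.unpack("<BBBBH", asdu[:6])
    apdu = Apdu("I", type_id, cot & 0x3F, ca)
    sq, count, pos = vsq >> 7, vsq & 0x7F, 6
    size = ELEMENT_SIZE.get(type_id)
    if sq or size is None:          # SQ=1: one IOA then consecutive elements
        base = int.from_bytes(asdu[pos:pos + 3], "little")
        apdu.ioas.extend(range(base, base + (count if sq else 1)))
        return apdu
    for _ in range(count):          # SQ=0: every object carries its own IOA
        if pos + 3 + size > len(asdu):
            raise ValueError("truncated information object")
        apdu.ioas.append(int.from_bytes(asdu[pos:pos + 3], "little"))
        pos += 3 + size
    return apdu


def detect_rogue_commands(packets, master_ips, sweep_threshold=3):
    """packets: iterable of (src_ip, dst_ip, apdu_bytes). Returns alert strings."""
    alerts, ioas_by_src, swept = [], defaultdict(set), set()
    for src, dst, raw in packets:
        apdu = parse_apdu(raw)
        if apdu.frame != "I" or apdu.type_id not in COMMAND_TYPES:
            continue
        desc = f"{COMMAND_TYPES[apdu.type_id]} COT={apdu.cot} CA={apdu.common_addr} IOA={apdu.ioas}"
        if src not in master_ips:
            alerts.append(f"unexpected master {src}->{dst}: {desc}")
        ioas_by_src[src].update(apdu.ioas)
        if len(ioas_by_src[src]) >= sweep_threshold and src not in swept:
            swept.add(src)
            alerts.append(f"command sweep from {src}: IOAs {sorted(ioas_by_src[src])}")
    return alerts


def build_asdu(type_id, cot, ca, ioa, element: bytes) -> bytes:
    """Single-object ASDU (SQ=0, one object) used to construct the samples."""
    return struct.pack("<BBBBH", type_id, 1, cot, 0, ca) + ioa.to_bytes(3, "little") + element


def build_i_frame(ns, nr, asdu: bytes) -> bytes:
    """I-format APDU; sequence numbers occupy bits 1-15 of each 16-bit field."""
    return bytes([0x68, 4 + len(asdu)]) + struct.pack("<HH", ns << 1, nr << 1) + asdu


MASTER, RTU, ROGUE = "10.10.1.5", "10.10.2.20", "10.10.1.77"   # hypothetical hosts
SAMPLE_PACKETS = [                                                 # constructed traffic
    (MASTER, RTU, bytes.fromhex("680407000000")),                          # U: STARTDT act
    (RTU, MASTER, build_i_frame(0, 1, build_asdu(1, 3, 1, 16, b"\x01"))),  # spontaneous point
    (MASTER, RTU, build_i_frame(1, 1, build_asdu(45, 6, 1, 32, b"\x81"))), # select IOA 32 on
    (MASTER, RTU, build_i_frame(2, 1, build_asdu(45, 6, 1, 32, b"\x01"))), # execute
    (ROGUE, RTU, build_i_frame(0, 0, build_asdu(46, 6, 1, 33, b"\x02"))),  # from unknown host
    (MASTER, RTU, build_i_frame(3, 1, build_asdu(45, 6, 1, 40, b"\x00"))),
    (MASTER, RTU, build_i_frame(4, 1, build_asdu(45, 6, 1, 41, b"\x00"))),
]

if __name__ == "__main__":
    for alert in detect_rogue_commands(SAMPLE_PACKETS, {MASTER}):
        print(alert)
```

The allowlist check catches a compromised engineering workstation that starts issuing commands directly, and the sweep check catches the case CrashOverride actually exploits, where the commands come from the legitimate master host itself but walk through breaker after breaker. In production the sweep window would be time-bounded and the IOA set would be compared against the points the operator is actually permitted to control, rather than a fixed threshold.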
The ICS protocols above (IEC 101, IEC 104 and IEC 61850) are mainly used outside the United States. However, recent reports from Symantec indicate that a group operating under the name Dragonfly 2.0 has infiltrated some US electricity infrastructure networks to map their topology. The group gained a level of access to US power firms' networks that could have given it operational access via HMIs before it was discovered and blocked. No damage to the infiltrated networks or power infrastructure was reported, but the activity reads like a textbook reconnaissance mission ahead of a full-scale attack. The attackers will not abandon their intent; the threat will persist in different forms and at different times.
To manage IoT security risks systematically, organisations must adopt a holistic approach that measures their risk profile, business priorities and security sensitivity. The IoT security solution market is still in its infancy, with many emerging solutions offering specialised capabilities. Organisations need to select and deploy IoT security solutions according to their business priorities and security sensitivity across the IoT security stack. A typical IoT security stack can be defined in the following layers:
- Device Endpoint Protection
- Network & Connectivity Security
- Device Identity & Authentication
- Device Data Encryption
- Device Data Analytics and Monitoring
- Centralised IoT management platform
IoT security management and measures can be applied to one or all of these layers, depending on the selected solution. Current industry trends indicate that organisations are focusing on the following solution categories for their IoT security management:
Embedded Trust Solutions
These solutions provide endpoint device security functions in the hardware, firmware and OS environments. Their capabilities range from a Trusted Execution Environment (TEE) and a lightweight cryptographic engine to a secured OS kernel for embedded applications.
Device Identity and Key/Credential Management
These solutions provide IoT device-specific identity and access management, including federated device management at IoT scale and the capability to generate, store and manage keys and digital certificates with appropriate encryption.
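The lifecycle problem behind this category is that a fleet of thousands of devices needs a unique credential each, issued at enrolment, rotated on schedule and revoked on compromise, without the backend holding a per-device secret store that becomes a single breach point. The following is an added example, not code from this page or from any vendor's product: it derives each device's key from a master secret, the device identifier and a rotation epoch, so the backend stores only the master secret and per-device metadata, and authenticates a device with a single-use, time-limited challenge-response that rejects replays, retired keys and revoked devices. Per-device X.509 certificates with mutual TLS are the certificate-based form of the same lifecycle; this symmetric scheme uses only the Python standard library. The class and function names, the device identifier and the master secret are hypothetical.

```python
"""Per-device key derivation and challenge-response authentication.
Added example; names, device IDs and the master secret are hypothetical."""
import hashlib
import hmac
import secrets
import time
from typing import Optional


def derive_device_key(master_secret: bytes, device_id: str, epoch: int) -> bytes:
    """KDF with domain separation: a device learns only its own key, and bumping
    the epoch yields an unrelated key, so rotation never reveals the master."""
    info = b"iot-device-auth|" + device_id.encode() + b"|" + epoch.to_bytes(4, "big")
    return hmac.new(master_secret, info, hashlib.sha256).digest()


def device_response(device_key: bytes, device_id: str, nonce: bytes) -> bytes:
    """Device side: prove possession of the key without transmitting it."""
    msg = b"auth-response|" + device_id.encode() + b"|" + nonce
    return hmac.new(device_key, msg, hashlib.sha256).digest()


class DeviceRegistry:
    """Backend side. Holds the master secret (in production, inside an HSM) and
    per-device metadata only; derived keys are recomputed on demand."""

    def __init__(self, master_secret: bytes, challenge_ttl: float = 30.0):
        self._master = master_secret
        self._devices = {}       # device_id -> {"epoch": int, "revoked": bool}
        self._challenges = {}    # nonce -> (device_id, expires_at)
        self._ttl = challenge_ttl

    def enrol(self, device_id: str) -> bytes:
        """Provision a device and return the key to burn into it at manufacture."""
        self._devices[device_id] = {"epoch": 1, "revoked": False}
        return derive_device_key(self._master, device_id, 1)

    def rotate(self, device_id: str) -> bytes:
        """Key rotation: bump the epoch; the previously issued key stops working."""
        self._devices[device_id]["epoch"] += 1
        return derive_device_key(self._master, device_id, self._devices[device_id]["epoch"])

    def revoke(self, device_id: str) -> None:
        self._devices[device_id]["revoked"] = True

    def challenge(self, device_id: str, now: Optional[float] = None) -> bytes:
        """Issue a fresh random nonce bound to one device and an expiry time."""
        if now is None:
            now = time.time()
        nonce = secrets.token_bytes(16)
        self._challenges[nonce] = (device_id, now + self._ttl)
        return nonce

    def verify(self, device_id: str, nonce: bytes, response: bytes,
               now: Optional[float] = None) -> bool:
        if now is None:
            now = time.time()
        entry = self._challenges.pop(nonce, None)   # single use: a replay fails here
        if entry is None or entry[0] != device_id or now > entry[1]:
            return False
        dev = self._devices.get(device_id)
        if dev is None or dev["revoked"]:
            return False
        key = derive_device_key(self._master, device_id, dev["epoch"])
        expected = device_response(key, device_id, nonce)
        return hmac.compare_digest(expected, response)   # constant-time comparison


if __name__ == "__main__":
    registry = DeviceRegistry(secrets.token_bytes(32))
    key = registry.enrol("sensor-0042")
    nonce = registry.challenge("sensor-0042")
    print(registry.verify("sensor-0042", nonce, device_response(key, "sensor-0042", nonce)))
```

Two design points carry over to the certificate-based version: the backend never compares secrets with `==` (timing leaks), and a challenge is consumed on first use whether or not it verifies, so an attacker who captures one valid response cannot replay it.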
Realtime Visibility and Control
These solutions scan and passively monitor IoT networks and every connected IoT device, whether wired, wireless or radio-frequency and regardless of location, giving users visibility into their IoT security posture. They can be used to monitor, track, detect and respond to specific IoT threats.