The Internet of Things (IoT) and the Industrial Internet of Things (IIOT) usher in new levels of convenience for consumers and industry alike. But these come with hidden dangers. Smart home devices like door locks, porch-cams, and smart thermostats make life a little easier and safer on the home front, while cloud-based devices for industry, save time and increase productivity for workers around the world.
Their sheer usefulness comes from the fact that these devices and tools are connected to the internet, either directly or through routers or other devices. This means all these things are inextricably connected to each other.
Kaushal Kafle, a researcher and computer scientist at the College of William and Mary in Williamsburg, Virginia, points out a key weakness, in a recent interview with Quartz.
“Many smart home devices are controlled using a central app, like Google’s Nest app or Samsung SmartThings. Changing a setting from one smart device might tell that platform to change the behavior of other smart devices. For instance, imagine you’ve programmed your smart lightbulbs to turn on once you arrive home. You may also have other smart devices that are programmed to do something while you’re home versus away; perhaps your smart alarm system is set to be disabled if you’re at home. If a hacker can access your smart lightbulb and toggle its setting to “at home,” they might also be able to control that alarm system, making it possible to disable an alarm to slip into your home undetected, just by messing with your smart bulb settings.”1
It is this connectedness that people tend to forget about, in consumer and commercial scenarios. An employee working in an office, on a factory floor, in the cab of a truck, or in a WiFi-enabled coffee shop, feels pressure to get work done. It is extremely easy to activate an app that asks for permission to access contacts or a microphone, and then move on to other work, forgetting that the app still has permission to access these features.
Myriad connection points make it impossible to anticipate just how and where such information might be used. When the next major data breach is announced, it hits the news cycle briefly, but seldom does anyone have the time to even consider where and how the malware found its way to the heart of an organization. The infinite interconnectedness of things, paired with the relentless dedication of bad actors, keeps InfoSec professionals constantly straining to preserve their organizations’ safety.
IIoT is Already Everywhere
As ESET expert Tony Anscombe points out, part of the issue is the lack of stringent definitions as to what fits inside the scope of IoT and IIoT. Does IIoT include the “meta” concepts like smart buildings, smart cities, and smart traffic? These are collectives built out of thousands of individual smart components.
In comparing IoT to IIoT it is easy, he says, to recognize that IIoT has been around a lot longer in the form of sensors, robots and predictive technology in manufacturing, oil and gas, utilities and other large swaths of industry. Analysts predict that by 2020, IIoT will be double the size of IoT.
Examples of successful IIoT deployment are too numerous to mention. Two typical examples are:
- A hotel that uses its smart building technologies, including air quality sensors and people movement sensors, to only activate air conditioning and lighting in the zones where people are detected, saving millions of dollars per year.
- Aerospace manufacturer Airbus, that uses IIoT devices to increase safety and productivity through predictive maintenance; anticipating and avoiding robotics failures before they happen – and the use of wearable tech; IIoT connected glasses that allow supervisors to see what the technicians see as they work on assembly or repairs.
Any Connected Network Becomes a Danger Zone
Such rapid growth of IIoT technologies should naturally set off alarm bells for anyone concerned for the security of their company. Two chilling reminders come immediately to mind:
- The Target breach that we discussed in our January 30, 2019 post, Why Data Breaches Continue to Happen, happened as a result of hackers gaining access to the company’s HVAC system, which facilitated a connection through to the chain stores’ point-of-sale (POS) software.
- A recent hack on the email provider VFEMail wiped out not only the company’s email servers, but all of its backups as well, destroying the company completely. Read the story here.
There is an assumption that because enterprise organizations store their data on their own networks and behind their own firewalls, that data is safer than perhaps an individual at home who relies on the public Internet and who is not up to speed on computer and router security. But as Tony points out, “any computing device runs on software, even when it’s not obvious, and all software has vulnerabilities.” It’s a continual game of updating it to make sure vulnerabilities are found, bugs are fixed, and ongoing security mechanisms are placed into the devices.
Another warning comes in the form of siegeware, a term used by ESET specialist Stephen Cobb2 to describe how smart-Building IIoT technology could be used to turn up the heating or air-conditioning systems to temperatures beyond human comfort and safety. Although that might sound like a mere inconvenience at first glance, unbearable heat in a facility like a hospital would demand large scale evacuation, bringing all hospital activities to a halt.
Recommendations for IT and C-Suite Alike
We asked Tony what recommendations or warnings he would want to pass along to IT specialists and senior management. He replied:
- First make full use of data to look for and identify anomalies or unusual patterns of activity, such as a specific device contacting an external source an unusual number of times. Only in the past five years has data storage become low-cost enough for companies to do this.
- Remain aware that much of the technology we use was not built with security in mind. A coffee machine or photocopier that automatically orders supplies or maintenance might be a convenient example of IoT in action, but does it have sufficient security in place? Who is it connected to – and how might a Target-style attack reach other computers or devices in the building? “Stay aware of ‘what is connected to what’ in the network,” he says3.
- Question whether all the features of a device need to be activated. The more features turned on, the more points of weakness, entry, and exploitation.
In closing, Tony illustrates how we are now on a cusp of a change in the way humans think and operate. As more “things” join the IIoT, the scope of awareness will become larger as smart cities and smart buildings play a larger role. Individual consumers might choose to visit a restaurant or coffee shop as much for the air quality (detected by IIoT sensors) as the quality of the food. And large companies may choose to set up their offices in places where the quality of the smart city and the mobility and digital literacy of its population may be greater influencers than property values and tax breaks.
We are facing a future in which sensors are everywhere, and although this may be a blessing in many ways, it comes with a significant need for vigilance.
Steve Prentice specializes in the place where human and technology meet. With a background in organizational psychology and project management, he works with IT industry leaders like SAP, CA Technologies and Cisco, as well as with their customers. He consults, manages projects, delivers keynotes, and teaches at a Toronto-area university (UOIT).
- Hu, Jane. (December, 2018). “How one lightbulb could allow hackers to burgle your home,” Quartz.com, Retrieved from: https://qz.com/1493748/how-one-lightbulb-could-allow-hackers-to-burgle-your-home/
- Cobb, Stephen. (February, 2019). “Siegeware: When criminals take over your smart building,” We Live Security, Retrieved from: https://www.welivesecurity.com/2019/02/20/siegeware-when-criminals-take-over-your-smart-building/
- Anscombe, Tony. (February, 2019). “EndpointSecurity.ca Podcast Episode 4: The Security of Things: Effects of IoT and IIoT on Business Security,” Positive E Solutions Inc., Retrieved from: https://blog.endpointsecurity.ca/2019/02/21/episode-4-security-of-things-effects-of-iot-and-iiot-on-business-security/