The Next Battleground – Critical Infrastructure

Cyber threats have dramatically developed throughout the years. From simple worms to viruses, and finally to advanced Trojan horses and malware. But the forms of these threats are not the only things that have evolved. Attacks are targeting a wider range of platforms. They have moved from the PC to the Mobile world, and are beginning to target IoT connected devices and cars. The news has been filled recently with attacks on critical infrastructure, causing the blackout in Ukraine, and the manipulation of “Kemuri Water treatment Company“ water flow.

This threat can no longer be ignored. Critical infrastructure organizations such as power utility and water are critical, and ought to be protected accordingly. Certain governments are starting to realize that cyberattacks can, in fact, affect critical infrastructure. As a result, they have recently issued regulations to enhance their standard defenses.

The cyber threat world is big and extensive—to fully understand the scope of threats to nationwide critical infrastructures, here are a few insights and perspectives based on our vast and longstanding experience in the cyber world.

Top three critical infrastructure threat vectors

Industrial Control Systems (ICS) are vulnerable in three main areas:

1. IT network.
2. Insider threat (intentional or unintentional).
3. Equipment and software.

 

Attacking through the IT network

ICS usually operate on a separate network, called OT (Operational Technology). OT networks normally require a connection to the organization’s corporate network (IT) for operation and management. Attackers gain access to ICS networks by first infiltrating the organization’s IT systems (as seen in the Ukraine case), and use that “foot in the door” as a way into the OT network. The initial infection of the IT system is not different than any other cyberattack we witness on a daily basis. This can be achieved using a wide array of methods, such as spear phishing, malicious URLs, drive-by attacks and many more.

Once an attacker has successfully set foot in the IT network, they will turn their focus on lateral movement. Their main objective is to find a bridge that can provide access to the OT network and “hop” onto it. These bridges may not be properly secured in some networks, which can compromise the critical infrastructures they are connected to.

The threat within

Traditional insider threats exist in IT networks as well as in OT networks. Organizations have begun protecting themselves against such threats, especially after high profile attacks such as the Target hack or Home Depot (and the list is continuously growing). In OT however, the threat is increased. Similar to IT networks, insiders can intentionally breach OT networks with graver consequences. In addition to this “regular” threat, there is the unintentional insider threat. Unlike IT networks, OT networks are usually flat with little or no segmentation, and SCADA systems have outdated software versions that go unpatched regularly.

Unwitting users often inadvertently create security breaches, either to simplify technical procedures or by unknowingly changing crucial settings that disable security. The bottom line remains the same either way: the network that controls the critical infrastructure is left exposed to attacks. This is proven time and again as one can easily encounter networks that were connected to the internet by accident.

Meddling with critical components

The last avenue that endangers ICS is tampering with either the equipment or its software. There are several ways to execute such an operation:

• Intervening with the equipment’s production. An attacker can insert malicious code into the PLC (Programmable Logic Controller) or HMI (Human Machine Interface) which are the last logical links before the machine itself.
• Intercepting the equipment during its shipment and injecting malicious code into it.
• Tampering with the software updates of the equipment by initiating a Man in The Middle attack, for example.

So, how can we protect our Critical Infrastructure?

To fully protect any critical infrastructure, whether it is an oil refinery, nuclear reactor or an electric power plant, all three attack vectors must be addressed. It is not enough to secure the organization’s IT to ensure the security of the production floor. A multi-layered security strategy is needed to protect critical infrastructures against evolving threats and advanced attacks. Check Point offers not only a full worldview of the problems critical infrastructures are facing, but also a comprehensive solution to protect them.

 

Source: http://blog.checkpoint.com/2016/04/13/the-next-battleground-critical-infrastructure/

Critical (Outdoor) IoT Applications Need Robust Connectivity

It’s safe to assume that the majority of all Internet of Things (IoT) devices operate near large populations of people. Of course, right? This is where the action happens – smart devices, smart cars, smart infrastructure, smart cities, etc. Plus, the cost of getting “internet-connected” in these areas is relatively low – public access to Wi-Fi is becoming widely available, cellular coverage is blanketed over cities, etc.

But what about the devices out in the middle of nowhere? The industrial technology that integrates and communicates with heavy machinery that isn’t always “IP connected,” operating in locations not only hard to reach, but often exposed harsh weather. The fact remains, this is where IoT connectivity is potentially most challenging to enable, but also perhaps the most important to have. Why? Because these numerous assets help deliver the lifeblood for our critical infrastructures – electricity, water, energy, etc. Without these legacy and geographically dispersed machines, a smart world may never exist.

But let’s back up for a second and squash any misconceptions about the “industrial” connectivity picture we’re painting above. Take this excerpt from Varun Nagaraj in a past O’Reilly Radar article:

“… unlike most consumer IoT scenarios, which involve digital devices that already have IP support built in or that can be IP enabled easily, typical IIoT scenarios involve pre-IP legacy devices. And unfortunately, IP enablement isn’t free. Industrial device owners need a direct economic benefit to justify IP enabling their non-IP devices. Alternatively, they need a way to gain the benefits of IP without giving up their investments in their existing industrial devices – that is, without stranding these valuable industrial assets.

Rather than seeing industrial device owners as barriers to progress, we should be looking for ways to help industrial devices become as connected as appropriate – for example, for improved peer-to-peer operation and to contribute their important small data to the larger big-data picture of the IoT.”

It sounds like the opportunity ahead for the industrial IoT is to  provide industrial devices and machines with an easy migration path to internet connectivity by creatively addressing its constraints (outdated protocols, legacy equipment, the need for both wired and wireless connections, etc.) and enabling new abilities for the organization.

Let’s look at an example of how this industrial IoT transformation is happening.

Voice, Video, Data & Sensors
Imagine you are a technician from a power plant in an developing part of the world with lots of desert terrain. The company you work for provides power to an entire region of people, which is difficult considering the power plant location is in an extremely remote location facing constant sand blasts and extreme temperatures. The reliance your company places on the industrial devices being used to monitor and control all facets of the power plant itself is paramount. If they fail, the plant fails and your customers are without power. This is where reliable, outdoor IoT connectivity is a must:

• With a plethora of machinery and personnel onsite, you need a self-healing Wi-Fi mesh network over the entire power plant so that internet connections aren’t lost mid-operation.
• Because the traditional phone-line system doesn’t extend to the remote location of the power plant, and cell coverage is weak, the company requires Voice over IP (VoIP) communications. Also, because there’s no physical hardware involved, personnel never needs to worry about maintenance, repairs or upgrades.
• The company wants to ensure no malfeasance takes place onsite, especially due to the mission-critical nature of the power plant. Therefore, security camera control and video transport is required back to a central monitoring center.
• Power plants require cooling applications to ensure the integrity and safety of the power generation taking place. The company requires Supervisory Control and Data Acquisition (SCADA) networking for monitoring the quality of the inbound water being used to cool the equipment.
• The company wants to provide visibility to its customers in how much energy they are consuming. This requires Advanced Metering Infrastructure (AMI) backhaul networking to help manage the energy consumption taking place within the smart grid.
• Since the power plant is in a remote location, there is only one tiny village nearby being used by the families and workers at the power plant. The company wants to provide a Wi-Fi hotspot for the residents.

From the outline above, it sounds like a lot of different IoT networking devices will need to be used to address all of these applications at the power plant. If the opportunity ahead for the industrial IoT is to  provide industrial devices and machines with an easy migration path to IP connectivity, what solutions are available to make this a reality for the power plant situation above? Not just that, but a solution with proven reliability in extreme environmental conditions? We might know one…

Source: http://bigdata.sys-con.com/node/3766382

Devil is the details: Dirty little secrets of the Internet of Things

Is harvesting your data and turning it into a new revenue stream the only sustainable business model for Internet of Things device makers?

Credit: Thinkstock

Where is IoT going in the long run?… To cash in on the treasure trove of “everything it knows about you,” data collected over the long term, at least it is according to a post on Medium about the “dirty little secret” of the Internet of Things.

A company can only sell so many devices, but still needs to make money, so the article suggests the “sinister” reason why companies “want to internet-connect your entire house” is to collect every little bit of data about you and turn it into profit. Although the post was likely inspired in part by the continued fallout of Nest’s decision to brick Revolv hubs, there could a IoT company eventually looking for a way to monetize on “if you listen to music while having sex.”

The post is by the same guy running the “Internet of Sh*t” Twitter account; he works as a developer for a software company in Europe. You’ve surely seen IoT gadgets that seem like a joke, that make you wonder why in the world anyone thought it was a good enough idea to make it. While not every product tweeted by Internet of Sh*t is a real thing, the tweets are funny and have the scary potential to be real. Here are a couple of my favorites:

A smart device which alerts you to water your plants could also be considered to now give your plants an attack vector. Another would be an IoT gadget in your “smart home” that could lead to in-app purchase blackmail such as the tweeted joke about paying to delete footage of something an app “saw.”

On Medium, “Internet of Sh*t” explained that there are indeed plenty of IoT devices that you would use over the very long term such as “household appliances you won’t replace for a decade. We’re talking about a thermostat, fridge, washing machine, kettle, TV or light — long term, there’s just no other way to be sustainable for the creators of these devices.” Those devices present “delicious” opportunities “for bloated internet companies.”

“The problem with the Internet of Things is that the hardware is only one aspect,” he pointed out. “The makers need to keep servers running to support them, keep APIs up to date, keep security up to date and, well, pay employees.” Over time, those costs will be more than what you paid for the device so the “sustainable” model is to keep collecting every little piece of data about you and then finding a way to profit from it.

For example, he quoted Nest CEO Tony Fadell who previously said, “We’ll get more and more services revenue because the hardware sits on the wall for a decade.”

If Nest wanted to increase profits it could sell your home’s environment data to advertisers. Too cold? Amazon ads for blankets. Too hot? A banner ad for an air conditioner. Too humid? Dehumidifiers up in your Facebook.

Nest may not be doing that right now, but “the future of your most intimate data being sold to the highest bidder isn’t dystopian. It’s happening now.” One example included Bud Light’s “Bud-E Fridge” as the makers called real-time data about how much beer is stocked “a wealth of knowledge” that will pay off in a couple years even if the fridge doesn’t make a ton of money. Brands are going to look at the data collected by their IoT devices as a new source of revenue stream.

If you think it is unlikely that your IoT devices will start cashing in on data it collects about you, then you might also believe it is a conspiracy theory that apps which request permission to access your microphone are “listening in” to serve up relevant ads. In some cases, it might be a coincidence if you suddenly start seeing ads about a topic that you recently discussed, but not always.

For example, your phone can be “listening” for what you watch on TV. Last month the FTC sent a warning letter (pdf) to unnamed app developers using Silverpush code that “can monitor a device’s microphone to listen for audio signals that are embedded in television advertisements.” Basically the apps can secretly listen to everything that happens in the background; Forbes explained how Silverpush uses a unique inaudible sound in TV commercials that you might not notice, but an app on your phone could. Once it hears that sound, the app knows what you are watching.

It’s important to note that Silverpush claims ads in the USA are currently not using audio beacons, but the FTC still said app developers need to notify users why their apps ask to use a phone’s mic. The FTC’s letter adds that “nowhere do the apps in question provide notice that the app could monitor television-viewing habits, even if the app is not in use.”

For the curious, here’s a list of Android apps which use SilverPush.

While some privacy advocates may care, sadly there are a plethora of people who don’t know or care what their apps or IoT devices are monitoring and collecting. How else do you explain the success of major TV brand makers even after smart TVs were labeled the ‘perfect target’ for spying on you? Since then, smart TVs were caught “eavesdropping,” tracking viewing habits, or snarfing up personal files such as those connected via a USB.

The post on Medium advises you to ponder what data you are giving away, where does it go, and if you even own the IoT device at all before you buy smart devices. A differentpost on Medium by Stephanie Rieger advises you to consider similar topics before you rent a house or apartment that comes equipped with “smart” features.

“Rarely does this process currently involve discussions about hardware versions, operating systems, apps, firmware, connection ports (barring cable/TV/phone) and who has the right or indeed responsibility and sufficient access privileges to install updates, pay monthly or annual subscriptions, or introduce new software into the system,” Rieger wrote. Since some of those smart devices can be collecting your data, be vulnerable to attack, or end up costing you a subscription to a service you don’t even want, then those are important answers you should demand.

We should demand answers about our collected data from the makers of our IoT devices as well, but as Internet of Sh*t pointed out, “Nobody really knows the answer because they don’t want to tell you.” The manufacturers probably believe “it’s better if you don’t know.”

Source: http://www.networkworld.com/article/3054011/security/devil-is-the-details-dirty-little-secrets-of-the-internet-of-things.html