In the simplest terms, the Internet of Things (IoT) consists of a wide variety of devices/things, sensors, and hardware/firmware. IoT devices have a computer chip, software, and an Internet connection. A “thing” can be a car or a refrigerator, or it can encompass an entire house or a “smart city.” As many objects in the environment become connected to the Internet and to each other, IoT devices and their implementations are creating numerous vulnerabilities that can lead to cyberattacks and compromise the security, privacy, and safety of individuals, homes, vehicles, businesses, and industrial control systems (ICS).
It is predicted that by 2020 more than 26 billion devices will be connected to the Internet. Despite the risks, the promises and benefits of IoT are enormous. A McKinsey Global Institute analysis predicted that IoT may improve performance and create value in a number of important areas (see fig. 1).2 The largest source of potential impact is improving operating efficiency. Referred to as operations optimization, this category includes:
- Inventory management: Tracking inventory and supplies in retail environments, factories, warehouses, and hospitals.
- Condition-based maintenance: Deploying sensor data to determine when maintenance is needed, reducing breakdowns and costs.
- Human productivity: Using IoT to teach skills, redesign work, and manage performance.
- Other optimizations: Remotely monitoring and tracking equipment, as well as automatically adjusting machinery based on IoT data.
Health management involves improving health and wellness using IoT monitoring data. Sales enablement exploits IoT usage data to generate new sales, and safety and security uses IoT sensors to mitigate safety and security risks. Other areas of potential impact include:
- Energy management: Using IoT sensors and smart meters to better manage energy.
- Environmental management: Improving stewardship of the environment using IoT technology, such as using sensor data to reduce air pollution.
- Product development: Employing IoT usage data for research and development.
- Autonomous vehicles: Adopting fully or partially self-driving cars, trucks, and public transportation vehicles.
In its 2015 Worldwide Threat Assessment, the Director of National Intelligence concluded that while the likelihood of a catastrophic attack from any particular actor that debilitates the entire U.S. infrastructure was remote at the time, “[w]e foresee an ongoing series of low-to-moderate level cyber attacks from a variety of sources over time, which will impose cumulative costs on US economic competitiveness and national security.”3
With the recent high-profile cyberattacks on the electric grid in western Ukraine that shut down electricity to 80,000 customers, and on Sony Pictures that disabled its financial and IT systems, among other widespread damage, executives and security experts are becoming alert to the significant risks cyberattacks pose, not only to data but also to physical assets. In its assessment of the Sony breach, the FBI said: “We are deeply concerned about the destructive nature of this attack on a private sector entity and the ordinary citizens who worked there. Further, North Korea’s attack on [Sony] reaffirms that cyber threats pose one of the gravest national security dangers to the United States.”4
Previously, criminals launched cyberattacks primarily for financial gain; now nation-states (including North Korea, Russia, Iran, and China) and organized criminal groups are attempting to damage, disrupt, or modify infected ICS and networks. The United States obtained indictments against seven Iranian hackers for launching a massive coordinated campaign of distributed denial of service (DDoS) attacks against 46 of the nation’s largest financial institutions. One of the hackers gained unauthorized remote access in 2013 to the supervisory control and data acquisition (SCADA) systems of the Bowman Avenue dam in Rye, New York, allowing him to obtain information about water levels and the status of the sluice gate, which is responsible for controlling water levels and flow rates.5 Justice Department officials assessed the situation by stating: “The infiltration of the Bowman Avenue dam represents a frightening new frontier in cybercrime. . . . We now live in a world where devastating attacks on our financial system, our infrastructure, and our way of life can be launched from anywhere in the world, with a click of a mouse.”6
While everyone is familiar with the massive data breaches that have made headline news, less attention has been focused on cyberattacks that caused physical damage and bodily injury. Vulnerabilities in IoT devices create new attack vectors (i.e., entry points) for hackers. They increase the “surface area,” and interoperability expands the potential scope of breaches and the damage they can cause.
The convergence of information technology and physical operations creates security risks to the operations of major critical infrastructure systems. The U.S. critical infrastructure7 is often referred to as a “system of systems” because of the interdependencies that exist between its various industrial sectors, both physically and through a host of information and communications technologies. An incident in one infrastructure can affect other infrastructures through cascading and escalating failures.
IoT architecture represents the cyber-physical convergence that is seen in major ICS. Control systems are vulnerable to cyberattack from inside and outside the control system network.8 Internet-based technologies were introduced into ICS designs in the late 1990s, exposing them to new types of threats. Now ICS include protocols and technologies with:
- known vulnerabilities;
- open standards that are published widely, providing a roadmap into systems; and
- insecure and rogue ICS connections (e.g., modems) that hackers can use to bypass security controls, creating significant risk.
Many low-power IoT devices are inherently insecure. Because low cost and speed to market are often priorities, security is not built into the IoT design, and what security exists may be minimal. Vulnerabilities are not eliminated, and software is not updated regularly. When these devices hit the market, they do not have the ability to respond to the complex, evolving threat landscape. Home security systems and household appliances, for example, have a device lifecycle (>10 years) that is much longer than the support life of the software on them (~two years); when vendors fail to patch or support that software, the devices may introduce risk for years to come.
IoT devices are being used in ways they were not designed for, particularly medical devices that were originally intended to be stand-alone. With minimal or no security and now connected to hospital networks, they are creating insecurities throughout the entire healthcare computing environment. The FDA has documented the risks and issued security guidance to address these problems.9
Each critical sector has varying levels of potential risk and impact. IoT security breaches may pose life-and-death risks, the inappropriate use of personal data, or theft and fraud. A hacker attack on a smart grid system could potentially turn off power to millions of households and businesses, creating massive economic harm and threats to health and safety. Other potential consequences of an ICS incident can range from disruption of operations and services (damaging equipment, reduction or loss of production at one site or multiple sites simultaneously) to catastrophic—jeopardizing national security or public safety (terrorist attack; release, diversion, or theft of hazardous materials; product contamination; or environmental damage).10
Incidents Involving Critical Infrastructures
Critical infrastructure owners and operators continue to experience increasingly sophisticated cyber intrusions11 that provide malicious actors the ability to disrupt the delivery of essential services (e.g., healthcare and emergency services, food, transportation, energy and power, and water supply and waste management), cause physical damage to critical infrastructure assets, and potentially produce severe cascading effects.12
In fiscal year 2015, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) responded to 295 cyber incidents impacting U.S. critical infrastructures. Reported incidents in the Critical Manufacturing sector nearly doubled from the previous year, overtaking Energy as the leading sector (see fig. 2).13
Of the various techniques used in the intrusion attempts for the incidents reported, spear phishing represented the “infection vector” in 37 percent of the total incidents (see fig. 3). While sophisticated intrusions against asset owners persist, ICS-CERT reported that it responded to a significant number of incidents enabled by insufficiently architected networks, such as ICS networks being directly connected to the Internet or to corporate networks where a spear phishing attack can enable unauthorized access. FBI data show that ransomware14 is currently one of the most serious cyber threats. It is a global threat to the computer systems that control ICS and IoT in all industry sectors.15
Attack methodologies used to steal data and to cause damage to ICS and IoT devices are remarkably similar. Thus, the indictment of a Russian national charged in the largest known data breach prosecution is instructive; the case provides details of the attack methodology used in several of the major data breaches and also sheds light on how an ICS/IoT attack may unfold.16
Addressing IoT Security Challenges
IoT presents daunting security challenges that must be addressed in the coming years. Conducting a risk assessment is essential for organizations to determine how much risk is being introduced and what can be done to mitigate it.17 Every information system is different, and risk assessments must be tailored to the data, design and architecture, hardware and software, and technology implementations of the system or network.
The NIST Framework for Improving Critical Infrastructure Cybersecurity provides an excellent roadmap for organizations to use in assessing security risks and a framework for determining the maturity of their cybersecurity program.18 Implementing technology and using IoT devices with known vulnerabilities is not “reasonable security.” Many IoT breaches and ICS incidents involve exploitation of devices with little or no security, known vulnerabilities, and violations of well-accepted security practices. With publication of the assessments of the threats, risks, and vulnerabilities of IoT, big data, cloud computing, and ICS, as well as best practices for addressing cyber risks, standards of care are beginning to emerge.
At a minimum, company and government executives should follow these principles:
- To properly support an organization’s risk management framework, security must be incorporated into the architecture and design of the organization’s information systems and supporting information technology (IT) assets.
- An organization should employ a defense-in-depth strategy.
- Do not implement devices, software, or systems with known vulnerabilities. Work and contract with vendors and business partners who provide products and services with appropriate security.
1. Worldwide Threats: Hearing before the S. Comm. on Armed Servs., 114th Cong. (Feb. 9, 2016) (statement of James R. Clapper, Director of National Intelligence), available at http://www.dni.gov/files/documents/SASC_Unclassified_2016_ATA_SFR_FINAL.pdf. (“‘Smart’ devices incorporated into the electric grid, vehicles—including autonomous vehicles—and household appliances are improving efficiency, energy conservation, and convenience. However, security industry analysts have demonstrated that many of these new systems can threaten data privacy, data integrity, or continuity of services. In the future, intelligence services might use the IoT for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials.”)
2. James Manyika et al., McKinsey Global Inst., The Internet of Things: Mapping the Value Beyond the Hype 111 (2015).
3. Worldwide Threats: Hearing before the S. Comm. on Armed Servs., 114th Cong. (Feb. 26, 2015) (statement of James R. Clapper, Director of National Intelligence), available at http://www.dni.gov/files/documents/Unclassified_2015_ATA_SFR_-_SASC_FINAL.pdf.
4. Press Release, FBI, Update on Sony Investigation (Dec. 19, 2014), https://www.fbi.gov/news/pressrel/press-releases/update-on-sony-investigation.
5. See United States v. Fathi, No. 16-cr-48 (S.D.N.Y. Mar. 24, 2016).
6. Press Release, DOJ, Manhattan U.S. Attorney Announces Charges against Seven Iranians for Conducting Coordinated Campaign of Cyber Attacks against U.S. Financial Sector on Behalf of Islamic Revolutionary Guard Corps–Sponsored Entities (Mar. 24, 2016), https://www.justice.gov/usao-sdny/pr/manhattan-us-attorney-announces-charges-against-seven-iranians-conducting-coordinated.
7. The private sector owns and operates the vast majority of the nation’s critical infrastructure and key resources—approximately 85–90 percent. Homeland Security Presidential Directive 7 designated 16 government and private industry sectors as critical infrastructure, see http://www.dhs.gov/homeland-security-presidential-directive-7.
8. Overview of Cyber Vulnerabilities, ICS-CERT, https://ics-cert.us-cert.gov/content/overview-cyber-vulnerabilities#under (last visited July 18, 2016).
9. Cybersecurity, FDA, http://www.fda.gov/MedicalDevices/DigitalHealth/ucm373213.htm (last visited July 18, 2016). The FDA is collaborating with the National Health Information Sharing and Analysis Center (NH-ISAC) to disseminate cybersecurity information and coordinate incident response.
10. Keith Stouffer et al., Nat’l Inst. of Standards & Tech., NIST Special Pub. 800-82 Rev. 2, Guide to Industrial Control Systems (ICS) Security § 4.1.2, at 4-3 (2015).
11. Incidents involving critical infrastructures have been collected over the years and can be found in the Repository of Industrial Security Incidents (RISI), available at http://www.risidata.com/.
12. DHS, The 2014 Quadrennial Homeland Security Review 23 (2014), available at http://www.dhs.gov/sites/default/files/publications/qhsr/2014-QHSR.pdf.
13. ICS-CERT Fiscal Year 2015: Final Incident Response Statistics, ICS-CERT Monitor, Nov./Dec. 2015, at 4, available at https://ics-cert.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Nov-Dec2015_S508C.pdf.
14. Ransomware is a type of malware (or malicious software) that blocks access to a computer system or files until a monetary amount is paid.
15. FBI, Criminals Continue to Defraud and Extort Funds from Victims Using CryptoWall Ransomware Schemes, Alert No. 1-062315-PSA (June 23, 2015), http://www.ic3.gov/media/2015/150623.aspx.
16. United States v. Drinkman, No. 09-626 (JBS) (S-2) (D.N.J. Feb. 18, 2015), available at http://www.justice.gov/sites/default/files/opa/press-releases/attachments/2015/02/18/drinkman_vladimir_et_al_indictment_comp.pdf (second superseding indictment); Press Release, U.S. Dep’t of Justice, Russian National Charged in Largest Known Data Breach Prosecution Extradited to United States (Feb. 17, 2015), http://www.justice.gov/opa/pr/russian-national-charged-largest-known-data-breach-prosecution-extradited-united-states.
17. See Lucy L. Thomson & Dr. Robert Thibadeau, Security Challenges of the Big Data Ecosystem Require a Laser-Like Focus on Risk, 12 SciTech Law., no. 2, Winter 2016, at 6.
18. NIST, Framework for Improving Critical Infrastructure Cybersecurity (2014), http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf.