The world is at the cusp of 4th Industrial revolution which will be empowered by Internet of Things (IoT). This is where everything is connected to everything else using a digital network. Refrigerators, alarm clocks, air conditioners, etc. shall be connected to the Internet and be accessible over mobile phones. In the Industrial world, it is known as Industrial Internet of Things (IIoT). Industries will use a large number of sensors in their processes and gather humongous amounts of data that will be used to improve efficiency, productivity, and quality. Both IoT and IIoT have significant challenges from the perspective of security.
What is the threat to connected things?
An IoT system by its very nature is spread across a large area. For example, if your refrigerator places an order for groceries on Amazon or Wholefoods, it connects via a home router, the ISP switch, the Internet, to the retailer’s servers. Similarly, for an oil pipeline, the sensors would be located along the pipeline that runs for hundreds of kilometers. The data is collected at sub stations that feed into a database located on the cloud which is accessed by the operations department at field offices and the technology office in another location. Both these setups provide multiple intrusion points that can be used as a gateway into the private network and onto every device on that network. It could be a smart TV, a smart fridge or a valve actuator controlling the pressure in the pipe. This makes IoT systems vulnerable to cyber attacks.
Impact of the cyber attack on IIoT
Each intrusion point in any IoT system can be used to inject malicious code to produce dangerous results that can have devastating impacts. Stuxnet malware attack on Iran’s Nuclear facility is case in point. It destroyed 1000 centrifuge machines and crippled the plant. In 2000, an attack on Australia’s Sewage treatment plant caused millions of liters of sewage to spill out into local parks and grounds of a top hotel. Locally, imagine if someone can access your smart fridge or smart TV, he could steal your credit card information and order tons of food or order most expensive TV flicks simply to create a menace. In IoT based attacks, there can be a real and direct threat to life and property.
What can be done for the protection of connected systems?
There is a lot of work being done around security of IoT. The government of Japan is working on creating a standard general framework for secured IoT systems. It is working on creating the standards for different layers of connected devices to understand the risks at each layer and address them appropriately. These are:
- Device layer – Sensors, actuators, chips which make up the device.
- Network layer – Wired or wireless network (including private and commercial networks).
- Platform layer – The data aggregator layer that provides the valuable information for providing the actual service.
- Service layer – The services realized by use of other three lower layers.
Some key steps need to be taken to reduce the possibility and impact of attacks on IIoT. Few are mentioned below:
1. Understand the concerns: IoT devices come with minimal security controls. Knowing the limitations of the devices is the first step to understand their security requirements.
2. Evaluate the risks: Evaluate the risks associated with blending IT and other devices. What kind of attacks are possible?Who can possibly gain from attacks? What could be the possible objective of an attack? Which areas need to be secured on priority? Such questions help define the risks that are required to design the security system.
3. Consider the devices: When working with IoT devices consider the security features like authentication, encryption, data integrity and manufacturers patch management systems.
4. Consider the gateway: Securing the network, real time data stream monitoring and intelligent system behavior analytics are crucial to identify and stop a potential attack. Whether at home or in an industry, smart gateways that can detect and analyze the data flowing in each direction should be implemented.
5. Secure access: Industry standards must be used for authentication and authorization for access to the IoT In an industrial setup, secure keys and access token should be used to ensure that only genuinely authorized personnel is accessing the system.
IoT has the potential to take the quality of life and productivity to the next level. However, it comes with its own pitfalls. Unlike older mechanical devices, IoT devices need careful consideration for security.