By Emily Newton, Editor-in-Chief at Revolutionized Magazine
Smart devices can offer significant benefits for facilities ranging from manufacturing plants to warehouses to offices. However, the adoption of networked items — like intelligent sensors and IIoT trackers — may also have security implications.
These devices can remain challenging to keep secure, despite significant strides in IoT and security. They could threaten end-users networks if left vulnerable — including businesses responsible for maintaining critical infrastructure, like pipelines or water treatment plants.
Without well-established best practices for smart device design and operation, the business world as a whole could become much more vulnerable to cyber attacks within the next few years.
Smart devices are increasingly common in industrial settings. Industrial IoT (IIoT) technology may play various roles, like gathering data on critical site processes, monitoring machinery or helping managers track critical assets. Data from IoT devices can lay the foundation for new systems, like predictive maintenance solutions.
The networking of legacy operational technology (OT) is also becoming more common, typically for the same reasons that IIoT devices are growing in popularity. Connecting OT systems to the web can provide a business with key information on system operations and offer remote access.
Smart devices and IP-connected OT systems may also rely on technology with well-known security vulnerabilities. In a December 2020 report, Forescout Research Labs identified 33 new vulnerabilities in open source TCP/IP stacks. These are essential for IoT technology as they enable vendors to implement basic network communication for devices and similar IP-connected hardware, like IT and networked OT systems. The stacks cited in the report are used by millions of smart devices worldwide.
An August 2021 report from the same company identified an additional 14 vulnerabilities in the NicheStack TCP/IP stack. These included remote code execution, denial of service, information leak, TCP spoofing or DNS cache poisoning. NicheStack is implemented in various OT devices commonly used in critical infrastructure sectors, including wastewater treatment, manufacturing and power generation.
There may be additional significant vulnerabilities not yet identified in TCP/IP stacks widely used in critical infrastructure and important industries.
Attacks on critical infrastructure are becoming more common worldwide. However, many end-users are unaware of the threat hackers pose. One July 2021 report found that 21% of respondents had not even heard of the Colonial Pipeline hack, which shut down one of the largest pipelines in the U.S. and threatened much of the East Coast’s oil supply.
Critical infrastructure, business and manufacturing sectors face mounting cybersecurity threats, like a rise in ransomware targeting local water and wastewater treatment plants. Threat actors often use spear-phishing to gain network access, but federal agencies also reported that hackers were targeting outdated IT and OT systems with known vulnerabilities.
Smart devices are becoming more commonplace in the wastewater sector. They may be used to provide real-time monitoring capabilities or remote access to essential systems. Their benefits can be substantial, but adopting smart devices may further expose site networks and connect previously air-gapped OT systems to the internet.
A smart device that isn’t properly maintained could be vulnerable to hackers, putting the end-user’s network and essential wastewater treatment operations at risk.
Vulnerabilities in TCP/IP stacks can be patched, but unpatched devices will continue to be at risk until end-users update them. Without a security policy that prioritizes updates, a business’s fleet of smart items may be vulnerable to existing and well-known exploits in TCP/IP software.
The adoption of smart devices isn’t likely to slow down. Growing demand for automation and data-collection solutions has made IoT more important than ever, and almost every industry stands to benefit from smart technology. The rise of IoT components like intelligent semiconductors could also mean the number of networked devices could be about to explode.
As a result, cybersecurity experts face a growing security threat. Without quick action from businesses and security professionals, companies could connect tens of thousands of insecure devices to their networks over the next few years. Some of them may directly impact critical infrastructure’s safety.
Promoting the use of basic best security practices can help companies deter attackers. For example, a June 2021 SANS Institute survey found just 29% of organizations have automated most of their security testing. Doing this can provide significant protections that businesses may not currently have.
Sound governance, risk and compliance (GRC) strategies can help businesses more effectively identify, mitigate or respond to IT/OT and IoT security threats. These strategies can also help companies implement best practices for IoT devices effectively and consistently.
Encouraging industrywide communication and transparency on smart device security, vulnerabilities and threats could help IT professionals stay aware of the latest developments for IoT security. Conversations on smart device safety will be essential as these items become more important and a target for attackers.
New security frameworks for IoT and smart devices could also guide end-users and manufacturers, helping ensure secure operation.
Smart devices — notoriously difficult to secure and vulnerable to TCP/IP stacks exploits — present security risks for end-users. The right policies can help mitigate these risks, allowing businesses to take advantage of the benefits that the devices offer safely.
However, current security frameworks and practices may not be enough to protect businesses. Over the next few years, the cybersecurity community will need to defend IoT devices, educate end-users, and communicate on new and emerging threats to smart technology.
Emily Newton is the Editor-in-Chief at Revolutionized Magazine. A regular contributor to Brilliance Security Magazine, she has over four years of experience writing articles in the industrial sector.