- Cyber-attacks on infrastructure services are on the rise, most recently the Colonial Pipeline hack in the US and the public health service attack in Ireland.
- Hackers are exploiting the use of Internet of Things (IoT) which creates millions of new vulnerability points in critical infrastructure.
- We need the public and private sectors to build greater consensus on IoT security standards and build trust in security across critical infrastructure.
We are in the midst of a “cyber pandemic”. In 2020, COVID-19 accelerated a transition towards remote working and the software being used for these attacks has become easier to execute, ransomware attacks have risen rapidly and continue to accelerate in 2021:
- Attacks in the US alone have increased 300% in the past nine months.
- More than 60% of ransomware attacks target industries with critical infrastructure, led by healthcare, utilities, and manufacturing.
- US utilities have been attacked 300 times every week with an increase of 50% in just two months.
A prime target for cybercriminals has been the Operational Technology (OT) networks which interconnect the Industrial Control Systems (ICS) that manage our critical infrastructure. As services like power grids, water treatment facilities, transport and healthcare systems increasingly integrate their operational technology systems with the internet of things – for example through remote sensors and monitoring – this creates a new frontier of risks where millions more vulnerability points and new vectors can be exploited by hackers.
These attacks have huge implications not only on businesses but also on communities, cities, states, and entire countries. The consequences can be dire. In April 2020, hackers targeted Israel’s water treatment facilities through their IoT system, which gave attackers the ability to change the water pressure, temperature, and chlorine levels of the water. If the attack had fully succeeded, this could have led to whole communities becoming sick from the water supply or triggering a failsafe which would have left thousands of people without water entirely.
How are hackers exploiting IoT systems?
IoT devices and connected systems can be a large security risk for critical infrastructure services when security best practices are not implemented, as they come with a few intrinsic flaws:
- Lack of standardization in cybersecurity practices across the supply chain leads to greater exposure.
- Vulnerable security protocols and designs, including weak passwords and patching practices.
- Obsolete and unsupported architecture, firmware and software.
- Attack surface that increases with the number of connected devices.
As a result, there are a number of ways for hackers to exploit these devices and either perpetrate attacks on bigger targets or move laterally to harm mission-critical systems and steal information of customers and employees, intellectual property, or other sensitive assets.
A new “botnet” attack called Mozi has been extremely active in the past 18 months, accounting for 90% of total IoT attacks in 2020 and controlling nearly 500,000 connected devices. Each compromised device is instructed to find more devices to infect, which enables cyber criminals to gain control over entire networks and its data and hold it for ransom.
In March 2021, Silicon Valley start-up Verkada suffered a massive IoT cyber-attack. The hackers were able to obtain administrative privileges to a large number of security surveillance cameras, meaning they could execute their own malicious code on the devices.
Once a hacker can breach a networked device, they can then use the device as a launching point for attacks laterally, exposing systems that are critical to operations. As industries further integrate IT and OT networks to gain new insights, these devices pose an even greater danger for operations that rely on industrial control systems. Without a greater push for security that addresses these connected devices, we are likely to continue seeing more attacks that target critical infrastructure industries.
What is being done at a national and global scale?
Critical infrastructure remains largely private-owned and will require a coordinated effort between the public and private sectors to deter ransomware and IoT threats. To address gaps in security protocols and standards within critical industries, governments are taking it upon themselves to introduce and expand on existing cyber security policies for IoT devices.
The European Union Agency for Cybersecurity (ENISA) published guidelines on security IoT supply chains in 2020 and is now developing specific security measures for IoT operators and critical infrastructure industries. Meanwhile, the IoT Cyber Security Improvement Act was enacted in late 2020, which requires US public sector users of IoT, including those used in critical infrastructure, to extend robust cyber defenses to their IoT deployments.
The standard for this has been developed by the National Institute for Standards in Technology (NIST), who has been central in developing approaches for improving cyber security across the US for several years. NIST has developed a number of guidance documents in consultation with stakeholders in government, industry and the private sector, and in coordination with other nations’ international standardization efforts. Given the size of the US government as a customer, the NIST standards adopted for the public sector could also act as a broader de-facto industry standard for all types of IoT devices in the US and beyond.
Looking beyond the IoT Cybersecurity Improvement Act which focuses on the US Federal Government market, Public Law 116-283 which passed at the end of 2020 called for an IoT Steering Committee made up of private sector stakeholders to advise a US Federal government-wide interagency group. The Steering Committee and Federal Working Group are tasked to identify the benefits of IoT, improve IoT regulation and remove barriers to adoption. In a parallel effort, the President’s May 2021 Executive Order on cybersecurity calls for the piloting of a labelling programme for consumer IoT products that identifies how they meet cybersecurity criteria, which will be operational by February 2022.
These efforts to establish security requirements for IoT devices goes beyond federal agencies and contractors to address the need for security in critical infrastructure. Industries that are most exposed to these attacks seek uniformity and efficiency, and thus look to these laws and policies as guidelines to adopt baseline security requirements.
What can the public and private sector do?
As cyberattacks rise in critical industries, governments and the private sectors have a shared responsibility to protect these systems. Adopters of IoT devices can work alongside policy-makers and cybersecurity suppliers to build greater consensus on IoT security standards while also developing trust in security across critical infrastructure.
1) Establish a consistent approach on IoT security globally by:
- Agreeing on a common global baseline standard on IoT security (differentiating consumer and industrial devices).
- Promoting shared security principles from industry alliances such as the Cyber Tech Accord, Charter of Trust or Paris Call for Trust and Security.
- Aligning regulations and baseline device security certification mechanisms.
- Developing common principles for digital security and international norms.
- Focus not only on the suppliers but also the consumers of IoT technology.
2) Building trust through better transparency and international cooperation:
- Clarifying the responsibility model across the supply and value chain.
- Fostering cross-sector and international collaboration.
- Promoting the use of international information-sharing frameworks and assurance best practices.
Jeremy Kaye, Head, Executive Briefing Center, Check Point Software Technologies
Mitch Muro, IoT Security Product Marketing Manager, Check Point Software Technologies
Katerina Megas, Program Manager for Cyber Security for IoT, National Institute of Standards and Technology (NIST)
The article was originally published in the World Economic Forum. You can view it here.