From a consumer standpoint, the biggest IoT security worries are privacy-related. A family may fret their security cameras could give a stranger a glimpse into their home. Or that the data their smart speakers collect is vulnerable.
While those worries are legitimate, they don’t fit the most common threat models or represent the most significant IoT security risks. An attacker targeting IoT devices is more likely to view those devices as a means to an end. Perhaps they could harness scores of them in a distributed-denial-of-service attack. Or use them as a pivot point to reach more valuable targets on the network.
In a recent talk at DEFCON in Las Vegas, Bryson Bort, the chief executive officer of Scythe, chairman of GRIMM and advisor to the Army Cyber Institute at West Point shed light on some of the most meaningful trends in the field of cybersecurity-related to IoT and industrial control systems in the past year.
1. Nation-State Attribution Is Growing More Common
Not long ago, organized crime groups seemed to be behind the vast majority of cyberattacks. But now, nation-state actors are upping their game — sometimes recruiting talent from the cyber underworld.
The most recent Data Breach Investigations Report from Verizon shows the volume of breaches assigned to organized crime groups falling considerably since 2015. In that same time frame, state-affiliated activity increased.
As the level of nation-state activity increases, attempts to attribute which country was behind a given attack have also grown. While cybersecurity researchers often focus on the technical side of attacks, Bort said it is essential to understand the role of nation-states’ likely motivations in a given attack.
2. Attacking IoT Devices as a Pivot Point Is a Real Worry
The risk of an attacker spying on you as you step out of the shower through an internet-connected camera is real. But that sort of breach doesn’t align with threat actors’ more-common goals of financial gain or corporate- or government-targeted espionage.
A more significant threat, however, is using IoT devices for lateral attacks. Breaching many commodity IoT devices is relatively trivial, and it provides a jumping-off point for further espionage or sabotage.
The Microsoft Security Response Center recently reported it had observed a threat actor targeting “a VOIP phone, an office printer, and a video decoder.” The attacker’s apparent motivation was to gain access to a variety of corporate networks. “Once the actor had successfully established access to the network, a simple network scan to look for other insecure devices allowed them to discover and move across the network in search of higher-privileged accounts that would grant access to higher-value data,” the report explained. Microsoft attributed the activity to a group it calls “Strontium,” which is also known as APT 28 of Fancy Bear. The collective is also thought to have been involved in the DNC hack in 2016.
3. Air-Gapping (Still) Doesn’t Exist
In theory, an air-gapped network is physically isolated from the rest of the world, making it immune to attacks traversing the internet. In reality, organizations who leverage a security-by-obscurity approach face an elevated risk of getting breached. “Has anyone ever actually seen a real air gap?” Bort asked. “No, because they don’t actually exist. Not a single time in my entire life of pen testing in industrial control environments [have I seen one],” he added.
The most famous example of a breach of a purportedly air-gapped system is likely Stuxnet. In that breach, the attacker was able to gain access to a network within an Iranian nuclear facility — probably via a USB stick.
4. The Dark Side of Green Energy Is Cybersecurity
That the U.S. power grid is vulnerable to a cyberattack has gained notoriety thanks to the efforts of seasoned journalists like Ted Koppel, whose 2015 book “Lights Out” covers that subject. Also in 2015, purportedly Russian hackers were able to temporarily shut down for roughly 230,000 people. In the interim, U.S. newspapers have published a string of articles claiming Russia is targeting the U.S. power grid. More recently are anonymous revelations that the United States is also targeting Russia’s.
The situation raises the question of why countries across the world are making substantial use of information technology in their power grids if it introduces a host of new threats.
Bort asked: “Why don’t we just go back to completely analog?”
Part of the answer to the question is green energy. A host of factors, from people across the world purchasing electric vehicles to installing solar panels on their roof, has fundamentally changed the equation for power distribution. A few decades ago, the flow of electrons from a substation to a consumer was unidirectional. But now, consumers, through renewables like solar energy now intermittently contribute power back to the grid. “Now, I need computers to handle the exponentially more complex electric grid,” Bort said.
5. Nation-States Are Increasingly Targeting Critical Infrastructure
Cyberwarfare may not be new, but nation-states seem to be stepping up their efforts in targeting rivals’ industrial control systems and critical infrastructure. Such infrastructure ranges from voting machines to water and power infrastructure.
In general, the nation-state actors with the most advanced cyber divisions are the United States, United Kingdom, Israel, Russia, North Korea and Iran. Vietnam would likely get an honorable mention, Bort said. “In the past year, we have seen the Vietnamese conducting nation-state espionage at an extreme level.
Earlier this year, Bloomberg reported that “Vietnam ‘state-aligned’ hackers” are targeting foreign automotive companies to support the nation’s burgeoning vehicle manufacturing initiatives.
6. Cyberattacks Help Fund Isolated Countries
In 2017, The New York Times reported the Trump administration had requested $4 billion to help fund cyberweapons to sabotage North Korea’s missile control systems. The funding would also support drones and fighter jets to knock such missiles out of the sky before they reach U.S. shores. The same publication had quoted anonymous sources claiming an ongoing cyber-campaign had targeted the country’s missile systems since at least 2014.
The other wrinkle to this story is a U.N. report that divulges how North Korea is helping fund its weapons program. It states the nation stole $2 billion in funds from financial institutions and cryptocurrency exchanges.
Bort said it is likely North Korea used the funding for a range of purchases. “Nobody cares about [North Korea’s] currency. They’re in a closed economy,” he said. “If the Dear Leader wants whiskey and Ferrari’s, he can’t buy it with local currency. He needs hard currency,” he added. “So, their primary motive from the cyber perspective is theft.”
7. A Single Cyber-Attack Can Cause Hundreds of Millions of Dollars of Damage
In strict terms, WannaCry and its variants aren’t explicitly IoT- or ICS-focused. But the malware, which targets Microsoft Windows operating systems, wrought similar damage on its victims. WannaCry showed that a piece of malware could waylay the operations of the U.K.’s National Health Service. The cost of the malware for NHS, which also led to the cancellation of 19,000 appointments, was £92 million. Meanwhile, WannaCry’s cousin, NotPetya, cost global shipping conglomerate between $200–300 million.
After the malware was introduced to the manufacturing plant via a susceptible supplier, the plant’s golden image was so old it couldn’t be patched. After the WannaCry variant was deployed in the environment, “it compromised everything it could touch and took the entire plant down,” Bort said.
While the U.S. has attributed WannaCry to North Korea, it is unlikely the nation-state intended to infect the plant. “This was a supplier who just happened to have had an image that was infected and introduced it,” Bort said. “I know. It’s crazy.”
8. Trisis Should Be a Wake-Up Call
Like WannaCry, Trisis ostensibly started in 2017. The attackers, which FireEye believes have ties to Russia, used a combination of phishing and watering-hole-based campaign against their victims. The attackers first targeted I.T. infrastructure and then moved laterally to their O.T. network, where they attacked the safety instrumented system at a critical infrastructure facility. “That’s a big deal,” Bort said. “In industrial control systems, [the SIS is] operating the sensors and computers changing things in the physical environment.”
While programmable logic controllers calculate what should happen in the physical environment for industrial controls, “they’re dumb computers,” Bort said. “I don’t have to hack a PLC. All I have to do is tell a PLC what to do. They don’t validate me. They don’t look for authority. [..] “That’s what the SIS does.”
While the first disclosed victims of Trisis were based in the Middle East, CyberScoop reports the authors of the attack are now targeting the U.S. power grid.
9. Critical Infrastructure Campaigns Are Ramping Up
There may be relatively few examples to point to where vast swaths of populations across the world were affected by critical-infrastructure-based cyber attacks. But a growing number of hackers are targeting this infrastructure. “The primary point here with critical infrastructure attacks is that these are iterative intelligence campaigns,” Bort said. “We don’t have much proof that what was intended to be destructive. But we definitely have proof of this intent to [get] into the infrastructure.”
10. Ransomware Has the Potential to Target IoT Devices
Security researchers have proven the feasibility of holding an array of IoT devices hostage. But while ransomware is widespread, the attackers deploying it have tended to target traditional computing devices.
Bort predicts that in the next five years, ransomware will spread to new IoT-based domains. “I think that somewhere in the world, somebody is going to wake up in the morning and they’re going to work their way down to their car to go to work,” he said. “The second they turn on that car, the infotainment system is going to pop up with: ‘Ransomware: Send 3 Bitcoins to turn it on.’”
11. In a Connected World, Suppliers Are Part of the Risk Model
Last year, Bloomberg made waves by claiming China infiltrated the U.S. supply chain by compromising one of the world’s top suppliers of server motherboards. The story was disputed by several leaders of the big-name tech firms mentioned in the story, including SuperMicro, Apple and Amazon as well as representatives from the U.S. Department of Homeland Security and the United Kingdom’s National Cyber Security Centre.
While the facts of the article may be in question, so-called “living-off-the-land” is a threat. “Attackers aren’t just bringing their own tools to the game. They are taking what’s already there in that environment and using it against you,” Bort said. “Anything that touches your infrastructure is a part of your risk model. It’s no longer just you anymore.”
12. Your Data Is Proliferating. So Is How It’s Sold.
“Did you know that a smart T.V. costs less than a T.V. with no smart functionality?” asked Bort in the DEFCON session. “Why is that? They make money off your telemetry and your data.”
An April Business Insider article reaches the same conclusion: “Some manufacturers collect data about users and sell that data to third parties. The data can include the types of shows you watch, which ads you watch, and your approximate location.”
Some carmakers are deploying similar tactics, Bort said. “There are multiple models where the car manufacturers are looking at how and what they can take from you when you drive your car.”
A report for the U.S.-China Economic and Security Review Commission voiced concern about the Chinese government’s “unauthorized access to IoT devices and sensitive data” as well as expanding “authorizing access.” The report explains: “[China’s] authorized access to the IoT data of U.S. consumers will only grow as Chinese IoT companies leverage their advantages in production and cost to gain market share in the United States.”
Bort said many consumer-grade IoT devices send data to China. “If you want to really have fun, plug in an IoT device in your home, check the packets and see where they’re going,” he said. “I have not seen a single device yet that I plugged into is not going to China. Now, I’m not suggesting that’s nefarious or malicious.” It’s just typical for such IoT devices to beam data to the country. He asked: “Where are they made?”