The movement towards connected and cloud-enabled IoT devices has opened the door to many benefits and conveniences. Anyone that has turned up their heat without getting up off of their couch (and out from under a toasty blanket) will certainly attest to that.
However, while device manufacturers and IoT companies were opening the door to increased convenience, they were also leaving it wide open to something much more malicious – hackers and security threats. By connecting these devices to networks and the Internet, manufacturers made it possible for hackers to target them for cyberattacks.
And these malicious actors have taken them up on that opportunity. According to Gary Sockrider, the Director of Security Technology at NETSCOUT, “IoT devices are under attack five minutes after they are powered up and are targeted by specific exploits within 24 hours.”
This might be frightening for people that utilize one or more IoT devices in their home. But it gets worse. IoT is now extending beyond the home into the workplace. Many of the same benefits and conveniences that people wanted in their personal devices are now in high demand in commercial and industrial devices. Today, much of the commercial and industrial equipment that is found in commercial buildings, powerplants, water treatment facilities and other critical infrastructure is also cloud-enabled and connected to the Internet.
The evolution of the Industrial Internet of Things (IIoT) means that the critical infrastructure necessary for sustaining and enabling our modern way of life is now increasingly susceptible to cyberattacks.
Colin Dunn, the Founder and CEO of cybersecurity solution provider, Fend, recently spoke about the security concerns surrounding critical infrastructure in advance of a technology conference in the National Capital region – where protecting critical infrastructure is a hot topic of discussion and debate. Here is a portion of that conversation:
Q: Why is the cybersecurity of critical infrastructure an issue today? What has changed in the past few years that has made this a problem now?
Colin Dunn: The internet of things makes it really tempting to bring critical infrastructure like our buildings, electrical substations, and transportation networks into the cloud to improve asset use and business performance. The initial excitement over the benefits of connectivity has outpaced our understanding of attackers’ capabilities.
We have maintenance people able to control building systems from their smartphones while on vacation. As convenient as this may sound, this level of access can be exploited by attackers. With the penetration of the US power grid by the Russians and with entire cities being held captive by ransomware, many are beginning to believe we’ve taken unchecked connectivity a bit too far.
Q: Why is critical infrastructure the target of malicious actors? What types of hackers would want to attack critical infrastructure? What consequences could result from a successful cyberattack to critical infrastructure?
Colin Dunn: America’s enemies like Iran and North Korea attempt to take down our infrastructure on a daily basis, but the ability to cause harm is now more widely distributed and attacks are being carried out for a wider set of motives. The tools needed to take down our physical infrastructure have never been easier to obtain and the stakes have never been higher.
Ransomware has finally given a business model to those who might otherwise need a state-sponsor to bother attacking the grid or building automation systems. As a hospital, for example, when your chiller is held for ransom, you cannot perform surgery, use the MRI, bill customers, or save lives.
Q: What types of organizations need to worry about this?
Colin Dunn: Organizations that have physical assets – buildings, commercial vehicles, power generation equipment – that if lost would disrupt business operations. Utilities, government agencies, and commercial real estate owners are just a few [examples].
Building and industrial control systems are served by just a handful of equipment manufacturers and even though a hacker isn’t targeting your specific asset, it may be caught up in a “shotgun” attack looking to take down millions of similar devices.
Q: We’re just a few months into 2020. Can you give our readers three cybersecurity predictions for the coming year? What cybersecurity trends will we see in the coming year? What cybersecurity stories will make headlines?
Colin Dunn: This is an election year in the U.S. and since more and more voting systems have gone digital, I think we are going to see cybersecurity in the spotlight throughout the year, particularly in instances where election results are close or where any hint of irregularity – real or perceived – exists.
But the real story of election cybersecurity this year may have nothing to do with the voting machines. It’s possible we may see a full-on cyberattack on our electric grid and polling stations this November.
Trend-wise, I think you’ll see an increasingly serious public conversation around cybersecurity and the Internet of Things. You see some of this happening already with households and items like connected camera doorbells and in-home assistants like Alexa and Google. I think that the same serious conversation will also happen around critical infrastructure.