The Operational Technology (OT) networks that connect the Industrial Control Systems (ICS) that govern our vital infrastructure have been a popular target for hackers. As more services, such as power grids, water treatment facilities, transportation, and healthcare systems integrate their operational technology systems with the internet of things – for example, through remote sensors and monitoring – this creates a new frontier of risks where hackers can exploit millions of more vulnerability points and new vectors.
These assaults have far-reaching consequences not only for enterprises, but also for entire communities, towns, nations, and countries. The ramifications can be disastrous. In April 2020, hackers used their IoT system to target Israel’s water treatment plants, allowing attackers to alter the temperature, water pressure, as well as chlorine levels. If the assault had been successful, it might have caused large towns to fall ill from the water supply or triggered a failsafe, leaving thousands of individuals without water.
How are cyber-criminals exploiting IoT systems?
When security best practices are not followed, IoT devices and linked systems can pose a significant security risk to key infrastructure services. They have a few inherent flaws:
As a result, hackers may exploit these systems in a variety of ways, either to carry out attacks on larger targets or to move laterally to disrupt mission-critical systems, extract intellectual property, steal customer and employee information, or other critical assets.
In the last 18 months, a new “botnet” assault known as Mozi has been highly active, responsible for 90% of total IoT attacks in 2020 and managing almost 500,000 linked devices. Each infected device is told to seek out other devices to infect, allowing cybercriminals to seize control of whole networks and their data and keep it for ransom.
Verkada, a Silicon Valley start-up, was hit by a major IoT cyber-attack in March 2021. The hackers gained administrator access to a significant number of security video surveillance cameras, allowing them to run their own malicious malware on the equipment.
Once a hacker has gained access to a networked device, they might use it as a launching pad for subsequent attacks, compromising systems that are vital to operations. As companies continue to connect IT and OT networks in order to obtain new insights, these devices represent an even larger risk to operations that depend on industrial control systems. We are going to see more assaults on critical infrastructure sectors unless there is a larger effort for security that targets these linked devices.
What steps are being taken on a global and regional scale?
To combat ransomware and IoT threats, critical infrastructure remains primarily private-owned, necessitating a collaborative effort between both the public and private industries. Governments are introducing and expanding on current cyber security rules for IoT devices in order to solve gaps in security procedures and standards within key industries.
In 2020, the European Union Agency for Cybersecurity (ENISA) released guidelines on the security of IoT supply chains and is currently creating particular security measures for IoT operators as well as critical infrastructure businesses. Meanwhile, in late 2020, the IoT Cyber Security Improvement Act was approved, requiring US public sector IoT users, particularly those utilized in critical infrastructure, to apply effective cyber defenses to their IoT deployments.
The National Institute for Standards and Technology (NIST) established the standard, which has been key in creating ways for strengthening cyber security across the United States for several years. NIST has created a variety of guidance publications in collaboration with partners from government, industry, and the private sector, as well as in conjunction with other countries’ international standardization initiatives. Given the US government’s size as a client, the NIST guidelines set for the public sector may potentially serve as a larger de-facto industry standard for all sorts of IoT devices in the US and abroad.
In addition to the IoT Cybersecurity Improvement Act, which concentrates on the US Federal Government market, Public Law 116-283, which was approved at the end of 2020, called for an IoT Steering Committee comprised of private sector players to advise a US Federal government-wide interagency committee. The Steering Committee and Federal Working Group are responsible for identifying IoT advantages, improving IoT legislation, and removing barriers to implementation. In a related endeavor, the President’s Executive Order on Cybersecurity issued in May 2021 asks for the development of a labeling scheme for consumer IoT goods that specifies how they fulfill cybersecurity standards, with the program expected to be effective by February 2022.
Beyond federal agencies and contractors, these attempts to develop security criteria for IoT devices address the necessity for security in critical infrastructure. Industries most vulnerable to these assaults want consistency and efficiency, and so turn to these laws and regulations as recommendations for implementing basic security standards.
Where can the private and public sector focus their efforts?