The health, energy, and transport sectors are among IoT-enabled systems at increasing risk of a cyber attack. But why is this, and what can these sectors do to protect themselves? Kate O’Flaherty reports.
From power stations through to medical devices, internet-connected critical national infrastructure is at increasing risk from cyber attack.
Last year, the UK’s National Cyber Security Centre (NCSC) warned that assaults on critical infrastructure are “highly likely”. Increased tensions between Europe and Russia, and between the US and China, raise the stakes even higher.
Indeed, the NCSC said the Kremlin had already ordered attacks on energy companies with the aim of disrupting international order. Meanwhile, the US also recently accused Russia of attempted assaults on its utility sector, and blocked the largest deal in technology history, Broadcom’s hostile takeover of Qualcomm, on national security grounds.
But governments are starting to act. Under the EU’s network and information systems (NIS) Directive, organisations – including those in health, transport, energy, and finance – could be fined up to £17 million if they fail to implement robust cyber security measures.
The global energy sector has already fallen victim to several successful cyber attacks. In 2010, one of the first known large-scale incidents, Stuxnet, targeted an Iranian nuclear facility. Then in 2016, malware known as Industroyer was apparently deployed by the Kremlin to strike Ukraine’s national grid.
So why is this sector more vulnerable than others?
Unintended uses of equipment
The risk is elevated because utilities are often running old supervisory control and data acquisition (SCADA) systems, which were never intended to be connected to the internet in the first place. Adding to the security challenge, Internet of Things (IoT) programmes are being layered on top in a bid to increase efficiency.
The same challenge applies in healthcare, where the tightly regulated world of medical equipment – where machines are often extremely expensive and are used for many years before being replaced – has often seen old systems added to local hospital networks. Such devices can’t be redesigned, patched, or upgraded overnight.
Speaking at a Dell IoT launch in New York last year, IoT security company Zingbox claimed that hackers had entered US hospital networks via insecure medical devices, including MRI scanners and X-Ray machines, accessed patients’ medical records, and changed drug doses remotely.
Healthcare providers should consider whether all such devices need to be connected to the internet, and actively explore what the impact would be of the device being compromised, or used to access other critical systems.
They should then work with the manufacturer to take preemptive action.
The rapid growth of the IoT in these sectors is emerging as a further security challenge. According to recent research from the Wi-SUN Alliance, the IoT utilities sector alone could be worth as much as $15 billion by 2024.
Oil and gas firms, which have a long track record of using SCADA and industrial control systems (ICS) to drive efficiency, are the most eager to add the IoT to this mix, with 88 percent considering it a priority. Utilities are not far behind, with three-quarters of all firms investing in the IoT, according to Wi-SUN’s research.
“One reason for the growing interest in IoT is the fact that it plays into several other key areas, such as IT automation, big data analytics, and organisational connectivity,” says Phil Beecher, Wi-SUN Alliance president.
Adding to this, today’s connected energy systems differ to those of the past, which were historically on separate networks: “You had to physically be there to hack it,” says Ken Munro, partner and founder at penetration security company, Pen Test Partners.
When IoT solutions and processes are layered on top of legacy systems, it creates an inviting prospect for hackers and hostile ‘actors’, says Karl Lankford, senior solutions engineer at remote access specialist, Bomgar.
Lankford points to “lots of new products” being fast-tracked into use by manufacturers, which are keen to exploit the cost-saving efficiencies that the Industrial Internet of Things (IIoT) can deliver.
He warns: “In the rush to make everything internet enabled, security can sometimes be overlooked, and businesses have to ensure that someone isn’t creating or opening a backdoor into the network.”
• In a recent Internet of Business report, IBM laid out the ground rules for securing the IIoT.
In healthcare, the WannaCry cryptoworm last Spring demonstrated the potential impact of a successful cyber attack, when it brought more than one-third of the UK’s NHS Trusts to a standstill, causing cancelled appointments and halting life-saving treatments.
As is often the case with health technology, the ransomware’s impact was significant because of the high numbers of computers running an outdated and unsupported operating system – Windows 7 – which had not been patched.
Earlier NHS security review recommendations had not been implemented, partly for cost reasons. Had they been, WannaCry’s impact on the NHS would have been minimal. This tells us that ignoring security recommendations for cost reasons is a false economy.
Keeping operating systems and applications continuously patched and upgraded is essential. Particularly in an environment where hardware upgrades to run more recent OSs may not be possible for budgetary reasons.
There are numerous examples of vulnerable systems and devices in healthcare. For example, last year in the US it was discovered that 465,000 pacemakers needed a firmware update to close security holes. (Former US vice president Dick Cheney was reportedly so paranoid that his heart defibrillator could be hacked that he demanded doctors fit a new device without a Wi-Fi connection.)
Healthcare systems pose a particular challenge to security specialists, because replacing old technology is not always possible.
Greg Day, VP and CSO EMEA at enterprise security provider Palo Alto Networks, cites the example of an MRI scanner. “It’s very expensive, and embedded within it is a lightweight operating system. But you can’t just upgrade it; the company that made the hardware, such as Siemens, needs to test it to see if it’s compatible. There’s often a complicated supply chain involved.”
Meanwhile, Dan Lyon, principal security consultant at Synopsys, explains that is not always easy to recover healthcare systems after a breach. This is because medical devices need to be serviced by the manufacturer, and lack the data backup and restore functions that are usually performed when recovering from malware attacks. “This could mean an extended period of downtime while the manufacturer either repairs or replaces the medical device,” he says.
As the IoT becomes an integral part of critical industries, the transport sector is also vulnerable. According to Alex Cowan, CEO of specialist security vendor RazorSecure, the risks to transport organisations include: “Many connected devices are being put in security zones that they were never designed for, with connectivity back out to the internet and weak segregation of systems such as virtual LANs.”
Close to the edge
So, what can be done to mitigate these risks to critical industries? In the future, Edge security will be integral, as well as systems that look for unusual behaviour.
The edge environment is where much real-time AI and IoT processing will take place, because with an estimated 30 billion connected devices online by 2020, a mass of-in-memory processing will be essential, with other data-crunching carried out near the source.
Cowan points out that the NCSC’s guidance for NIS encourages a shift towards active security monitoring and anomaly detection, rather than attempting to secure each and every IoT device.
AI, machine learning, monitoring, and detection, together with automatic discovery and identification, may be the only realistic approaches to IoT security in the long run: systems that detect unusual profiles and/or infer unusual behaviour as it emerges.
In the energy sector, Munro advises segregation, access control, and updating kit. He says: “Security isn’t perfect: all it takes is one high-grade attack and we are stuffed again, but with industrial control systems, issues tend to be systemic. A vulnerability in one can lead to a breach of them all, which is why it’s so important to have good defences.”
Policy is also important. Doug Wylie, director infrastructure and industrials practice at information security centre SANS Institute, says organisations need to accept the risks and apply counter measures, including response and recovery. “It’s understanding what the risk profile looks like, and the threat landscape. This is often addressed by ensuring that people are continuously trained.”
Overall, visibility is key, says Palo Alto’s Day. “What do we have out there; what technology is it using, and who is responsible for it?”
But in the end, a very simple solution could help those tasked with protecting these vulnerable connected environments. Munro says: “People have got to be proactive. In most cases it’s about not missing patches and not using default, common, or reused passwords: the basics just aren’t being followed.”
Additional reporting: Chris Middleton.
Internet of Business says
A raft of recent reports have identified IoT security as a blind spot for many organisations. And as IoT systems are layered on top of legacy networks and critical systems, this introduces a much broader attack surface, where responsibility for security becomes less and less clear.
This is why organisations need to take responsibility themselves, stress test systems, and consider the possible impacts of a cyber attack in advance. The NHS did this, but key security recommendations were ignored. Budgets are often the real killers, it seems.
However, several Internet of Business reports reveal that many organisations simply aren’t taking responsibility, and are doing little to secure the IoT, despite strong awareness of risk.
And as Kate O’Flaherty points out, the unique challenge in healthcare, and in some industrial deployments, is that many types of device or machinery were never designed to be connected to the internet in the first place. Taking MRI or X-Ray machines offline inevitably impacts on hospitals’ ability to treat sick patients.
Instead of living on the edge, organisations should look to the edge for new solutions.
Read more: Gartner: IoT security spend hitting $1.5 billion – but strategy poor
Kate O’Flaherty is a freelance journalist with over a decade’s experience reporting on business and IT. She has held editor and news reporter positions on titles including: The Inquirer, Marketing Week, and Mobile Magazine, and has written articles for The Guardian, the Times, the Economist, SC UK Magazine, Mobile Europe, and Wired UK. She is also a contributing analyst at Current Analysis, covering wholesale telecoms.