Although it took some time to manifest, nation-states have realized the potential for cyber espionage and sabotage on IoT devices.

The latest news

On April 16, 2018, the US authorities issued a warning that government-backed Russian hackers are using compromised routers and other network infrastructure to conduct espionage and potentially lay the groundwork for future offensive cyber operations.

In a joint statement, the US Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI), along with the UK's National Cyber Security Centre (NCSC) - the cyber arm of Government Communications Headquarters (GCHQ) - said that Kremlin-backed hackers are using exploits to carry out malicious attacks. The hackers are using compromised routers to conduct man-in-the-middle attacks to support cyber espionage, steal intellectual property, and maintain persistent access in victim networks for use in additional campaigns.

U.S. CERT noted that cyber actors are exploiting large numbers of enterprise-class and residential routers and switches worldwide to enable espionage and intellectual property theft.

A growing concern

This is just the most recent of several incidents wherein nation-states have used connected devices for their goals.

A spying campaign called “Slingshot” targeted at least 100 victims in the Middle East and Africa from at least 2012 until February 2018, hacking MikroTik routers and placing a malicious dynamic link library inside to infect target computers with spyware components.

In another incident, nation-state actors left political messages on 168,000 unpatched IoT devices. The attackers used a bot to search the Shodan search engine for vulnerable Cisco switches and were easily able to exploit a vulnerability in Cisco Smart Install Client software to infect and “deface” thousands of connected devices with propaganda massages.

The west is also toying with IoT devices

Russia and China are not alone in investigating the potential of exploiting IoT devices. In 2016, US intelligence chief James Clapper acknowledged that the US would consider using the Internet of Things to spy on adversaries. More recently, the Dutch Joint Cyber SIGINT Unit hacked a CCTV camera to spy on a Russian cyber group called ‘Cozy Bear.’ As a result, they were able to identify many of the members as employees of the Russian Foreign Intelligence Service.

As western countries become more aware of espionage efforts by foreign governments, it is not surprising that they are fighting back by trying to reduce the attack surface. Several Chinese CCTV manufacturers were recently flagged for having built-in backdoors that could allow intelligence services to syphon information. Dahua, a maker of CCTV cameras, DVRs and other devices was forced to issue an emergency patch to its connected devices. Camera models from Shenzhen Neo Electronics were also exposed to have a severe security flaw. Finally, the largest maker of surveillance equipment in the world, HIKvision, was accused of having a backdoor and banned by certain US bodies.

What’s next?

While the potential for information collection through IoT devices is enormous, we shouldn’t forget that these are physical devices deployed in the real world, so hacking them can have real consequences.

Doomsday scenarios

Here are just four of many potential “doomsday scenarios” that could result from IoT device hacking:

Grid manipulation attacks

Power grid security has received the appropriate attention in recent years, due in part to large scale cyber-attacks on power grids around the world. But what if, instead of hacking secured power plants, a nation-state was to hack millions of smart devices connected to the power supply, so that it could turn them on and off at will? That would create spikes in local and national power consumption, which could damage power transformers and carrying infrastructure, or at the very least, have substantial economic impact.

Power companies try to balance consumption loads by forecasting peak consumption times. For example, in the UK, demand spikes are as predictable as half-time breaks in football matches or the conclusion of an Eastenders episode, both of which require an additional three gigawatts of power for the roughly 3-5 minutes it takes each kettle to boil. The surge is so large that backup power stations must go on standby across the country, and there is even additional power made available in France just in case the UK grid can’t cope. 

But since no one could anticipate an IoT “on-off” attack, nobody could prepare standby power, and outages would be unavoidable. In addition, power production, transportation and storage costs would be enormous.

Smart utilities

By attacking Internet-facing utility devices such as sewage and water flow sensors and actuators, attackers could create significant damage without having to penetrate robust IT or OT networks.

Smart city mayhem

Having a connected urban infrastructure is a terrific thing. The problem is that once you rely on it, there is no turning back. If the connected traffic lights, traffic monitoring cameras and parking sensors are taken offline or manipulated, cities could suffer with large scale interferences to their inhabitants’ daily lives. For example, shutting down connected street lighting could impact millions.

Simple terror

Since we are all aware of the potential impact of a devastating cyber-attack, it would not take much to invoke large-scale hysteria. Just imagine someone hacking a street sign and altering it to display messages from the country’s enemies.

Summary

Nation-states have long targeted IT infrastructure to gather intelligence and intellectual property, but their focus has shifted to OT/industrial networks with the aim of facilitating disturbances and physical sabotage. IoT seems to be the new domain in which proficient bad actors can collect information, create disturbances, cause large-scale damage, and inflict terror and panic. The IoT is both insecure and increasingly ubiquitous, and these characteristics make it attractive for hackers and guarantee continued exploitation.

Introduction

Business opportunities created by Internet of Things (IoT) and the Industrial IoT (IIoT) are among the most
debated topics, as these are designed to function in a broad range of consumer and industrial applications.
Manufacturers of IoT components believe in this new trend, but many of them still not understand the essence
of the IoT concept. In reality, not every controlled device is an IoT nor IIoT.

The IoT/IIoT concept is a communication-based eco-system in which control devices, CCTV cameras and
industrial sensors communicate via the Internet with cloud-based computer systems and data sources, and
the result of this process is displayed on a computer screen, smartphone or used for optimal activation of a
process. Through an IoT/IIoT ecosystem you may boost productivity and achieve unique benefits. Examples
of IoT/IIoT include applications such as; remote operation of home appliances, medical devices, check on
availability of a product in a store, warnings of unusual conditions and malfunctions and more.

Leading market research firms already estimate that by 2020 there will be over 20 billion devices worldwide,
defined as part of IoT/IIoT systems. Although the forecasted number is growing every year, it is not clear
whether these figures correctly refer to what can be and what cannot be considered IoT or IIoT. It is strongly
recommended that decision factors such as outlined below shall be taken into consideration.

Devices not considered as IoT/IIoT

In reality not all devices can be accepted to the “IoT/IIoT Club”. Through the following three examples I will
try to clarify the main considerations referring to this topic.
a) You purchased a home air conditioner activated by a smartphone or a web based application. If the
packing label shows “Wi-Fi-Ready”, you can do that, but it will not necessarily make it an IoT, since remote
activation by itself is not a sufficient condition to call it an IoT.
b) You consider to add a vibration sensor to a large water pump or gas turbine to diagnose a malfunction.
This is not an IIoT, as the vibration sensor device is reporting to a special PLC and an ICS computer
which control the operation of that machinery and may stop it if a fault is detected.
c) You purchased a CCTV camera, which is connected to a home computer or a VCR for security
surveillance. This is also not an IoT, because 24/7 loop recording system does not require additional data
available from cloud based resources and not require cloud based computing.

Devices considered as IoT/IIoT

Here are three commercial, consumer oriented and industrial examples, that according to listed explanations
are considered appropriate for being considered as IoT/IIoT ecosystem.
a) Computerized control of a washing machine. The IoT ecosystem using the built-in controller which
support the decision related to optimal starting of the washing process. Consequently, the IoT controller
device communicates with cloud based data sources related to the following considerations:
• Is there a report from the electric company on unusually high loading of the power grid at the
neighborhood? If yes, the washing process is delayed.
• Is it forbidden to cause unusual noise in a residential area such as may be caused by the washing
machine? If yes, the washing process is delayed
• Is there sufficient amount of hot water from the sun-roof boiler as required for the washing? If not, the
activation is delayed until electric heating of the water is completed.

The operation of a solar power plant can be controlled by an IIoT process. After the power plant receives
a request to start supplying power, the IIoT ecosystem system checks the following conditions:
• Is the forecasted intensity of sun-rays during the next few hours adequate to generate the required
energy to the grid? If not, the power plant activation is canceled.
• Are there alternative electric power resources that are more suitable to generate electricity for the
requested period? If yes, the power plant activation is rejected.
• If there are no other alternatives, the solar power plant will be activated with limiting conditions, and
the power grid operator will be advised accordingly.
c) An order is received to purchase a certain type meat for home use. Following this requirement, the
customer can start and IoT-based search using his smartphone:
• In which food chain is this item available, and what is the ticket price
• Which stores are active during the hours when the purchase is required
• The outcome of that process shall be a list of options sent to the customer
From the three examples listed above you may learn that the IoT/IIoT concept is applicable when it is
impossible to perform a simple interaction between the requesting entity and the device which provides the
service. IoT/IIoT systems allow such interactive process through cloud-based data resources.

Is there a reason for concerns?

Definitely yes, because huge amounts of cheap IoT components without professional configuration and
without cyber security measures will flood the internet network and allow cyber-attacks from all directions and
for any purpose. Can ordinary home owners properly configure these devices, replace the default password
and detect DDoS-type security breach? Of course not, and that's the problem.
Today, as a result of strong expectations towards IoT market, none wants to remember the early 2000’s and
the dot.com bubble. Then, well-known and professional companies invested billions of dollars in products
that did not provide benefits for which users were willing to pay. The benefits came only years later, and then
more resources were required to create new business models in order to recover their losses.

Summary

We all hope for huge IoT/IIoT deployments in the future, as this is good for users, vendors and also for
innovation. But…., anyone considering to develop a new IoT/IIoT ecosystem, shall focus on finding a real
need and properly design a cloud-data based solution that delivers significant benefits.
Cyber protection for any IT and ICS architecture consists of three essential elements that are achievable: a)
the use of security technologies, b) strict adherence to policies, and c) careful user behavior. This is also true
for IoT/IIoT ecosystems. Innovative technologies, components and architectures that will include cyber
protection as part of the IoT/IIoT ecosystem at no extra cost, will definitely drive the success.

Photo credit Martin Košáň via Flickr.