Author: Giorgio Sbaraglia
1. The origins of IoT
The term “Internet of Things” (IoT) was coined by the English engineer Kevin Ashton, a researcher at the Massachusetts Institute of Technology (MIT), who used it as the title of a presentation he gave at Procter & Gamble (P&G) in 1999 on the possible use of RFID (Radio Frequency IDentification) technology in supply chains (read the article here).
He used the term to describe a system in which objects in the physical world could be connected to the Internet by means of sensors.
Twenty years on from Ashton’s intuition, the Internet of Things has exploded and today it concerns billions of devices connected in a variety of sectors, making possible higher automation and control over the systems where it is applied.
Among the many possible definitions of Internet of Things (IoT), we would like to report the one that ENISA (European Union Agency For Network And Information Security) gives in the “Baseline Security Recommendations for IoT in the context of Critical Information Infrastructures”, dated November 2017: “a cyber-physical ecosystem of interconnected sensors and actuators, which enable decision making”
Practically speaking, any electronic device that has a processor, an operating system and an Internet connection is, to all intents and purposes, comparable to a computer. It is a connected object (hence the term “Internet of Objects”) and for this reason it can be attacked, precisely through that network connection.
Many types of IoT devices are already present today in our homes and companies: routers, televisions, home appliances, thermostats, webcams, cars, locks, industrial plants, medical devices, sensors, etc.
2. The numbers of IoT
It is estimated that the number of IoT connected devices in the world has exceeded 30 billion.
According to International Data Corporation (IDC) estimates, worldwide spending on IoT could surpass 1,000 billion (one trillion) dollars in 2022, reaching 1,100 billion dollars in 2023, as indicated by the distribution by sector.
The internet connection makes it possible to control these devices remotely. And if they are not adequately protected, cyberattacks become a real and serious threat, even more critical if they are aimed at industrial plants and strategic infrastructures.
3. What are Industrial Control Systems
Let’s have a look at what ICSs are. ICS is the acronym for Industrial Control Systems, the most important and critical form of IoT and Industry 4.0. They comprise different types of systems and technologies, for example SCADA systems (Supervisory Control And Data Acquisition) and PLC systems (Programmable Logic Controllers).
SCADA systems are used to remotely monitor and control infrastructure and industrial plants. Because of their vulnerabilities, they have been the subject of many targeted attacks, which we will discuss later. Other attacks have been aimed at PLCs, like the famous Stuxnet.
ICSs manage physical processes and are widely used in a variety of industrial sectors: oil and gas, power stations and distribution networks, highways, ports, airports, train stations. We talk – rightly – about critical infrastructures.
Initially, industrial plants used to have characteristics that made them immune to cyberthreats, since they were not connected to the IP network.
When ICSs were finally connected to the Internet, the unquestionable advantages came together with significant risks for their security. On one side, connected systems are more flexible in terms of rapid reaction to critical situations and deployment of updates. On the other side, these infrastructures, which manage vital services, have shown their vulnerability to cyber attacks.
We can consider the 2000s as the moment when these attacks began, when the standardization of industrial system connectivity (SCADA, PLC, etc.) through TCP/IP protocols allowed IT and OT (Operational Technology) to converge.
4. From SCADA systems to the convergence of IT and OT
The SCADA architecture was born in the 1950s, well before the Internet appeared. This is why those systems were referred to as “monolithic”: they were isolated systems, controlled by PLCs, but without any sort of connection.
Over the next generations, SCADA systems were connected to the Internet, but often without being designed with mechanisms able to prevent unauthorised access or face the continuous evolution of threats coming from internal and external networks.
In other words: industrial networks became more and more complex, with tens and sometimes hundreds of connected devices (PLCs, sensors, PCs, switches, routers, etc.), but without a clear project.
5. The “Best Practices” to protect yourself
What emerges is that the best practices applied to ordinary company networks are neglected in favour of “flat” networks, which do not segment and segregate the most critical assets.
Often, these networks aren’t even protected by firewalls, which are instead used in the networks of company computers.
SCADA systems are frequently installed on old and “forgotten” machines: patching is neglected and the operating systems are by now obsolete.
One of the main critical issues of OT systems is their life cycle, on average longer than 10-15 years (versus an average life cycle of 3 to 5 years for IT systems). Windows XP is still very common and has not been supported by Microsoft since 2014, and the same goes for Windows Server 2003, whose support Microsoft ended in 2015.
And if this were not enough: sometimes antivirus and antimalware software are missing, either because they were never installed or because they are incompatible with the applications. And the network is almost never “closed”: USB ports are accessible, and network ports are left open (perhaps to allow remote access by maintenance workers) or people simply forget to close them.
To conclude: the approach used to design and manage ICSs is still very much “industrial” and pays little attention to security, as if these plants were set in a world where cyber risks still didn’t exist.
It is necessary to change this attitude completely and consider them on the same level as IT networks, with the awareness that – in case of an attack – the impact could be even more serious.
6. IT vs. ICS/OT: a complicated relationship
For a long time, since SCADA systems were born, Information Technology (IT) and Operational Technology (OT) developed as two completely separate and distinct domains.
IT used to focus on all the technologies necessary to manage IT processes with mainly economic and financial purposes.
OT focused on the devices, sensors, networks and software needed to manage operational processes (for example electricity supply and production systems), with reliability and safety as its purpose.
The continuous opening and integration of the OT world with the rest of IT processes changed this vision completely. The two domains are becoming more and more interconnected.
But it is difficult for such interconnection to be integrated into companies, because IT and OT still seem to have different priorities today, as we can see from picture 3.
To sum up: in the IT field, confidentiality of data has the highest priority, since data must not be stolen (Confidentiality). In the OT field, what matters most is the availability of data, since if data are not available (Availability) or get altered (Integrity), production risks coming to a halt.
7. The nature of cyber-attacks on industrial systems
Today cyber attacks are more and more frequent and aimed especially at IT systems. Among these, the most widespread is ransomware, which encrypts files and blocks the operations of companies.
But a cyber attack on an industrial system could have even more serious effects, because it can hit critical infrastructures and operators of essential services (electricity, water, transport, etc.).
This is why, even more so with the spread of Industry 4.0, OT systems need to be protected with the utmost attention. They need of course to be connected, but these connections should be supervised and controlled with great care.
The industrial network will have to be segregated in protected subnets and – when these networks must communicate with the company IT systems – connected to the IT network through well defined points controlled with protection systems.
8. The system of “Industrial Demilitarized Zone”
That’s why we talk about the IDMZ (Industrial Demilitarized Zone): between the company (IT) systems and the OT industrial area there is an industrial demilitarized zone, the IDMZ, which allows networks with different security needs (IT and OT) to be connected safely.
By not permitting direct communication between IT and OT systems, an additional level of separation is added to the overall architecture of the company network: the systems at the industrial level are not directly exposed to attacks.
If an attack should involve an industrial system, the IDMZ could be closed, the damage could be contained (mitigated) and production could go on.
The systems typically present in the industrial demilitarized zone include a web proxy server, a server that replicates databases, Microsoft domain controllers, etc.
This segregated architecture with an IDMZ has exactly the purpose of preventing the most frequent risk: an attack on the OT systems that arrives through the IT network, which is typically more exposed. Many of the most (in)famous and serious cyber attacks on industrial systems have indeed arrived through the IT network, and in many cases have exploited human errors.
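To make the IDMZ principle concrete, here is an added example (not code from the article or from FlashStart) that checks a zone-based firewall rule set for the two properties described above: no allow rule joins IT and OT directly, and OT is no longer reachable from IT once the IDMZ is taken offline. The zone names, the service names and both rule sets are constructed assumptions, not a real plant's policy.

```python
"""Checker for an IT / IDMZ / OT zone policy (added example; rules are constructed)."""
from dataclasses import dataclass

IT, IDMZ, OT = "IT", "IDMZ", "OT"


@dataclass(frozen=True)
class Rule:
    src: str            # source zone
    dst: str            # destination zone
    service: str        # named service the rule applies to (assumed names)
    action: str = "allow"


# Constructed policy: every IT<->OT exchange is brokered by a system in the IDMZ
# (web proxy, database mirror, patch staging), and direct flows are explicitly denied.
GOOD_POLICY = [
    Rule(IT, IDMZ, "https"),               # office users reach the IDMZ web proxy
    Rule(IDMZ, OT, "https"),               # the proxy forwards to the plant web interfaces
    Rule(OT, IDMZ, "sql-replication"),     # OT pushes data to the mirror database
    Rule(IT, IDMZ, "sql"),                 # IT reads the mirror, never the OT database
    Rule(IDMZ, OT, "patch-distribution"),  # patches are staged in the IDMZ, pulled by OT
    Rule(IT, OT, "any", "deny"),
    Rule(OT, IT, "any", "deny"),
]

# Same policy plus a "convenient" direct remote-access rule into the plant.
BAD_POLICY = GOOD_POLICY + [Rule(IT, OT, "rdp")]


def direct_it_ot_rules(rules):
    """Allow rules that join IT and OT directly, in either direction."""
    return [r for r in rules if r.action == "allow" and {r.src, r.dst} == {IT, OT}]


def reachable_zones(rules, start, closed=()):
    """Zones reachable from `start` over allow rules, with zones in `closed` taken offline.

    Reachability is transitive across services, which over-approximates: a proxy in
    the IDMZ does not route arbitrary traffic. That makes the check conservative.
    """
    seen = {start}
    frontier = [start]
    while frontier:
        zone = frontier.pop()
        if zone in closed:
            continue
        for r in rules:
            if r.action == "allow" and r.src == zone and r.dst not in closed and r.dst not in seen:
                seen.add(r.dst)
                frontier.append(r.dst)
    return seen


def check_policy(rules):
    """Return a list of findings; an empty list means the IDMZ properties hold."""
    findings = [f"direct {r.src}->{r.dst} flow for {r.service}" for r in direct_it_ot_rules(rules)]
    # Closing the IDMZ (the containment move described in the article) must cut IT off from OT.
    if OT in reachable_zones(rules, IT, closed=(IDMZ,)):
        findings.append("OT still reachable from IT with the IDMZ isolated")
    return findings


if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, check_policy(policy) or "ok")
```

In practice the `Rule` objects would be derived from the firewall's exported configuration rather than written by hand; the point of the check is that a single "temporary" direct rule, such as the remote-access entry in `BAD_POLICY`, silently defeats both the separation and the containment that the IDMZ is meant to provide.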
9. Cases of (in)famous and very damaging attacks!
9.1 The Stuxnet attack on the Iranian Natanz nuclear plant (2010)
Stuxnet represents a turning point in cyber warfare, on top of being one of the most famous ICS attacks.
In January 2010, in the nuclear plant of Natanz in Iran, the centrifuges used to enrich uranium-235 went crazy, got out of control and exploded. This put out of use at least 1,000 of the 5,000 Iranian centrifuges and set back the Iranian nuclear program by a couple of years.
What happened? It was a sophisticated cyber attack developed by the US and Israel through an operation under the code name “Olympic Games”, carried out to damage the Iranian atomic program without starting a conventional war.
The operation had been assigned to American experts of the National Security Agency (NSA), in collaboration with Israeli IT technicians (the legendary Unit 8200 of the Israel Defense Forces – IDF).
A deadly and very sophisticated malware was created, called Stuxnet, which was able to act on the industrial plant inside Natanz, taking control of the Siemens Simatic S7-300 PLCs that governed the functioning of the centrifuges for uranium enrichment.
Once the cyber weapon had been designed and built, it had to be introduced into the plant in order to act. In every cyber attack, the intrusion phase is always one of the most delicate and difficult to carry out: to carry out the attack, the attacker must first of all get into the target system.
How could Stuxnet penetrate into the Natanz plant?
Of course, the Iranians weren’t so naive as to put their top secret plants online. These were isolated from the Internet: in these cases, we talk about “air-gapped systems”, meaning systems that are physically disconnected from the rest of the network to guarantee a higher level of security.
The problem for the attackers was therefore how to get the Stuxnet malware into Natanz.
It has now been ascertained that the Stuxnet infection began inside the plant itself, with an infected USB key introduced by some Iranian suppliers.
These companies were not aware that they had been attacked and, once infected, it was only a matter of time before the plant in Natanz was hit. Through a USB device inserted into the computers inside Natanz, the infection spread from the Windows computers to the Step7 industrial software (made by Siemens) which controlled the PLCs of the plant, and modified their code.
USB devices are still today a relatively easy and unsuspicious way to inject malware. Most people, indeed, insert them into laptops without worrying much about the viruses they might contain. In this case too, the human factor was the weakest point in the security structure.
More information about the Stuxnet attack is available here
9.2 BlackEnergy turned off Ukraine in 2015
Another famous cyber attack on industrial plants is the one that hit the power plants of Ukraine in 2015.
23 December 2015, 15:35 Ukrainian time: the Ukrainian Kyivoblenergo, a regional electricity distributor, is hit by a cyber attack. Shortly afterwards the systems of at least three other regional electricity operators are hit.
Seven 110 kV substations and twenty-three 35 kV substations are disconnected for over three hours. 225,000 people are left without electricity.
The attack was developed by a foreign country (most likely Russia).
The agent used for the attack was the BlackEnergy trojan, which took control of the SCADA systems in the power plants, opened the breakers and caused the interruption of the power supply in a vast area of Ukraine.
To restore the service, the operators of the power plants had to switch to manual control of the plants. In this case too, the vector used to penetrate the plants exploited the human factor and social engineering: a spear phishing email was used to gain access to the company networks of the three plant operators.
The email had an Excel attachment containing a macro (picture 4): the macro was activated by the user who received it (probably a carefully selected target), who thereby opened the door to BlackEnergy and triggered the attack.
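The spear phishing vector just described, an Office attachment carrying a macro, is something an inbound mail gateway can recognise before a user ever opens it. The following Python is an added example, not code from the article or from FlashStart: it classifies an attachment by inspecting the Office Open XML package (a zip archive) for a vbaProject.bin part or a macro-enabled content type, regardless of the file extension, and applies a constructed quarantine policy for macro-enabled attachments from external senders. The sample workbooks are built in memory and are not real spreadsheets; the sender domains are assumptions.

```python
"""Triage of Office attachments for macros (added example; sample files are constructed)."""
import io
import zipfile

# Parts that hold VBA code inside the Office Open XML packages (xlsm, docm, pptm).
MACRO_PARTS = ("xl/vbaProject.bin", "word/vbaProject.bin", "ppt/vbaProject.bin")
ZIP_MAGIC = b"PK\x03\x04"


def classify_attachment(data):
    """Return 'ooxml-macro', 'ooxml-clean', 'not-ooxml' or 'corrupt'.

    The decision is based on the file contents, not its name: a macro-enabled workbook
    renamed to .xlsx still contains xl/vbaProject.bin. Legacy binary formats (.xls, .doc)
    are OLE containers, not zips, and need a separate check; they fall into 'not-ooxml' here.
    """
    if not data.startswith(ZIP_MAGIC):
        return "not-ooxml"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as pkg:
            names = set(pkg.namelist())
            if "[Content_Types].xml" not in names:
                return "not-ooxml"  # a zip, but not an Office package
            if any(part in names for part in MACRO_PARTS):
                return "ooxml-macro"
            # The declared content type is a second signal, in case the VBA part is stored elsewhere.
            if b"macroEnabled" in pkg.read("[Content_Types].xml"):
                return "ooxml-macro"
            return "ooxml-clean"
    except zipfile.BadZipFile:
        return "corrupt"  # truncated or malformed: treat as suspicious, not as clean


def build_sample_workbook(with_macro):
    """Construct a minimal package with the shape of an .xlsx/.xlsm (test data, not a real file)."""
    content_type = (
        "application/vnd.ms-excel.sheet.macroEnabled.main+xml" if with_macro
        else "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml",
                     f'<Types><Override PartName="/xl/workbook.xml" ContentType="{content_type}"/></Types>')
        pkg.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            pkg.writestr("xl/vbaProject.bin", b"placeholder bytes, not real VBA")
    return buf.getvalue()


def should_quarantine(sender_domain, data, internal_domains):
    """Constructed policy: quarantine macro-enabled or corrupt Office attachments from outside."""
    verdict = classify_attachment(data)
    external = sender_domain.lower() not in internal_domains
    return external and verdict in ("ooxml-macro", "corrupt")


if __name__ == "__main__":
    internal = {"plant.example"}  # assumed internal domain
    for sender, sample in (("supplier.example", build_sample_workbook(True)),
                           ("plant.example", build_sample_workbook(True)),
                           ("supplier.example", build_sample_workbook(False))):
        action = "quarantine" if should_quarantine(sender, sample, internal) else "deliver"
        print(sender, classify_attachment(sample), action)
```

The policy is deliberately content-based: it does not trust the extension or the declared MIME type of the mail part, since both are chosen by the sender. A gateway rule of this kind does not replace user awareness, but it removes the most common variant of the attachment described above from the user's inbox altogether.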
In conclusion, it is important to be aware that ICS systems, however well protected and segregated they may be, must necessarily be connected to the Internet (or at least have a way to communicate with the outside, if only for maintenance interventions and updates).
This represents the vulnerable point of the system, through which the attacker can enter. And, we stress it again, the intrusion in this kind of attack too exploits above all human error, using social engineering and phishing techniques.
The protection systems that FlashStart® supplies are aimed exactly at limiting and preventing these kinds of attacks, acting as prevention measures and to block phishing attempts.
Giorgio Sbaraglia (https://www.giorgiosbaraglia.it), engineer, is a consultant and trainer on the topics of cyber security and privacy.
He holds training courses about these topics for numerous important Italian companies, including the 24Ore Business School (read here).
He is a member of the Scientific Committee of CLUSIT (Italian Association for Cyber Security) and an Innovation Manager certified by RINA.
He has DPO (Data Protection Officer) positions in companies and Professional Associations.
He is the author of the following books:
“GDPR kit di sopravvivenza” – “GDPR survival kit” (Edited by goWare),
“Cybersecurity kit di sopravvivenza. Il web è un luogo pericoloso. Dobbiamo difenderci!” – “Cybersecurity survival kit. The web is a dangerous place. We must defend ourselves!” (Edited by goWare),
“iPhone. Come usarlo al meglio. Scopriamo insieme tutte le funzioni e le app migliori” – “iPhone. How to use it to its full potential. Let’s discover together all the functions and best apps” (Edited by goWare).
He collaborates with CYBERSECURITY360, a specialised online magazine of the Digital360 group focusing on cybersecurity.