Author: Susan Bond, Sr. Program Manager, Solution Architect and Technical Leader
We are quickly entering a world that is moving beyond what IoT is defined as – any person, any device, any service. It is now every person, every device, every service. You cannot escape the IoT anymore. The convergence of Information Technology (IT), Consumer Technology (CT), and Operations Technology (OT) is a direct result of advancing technology; adoption of cloud-based services and applications in almost every business; and the proliferation of sensors in almost every facet of our lives. Consumer devices are connected to the Internet and data about us is moving all over and through the cloud. Businesses, both private and public, are leveraging advances in technology like ubiquitous wireless connectivity, machine-to-machine (M2M) systems, and data streaming. Everything can be connected to everything. I defined Operational Technology in the first post of this series. What does the convergence of IT, CT, and OT look like from a security standpoint today? Unfortunately, the attack surfaces hackers can use are growing exponentially as the fusion of technologies continues.
The Anatomy of an Attack
Let’s take the example of a 3D printer. A 3D printer requires inputs to produce the desired result. To help explain this example, let’s count the inputs. First, there are inputs such as software and firmware updates. In the OT space, firmware updates are critical for devices to have the latest updates, just like it’s important for a computer to be updated from Windows 7 to 10. So, that’s two inputs: the software updates and the firmware updates. Then you have the design specification as another input. The spec was created by designers so the printer knows how to print the output, for example, a gasoline can, using details like how tall it should be, how thick the can wall should be, what color the can should be, etc. Now we are at three inputs. Further inputs are the electricity that powers the printer, the internet connection, and of course the plastic powder material, similar to the ink cartridge in a paper printer, which the 3D printer forms into these gasoline cans. So for this example, we are at six different inputs, and six different opportunities for something to go wrong.
Any of these inputs can be infiltrated with malware. Perhaps someone is snooping on your network while you are downloading a firmware update and injects malware into that download; now your 3D printer is infected. Or the design specification was hacked and, instead of the can being built to spec, the build is off by just a few strokes, and now the can has a tiny hole that can leak gasoline, causing a hazard.
This can quickly become exponentially worse when you scale beyond a single output that an individual might print. Let’s say a manufacturing plant employs 3D printers to create infrastructure components used in bridges – a structural beam, maybe. What if someone infiltrates the design spec for those beams and changes the specifications, altering the load-bearing characteristics of the beam so it would fail at a lower load than expected? Can you imagine the repercussions? Bridges could collapse. With the fusion of technologies, IoT devices now present so many attack surfaces that this kind of scenario could occur.
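As an added illustration (not part of the original post), here is how a printer could refuse a firmware image or design spec that was altered after the publisher released it. The file names, the sample spec fields and the shared HMAC key are constructed for the example; the HMAC stands in for the vendor public-key signature a real device would verify.

```python
import hashlib
import hmac
import json

# Constructed key for the example; a real deployment would verify a vendor
# public-key signature instead of sharing an HMAC key with the device.
MANIFEST_KEY = b"constructed-demo-key"

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sign_manifest(artifacts: dict[str, bytes], key: bytes) -> dict:
    """Publisher side: record a SHA-256 digest per input and MAC the list."""
    entries = {name: digest(blob) for name, blob in sorted(artifacts.items())}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}

def verify_inputs(artifacts: dict[str, bytes], manifest: dict, key: bytes) -> list[str]:
    """Printer side: return the names of inputs that must be rejected."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        return sorted(artifacts)  # manifest itself was altered: trust nothing
    rejected = []
    for name, blob in artifacts.items():
        known = manifest["entries"].get(name)
        if known is None or not hmac.compare_digest(known, digest(blob)):
            rejected.append(name)
    return sorted(rejected)

# Constructed sample inputs: a firmware image and a gasoline-can design spec.
firmware = b"\x7fFWIMG constructed firmware image v2"
spec = json.dumps({"part": "gasoline can", "height_mm": 300, "wall_mm": 2.0}).encode()
manifest = sign_manifest({"firmware.bin": firmware, "can.spec": spec}, MANIFEST_KEY)

# The same spec after a small in-transit change to the wall thickness.
tampered_spec = spec.replace(b'"wall_mm": 2.0', b'"wall_mm": 1.6')

def demo() -> dict:
    clean = verify_inputs({"firmware.bin": firmware, "can.spec": spec}, manifest, MANIFEST_KEY)
    bad = verify_inputs({"firmware.bin": firmware, "can.spec": tampered_spec}, manifest, MANIFEST_KEY)
    return {"clean": clean, "tampered": bad}

if __name__ == "__main__":
    print(demo())
```

The check only covers the digital inputs; power and raw material need physical controls.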
Why Should We Care?
If the 3D printer example isn’t enough to illustrate the potential threat, let’s circle back a bit to show the fusion of consumer technology with operational technology and information technology. We will start with a smart home. Many smart home devices include cameras, and those cameras can be hacked if they are connected to your network. So, in a smart home, the camera on an alarm system can be infiltrated, and now someone has access to all your network devices. This might not be the end of the world, but it would be an invasion of privacy and could cost you a lot of money.
Let’s bump up the severity a bit. That same camera found in your alarm system could also be in your car. Someone can easily hack that camera – another consumer device connected to the internet – and compromise its function: instead of the way being clear to back up, there might be an obstacle your camera isn’t showing. People could get hurt.
And then we escalate to issues critical to infrastructure services, the world served by OT. That same dumb camera that was so easily hacked in your home and your car is also integrated into traffic control systems, including traffic signals at an intersection. That camera gets hacked, and the entire traffic control system can go haywire, causing severe delays, accidents, and potentially deaths. This is the kind of stuff movies are made of (think The Italian Job), and unfortunately it is becoming a reality in our world.
I don’t tell you all of this just to scare you into becoming a Luddite who never uses technology or leaves the house. There are ways we can combat these issues once we are aware of them. We can all be part of the solution, which is what I will discuss in Part 3 of this blog series. Stay tuned – it is not all doom and gloom!