Stuxnet, just the beginning?

As we rush into the Internet of Things, Mike Ellis suggests we remember Stuxnet, and how the data transferred between objects needs to be protected.

Stuxnet, just the beginning?
Stuxnet, just the beginning?

June was the anniversary of the discovery of Stuxnet, a computer worm that was found just four years ago.  Stuxnet is considered by many to be the first cyber-attack to target critical infrastructure.  It was specifically designed to exploit a hole in the back end of a very specific SCADA system in use at Iranian power stations. The worm reportedly ruined almost a fifth of Iran's nuclear centrifuges, severely delaying the country's nuclear programme. Yet four years later, many governments and enterprises still aren't prepared to handle this kind of threat.

Governments by their very nature are often slow to react and pass laws in response to threats. However the recent ruling stating that if "cyber-attacks result in loss of life, serious illness or injury or serious damage to national security the perpetrator would face a life sentence,” shows the validity of the threat is real and there are concerns that this is where cyber crime is heading.

Stuxnet is an early example of how hackers were able to use the digital world to disrupt physical assets in a country's critical infrastructure. The risk of attacks like this happening has never been higher as more non-smart devices are connected to the internet. Gartner predicts that by 2020, there will be 26 billion devices connected to the Internet of Things. This isn't just in the consumer world but in the public sector as well. Hampshire county council has recently introduced a scheme where they are able to control 100,000 street lights.  It would make sense that aspects of our critical infrastructure are next. Prime Minister David Cameron has recently laid out his plans for electricity meters that talk to the grid to get you the best deals; health monitors that keep an eye on your heart rate or blood pressure and water pipes that warn of a fall in pressure.

The opportunities with Internet of Things can change how a country can engage with its citizens, but how do we make sure we are keeping up with the opportunities afforded by the latest technology whilst making sure our critical infrastructure is safe and secure?  In this digital age, the vulnerabilities are endless. Imagine the havoc that would be caused by someone shutting down the traffic system of a busy city, or opening the flood gates of a dam during high tide.  At the moment we may only be talking street lights, but what about the future?

There is little reason why we shouldn't be maximising the opportunities that the IoT presents, but without the right security infrastructure in place, we could be putting our towns and cities at risk. The main worry is that these devices are passing details between each other without knowing if the data is safeguarded. Today's government identity platforms and network security platforms are completely fragmented. The missing part of this puzzle is the importance of context enabled by the next generation of identity and identity relationship management (IRM). This could involve data such as location, device used or time zone, to authorise machine to machine (M2M) communication and prove a request is authentic.  In addition to being context-aware, IRM is designed to address the complexities of extended networks that span the cloud and mobile. 

Currently governments are, metaphorically speaking, leaving their doors open and letting anyone who wants to come in and mess with our critical infrastructure do so. As the government continues to try and cut costs, technology is an avenue for savings and innovation. However, if the right precautions aren't taken, it will be more than a monetary loss when cyber criminals attack.

Contributed by Mike Ellis, CEO, ForgeRock