Hacking critical infrastructure via a vending machine? The IoT reality

In the BBC's recent big budget thriller, McMafia, which finished on Sunday, a hacker was able to access files and take control of Mumbai Port's IT network through a vending machine with inferior security credentials. At first glance, this may appear implausible, but the threat to critical infrastructure is very real. As more devices are connected and additional sensors are introduced across industries, the ability to compromise a corporate network through an unpatched IoT connected device poses a real threat.

So, what are the realities behind IoT hacking concerns? 

The threat is real and it isn't going away.

Globally, there has been rapid adoption of IoT devices across all sectors. However, the majority of networks are unprepared for this massive influx of new devices, and are even less prepared for bad actors that attempt to access corporate networks and user data for nefarious purposes. 

Gartner predicts that there will be 20.4 billion connected devices in existence by the end of 2020. It's evident that connected devices will continue to increase, bringing many benefits but also presenting a growing security risk. As networks become more dynamic and continue to grow, it gets harder to identify and manage all of the devices connected to them.

The threat is here and it is very real. 2016 saw one of the largest DDoS attacks ever – the Mirai botnet – which rendered many websites unreachable. The attack was made possible through infected connected devices – unique IPs hosting the Mirai malware. The device compromised the most in this attack? CCTV cameras.

A newly discovered descendant of the Mirai IoT botnet, named Satori, has cropped up in 2018, specifically affecting ARC processors. The chief aim of this: to steal Ethereum cryptocurrency by hacking into online mining hosts and secretly replacing their wallets. 

Mirai and Satori show the potential malicious actors can have when armed with malware and lots of unsecured IoT connected devices to target. As more and more devices come online, the threats will only continue to increase. More devices mean more attack points into the enterprise, as well as more devices that can be infected and then used to perform DDoS attacks.

Critical infrastructure

Unfortunately, critical infrastructure such as the Mumbai port shown in McMafia is particularly at risk. Some concerning examples of similar compromises on critical systems include multiple water supply plants hacked between 2011 and 2016, and the US power grid that was infiltrated 17 times between 2013 and 2014. Perhaps the most worrying of all: a nuclear plant hacked in 2016. 

Hide and seek 

There is a huge variety of IoT devices entering organisations every day that IT does not always see, let alone manage. BYOD, consumerisation and IoT have led to the proliferation of devices with their own IP addresses and processing power – often with little security. These devices provide a gateway for hackers to enter into network systems. 

Now, new smart devices can join your network at will: everything from a smartphone to a security camera. These devices are unmanaged and become rogue endpoints, significantly increasing the chance of a breach. These devices become targets for hackers, ready to be compromised. Rogue users could use the LAN to access the server. Or, more likely still, unmanaged devices can be hacked and the data manipulated, allowing network access.

Most organisations don't think they have any IoT devices connected to their systems, yet without actively looking for them, they can't know for sure.

Laying critical infrastructure that prevents threats

Many are currently, and rightly, concerned about protection from outside threats getting into important networks. The latest firewalls, intrusion prevention systems and advanced protection systems all play a part in defence, but as more and more connected devices enter networks, it is now critical to look at threats from within as well.

If firms do not have proper infrastructure to support IoT devices, they risk exposing their corporate networks to malicious activities. This can lead to devastating effects, especially if hackers uncover vulnerabilities in IoT devices within critical infrastructure. 

A good starting point for businesses, as they take their network security efforts seriously in today's hyper-connected world, is to increase awareness of all the devices on the network and implement centralised management systems that help ensure compliance.

See it, assess it, control it – this must be the new mantra for defending the organisation from all manner of devices and their intentions. We are living in 'TV land' times – and it's time to make sure cyber-defenders protect their assets better than the hacked victims from the screen.

Contributed by Myles Bray, VP EMEA, ForeScout 

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.