Growth of networked electronic controls is a safety issue


No self-respecting health and safety professional would disregard hazard evaluations and systems for asbestos, work at height or manual handling; yet I’ll wager that the only risk assessment you have for IT is a display screen assessment. But if you have equipment in your business that connects to the internet and to something important — from a central heating thermostat to a blast furnace — electronic health and safety ought to be on your radar.

Many organizations have an IT department and a health and safety department whose only contact is when somebody needs a new laptop or forgets their password. Some have a vague reliance on Google or the man in PC World for support. Until recently that didn’t do much for your chances of recovering a deleted email, but it wasn’t going to kill anybody.

When we talk about the internet, most people think of the human-driven traffic it carries: email messages, web pages, instant messaging and videos. In truth most traffic is not between people, it’s between computers: automated, quiet packets of data containing database queries, records, sensor data and control signals.

In the early days of ARPAnet, the internet’s forerunner, this traffic was under the control of the US military. The consequences of somebody playing about in there were potentially spectacular. Although the idea that you could log in and launch a nuclear missile was never true, it was worthy of a few film scripts.

Then the worldwide web arrived and the entire system became a means of pouring cat videos and niche adult entertainment into every home. But the undercurrent of the internet carried on regardless.

Next year the internet will carry a zettabyte (one trillion gigabytes) of data. By 2019, two-thirds of all traffic will be from non-PC devices, and there will be three devices connected to the internet for every person on the planet.

Wired world

Networked control systems are nothing new, but in the 1990s, when they consisted of ISDN lines to the company mainframe, they were point to point and secure, though slow and expensive.

Then the internet arrived, and everything changed. People wanting access to their emails and the web installed modems and broadband routers, and all those machines suddenly had access to, in effect, a cost free means of talking to one another; instead of renting a dedicated phone line, just plug it into the net.

Manufacturers stopped putting serial ports on their devices, and started adding ethernet sockets. Later, even those disappeared, replaced by wifi antennas. Volume sales drove research and development and, as the technology became smaller and cheaper it spread from hulking great computers and rack mounted servers into individual switches and sensors.

For the price of a decent lunch you can put a camera the size of a golf ball in your house. It will automatically register with your wifi router, stream the images through a server in China, and you can sit in the restaurant and watch on your iPhone as your cat shreds your curtains, live and in high definition. Most of the people who buy them have no idea about the Chinese detour their data takes. If you missed it too, it’s time to put down your sandwich and say hello to the Internet of Things (IoT).

Chips in everything

The IoT includes all the devices that use the internet to communicate with each other. They can be transmitting data for remote analysis by computers or people (cameras, thermostats, fitness trackers), they can be receiving commands (valves, programmable logic controllers (PLCs), electronic locks), or they can be doing both, as in the case of mobiles, smart TVs and remote hard drives. Often the end points of that data are within metres of one another, yet the traffic jumps around the world to get there.

Today, the internet carries the control signals for everything from petrol pumps to nuclear power stations. A large proportion of the devices are part of supervisory control and data acquisition (SCADA) systems, a generic term for any network of sensors, controllers and actuators that can be running many different types of hardware and software.

SCADA devices are designed to be simple and reliable inside a factory, but tend to be woefully ill-prepared for connection to the internet, thanks to lax security and poorly written software. It’s often trivially simple to reprogramme a petrol pump to say something rude — it happened in the US in February — or infect the control systems of a nuclear power station — achieved in South Korea in December. All you need is to find the plant on the net and ask nicely.

Spun out

The first encounter with this type of cyber attack was Stuxnet (see graphic below), a computer virus identified in 2010 that was said to have been created to destroy uranium enrichment centrifuges — and it was rather good at it. The code searched networks for PLCs running a specific piece of software from Siemens, and changed it; in the case of the centrifuges, to spin them into oblivion.

The problem is that, as with any virus — electronic or biological — it was rather good at destroying other things too. The original code was targeted and time limited, but it opened the eyes of hackers, from state sponsored teams to bored kids, to the opportunities for mayhem if you could seek out and take over a logic controller.

Stuxnet was dissected and improved, and its code is still used today to attack networks around the world. The reason it’s so effective is that the manufacturers of these internet connected SCADA devices almost always used trivially simple default passwords or “back door” access codes for factory testing. Many systems run firmware that is impossible to upgrade without a soldering iron, so when a hacker finds the way in they can run riot for years, and are often very hard to detect. If a device has no display screen, how do you know what it’s really doing?

You’d think that device designers had learned their lesson by now, but far from it. Just about everything that you connect to the internet, from a broadband router to a baby monitor, will have at least one security hole that hackers know about. Since all these devices are connected to one another, and the security in local networks is always at the edges, it’s very easy to break in through a weakly protected device then bounce around looking for something else.

If I know you run a manufacturing plant, then first I find the unique IP address of your broadband router, which will be in the header information of every email you send, and every web page you visit. I can try to connect to the router, using the default manufacturer password.

Most of the time I’ll get in; but if access is only possible from inside your local network, I can send you a virus by email or through a malicious piece of code on a website. I could send you a free brochure on DVD or USB drive, with a virus payload attached, and your computer can open the doors for me.

Once inside, my virus sees every device on the network, and all the data flowing between them. It can see which devices are laptops, sensors, cameras and PLCs. It can try sending a few commands for fun — open a valve or two or change a temperature limit. It can reprogramme them so the emergency stop buttons become emergency start buttons.

The German Federal Office for Information Security reported last December that an unnamed steel factory had suffered “massive harm to plant” after a cyber-attack demolished parts of the control system, leaving the engineers unable to shut down a blast furnace.

[Graphic: How Stuxnet works]

Auto configured

Hackers are exploiting two simple facts: the average user of an IoT device is not a programmer, and it’s cheaper to write a program than to design a chip.

Devices have to be extremely simple to set up, often doing lots of automatic configuration without telling the user what’s happening, and 90% of the time users don’t even know how to change the default password or PIN.

We’re all familiar with automatic updates for Windows and mobile apps, yet updating the operating system on IoT devices can be difficult and is rarely done. This is despite the fact that, instead of custom made chips that can only do one thing, nearly every IoT device uses a tiny embedded computer, with an operating system and software.

Your broadband router uses Linux, and many PLC controllers use Windows. Both are capable of running other programs — including a tweaked version of the factory installed application that appears to be doing everything normally — until someone on the other side of the planet clicks a button and unleashes a SCADA worm to disable all your interlock switches.

Thanks to the ubiquity of Bluetooth and wifi, you don’t even need to plug in anything. Your attacker can be walking past with a mobile phone or sitting in a basement on the other side of the world.

As we’ve seen in the news many times, the value of things like credit card numbers and identity theft bundles drove hackers to seek out customer databases in big corporations, but the cost/benefit ratio for IoT hacks is potentially far greater and is receiving more attention.

Hackers get long term access because the devices are hard to patch and don’t run anti-virus software, and users are oblivious to what the hackers are doing.

The rewards are huge; stealing an out of date customer list is nothing compared with blackmailing someone with a fleet of wind turbines that you can disable at will from anywhere in the world. That’s exploit CVE-2015-0985, in which turbines made by XZERES would obligingly send anyone the admin password for their control systems if they connected on the default web page. It made life easy for the engineers; easier still for the hackers. There were lessons learned on both sides.

Under your nose

Apart from causing physical damage and putting lives in danger, hackers can re-purpose the embedded software to work on their behalf; some of the biggest cyber attacks in recent months were carried out using botnets: hundreds of thousands of compromised systems in homes and offices working together under the control of hackers. These weren’t computers; they were broadband modems and PLCs. Millions of little boxes with flashing lights that are always connected, always vulnerable, and never checked. What’s yours doing now?
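One way to answer that question for a box with no screen is to look at what it says on the network. The following is an added example, not part of the original article: it checks flow records against a site policy, flagging control-port traffic (Siemens S7 on 102, Modbus/TCP on 502) that does not come from the engineering workstation, and control-network devices calling out to unapproved addresses. The subnet, addresses, rule names and log format are assumptions constructed for illustration.

```python
import ipaddress

# Site policy: constructed values for illustration, not taken from the article.
CONTROL_NET = ipaddress.ip_network("10.20.0.0/24")       # PLCs, sensors, cameras
ENGINEERING = {ipaddress.ip_address("10.20.0.10")}       # only host allowed to command PLCs
CONTROL_PORTS = {102, 502}                               # Siemens S7 (ISO-TSAP), Modbus/TCP
ALLOWED_EGRESS = {ipaddress.ip_address("198.51.100.7")}  # e.g. a vendor update server

# Constructed flow records, one per line: time, source, destination, destination port.
SAMPLE_FLOWS = """\
09:00:01 10.20.0.10 10.20.0.21 102
09:00:05 10.20.0.33 198.51.100.7 443
09:02:17 192.168.1.57 10.20.0.21 102
09:02:40 10.20.0.34 203.0.113.99 8080
09:03:02 10.20.0.34 10.20.0.22 502
"""


def audit_flows(text):
    """Return (time, rule, detail) for every flow that breaks the site policy."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            ts, src_s, dst_s, port_s = line.split()
            src = ipaddress.ip_address(src_s)
            dst = ipaddress.ip_address(dst_s)
            port = int(port_s)
        except ValueError:
            # Wrong field count, bad address or bad port: report it, never skip silently.
            findings.append(("?", "malformed", line))
            continue
        # Commands to a controller from anything but the engineering workstation,
        # including another device on the same network that has been taken over.
        if dst in CONTROL_NET and port in CONTROL_PORTS and src not in ENGINEERING:
            findings.append((ts, "control-command", f"{src} -> {dst}:{port}"))
        # A control-network device calling out to an address nobody approved.
        if src in CONTROL_NET and dst not in CONTROL_NET and dst not in ALLOWED_EGRESS:
            findings.append((ts, "unexpected-egress", f"{src} -> {dst}:{port}"))
    return findings


if __name__ == "__main__":
    for ts, rule, detail in audit_flows(SAMPLE_FLOWS):
        print(f"{ts}  {rule:<17}  {detail}")
```

The last sample record is device-to-device traffic inside the control network, which a firewall at the network edge never sees.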

You may not be in charge of a nuclear reactor, but an outdated PLC or embedded Windows XP system controlling a printer in some far flung site is the perfect place to hide the command and control software that attacks something else. Stuxnet infected computers in Iran mainly, but many businesses in other countries suffered because they happened to have the same model of PLC.

You’ll need the IT department to work in partnership. Auditing firmware isn’t yet part of the NEBOSH exam; but making sure nothing on the network has a default password is simple enough, and educating your staff about the real-world hazards of a cyber-attack should be as important as toolbox talks on manual handling because in many cases they are the chinks in your armour. The German blast furnace was taken out by a free gift USB drive sent to a random employee. Stuxnet was an email attachment.

The IoT isn’t just for industry. People are inseparable from their smartphones, smart watches, portable hard drives and memory sticks, all of which can be re-purposed to inject viruses and scan your internal networks, sniffing for passwords and reporting back to their unseen masters.

Your IT department should be all too aware of the need to scan emails and change wifi passwords regularly, but if the security camera in your car park is accessible from anywhere and answers to “Password123”, you’re one hop away from chaos.

In a few years’ time the IoT will invade every aspect of our lives, from internet-enabled swimsuits to wireless cat-feeding stations. Some of it will control your production line, filter your drinking water and keep your doors locked. It will be marketed as efficient and easy to use. It will be sold to people who think SCADA is a brand of car. It will be hacked. It will be watching you. You ought to be watching it as well.