Everyone in the IT and business communities has been inundated with the words “digital transformation” and “IoT.” They’re buzzwords that have continued to gain momentum since their inception several years ago. Despite the inundation, they’re not going away anytime soon, for the simple reason that IoT is our reality and organizations need to transform their processes and services in order to meet customer expectations and remain competitive in today’s marketplace. IoT and digital transformation require an organization to become more agile based on data, to become more valuable to customers through new service offerings and capabilities, and to successfully adopt modern applications and processes.
Successfully implementing digital transformation and embracing IoT comes with a slew of challenges, and one of the most important, if not the most important, is security. Today, we are focusing solely on the security challenge of IoT and digital transformation and the fact that organizations need to secure IoT.
This week, our very own Philip Griffiths presented on this topic at the IoT Security Foundation event in London. His presentation used case studies to illustrate the importance of securing IoT and explained why IoT needs Zero Trust. Today’s blog will dive into his presentation.
The Risk of Not Securing IoT Can Be Perilous
Today’s phishing attacks are more targeted and sophisticated than ever. Even the savviest of individuals are susceptible to falling into the trap of a cyber attack. The three case studies below are perfect examples.
- The 2015 Grand Jeep Cherokee Hack – Now, let us begin by saying that this was an experiment. The driver of the Jeep, Andy Greenberg, had volunteered to drive the Jeep as it was hacked by Charlie Miller and Chris Valasek. Greenberg was driving near downtown St. Louis when the attack began. Without anyone touching the dashboard, the AC started blasting, windshield wipers began furiously whisking away wiper fluid, and the radio was switched, at full blast, to a local hip-hop station. Images of Miller and Valasek flashed on the screen of the entertainment system. Greenberg’s attempts to gain control of the vehicle were to no avail. Miller and Valasek had been developing a car-hacking technique for over a year that resulted in total control of the Jeep, from its entertainment system to its dashboard functions, steering, brakes, and transmission. And you want to know the real kicker? They were doing all of this from a laptop on the other side of the country. Scary. This hack demonstrates how very real the need to secure IoT is and the danger that comes with leaving it vulnerable.
- Cyber Attack on a German Steel Mill – In 2014, hackers took control of the steel mill’s production software, which resulted in significant material damage to the site. By hacking the industrial site’s office software network, they were able to penetrate the production management software. From there, it was a downward spiral. The plant’s control system was intercepted and all human-machine interactions were killed, which resulted in serious damage to the infrastructure. While the perpetrators were never conclusively identified, it was assumed that it was a group of experienced individuals who possessed expansive knowledge about the industrial control systems. This attack on infrastructure demonstrated how populations can be directly affected as well and is an example of why cyber attacks need to be taken seriously.
- The Hacking of Ukraine’s Power Grid – In 2016, over 230,000 Ukrainians’ homes lost electricity and heat during an attack on the country’s power grid. Hackers accessed the control center, took approximately 30 substations offline, and disabled backup power supplies to two of the three distribution centers, which left operators themselves in the dark. These hackers were stealthy, sophisticated, and had been planning this attack for months. The execution was flawless, and while residents were only left without power for one to six hours, it serves as a security lesson to distribution centers all over the world.
Zero Trust is the Answer
Securing networks and IoT requires an iron-clad security model. That is why we tout the Zero Trust methodology, which is centered around the concept that a user is “guilty until proven innocent.” But, you may be wondering, what is Zero Trust?
Since the beginning of digital time, companies have used firewalls to enforce perimeter security. The model works well enough as long as everyone works exclusively in the firm’s own buildings. However, with a growing mobile workforce, the surge in the variety of devices used by this workforce, increased adoption of Industrial IoT, and the growing use of cloud-based services, additional attack vectors have emerged that are challenging the traditional perimeter philosophy to the point of obsolescence.
Key assumptions of the perimeter model no longer hold: The perimeter is not just the physical location of the enterprise anymore and if the traditional perimeter is breached, an attacker has relatively easy access to an organization’s privileged internal network. That means that what lies inside the perimeter is no longer a blessed and safe place.
Conversely, in a Zero Trust model, all access to company resources is fully authenticated, fully authorized, and fully encrypted based upon device state and user credentials, regardless of network or location. In this model, administrators can enforce fine-grained access to different resources. As a result, employees can safely work from any network without the need for a traditional VPN connection into the privileged intranet. The user experience between local and remote access to enterprise resources is effectively identical.
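The contrast between the two models can be made concrete with a small access-decision sketch. This is an added example, not code from the presentation or from any product; the network range, roles, resource names and requests are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# All names and values below are constructed for illustration.
INTERNAL_NET = ip_network("10.0.0.0/8")   # assumed "trusted" office range
POLICY = {                                # resource -> roles allowed to reach it
    "plant-hmi": {"ot-operator"},
    "payroll-db": {"finance"},
}

@dataclass(frozen=True)
class Request:
    user: str
    role: str
    authenticated: bool    # user credential check succeeded
    device_healthy: bool   # device state acceptable (managed, patched)
    encrypted: bool        # channel is encrypted end to end
    source_ip: str
    resource: str

def perimeter_allows(req: Request) -> bool:
    """Perimeter model: network location is the only check."""
    return ip_address(req.source_ip) in INTERNAL_NET

def zero_trust_decision(req: Request) -> tuple[bool, str]:
    """Zero Trust model: source_ip is never consulted."""
    if not req.encrypted:
        return False, "channel not encrypted"
    if not req.authenticated:
        return False, "user not authenticated"
    if not req.device_healthy:
        return False, "device state not acceptable"
    if req.role not in POLICY.get(req.resource, set()):
        return False, "role not authorized for resource"
    return True, "allowed"

REQUESTS = {
    "intruder_on_office_lan": Request("unknown", "none", False, False, False, "10.4.2.17", "plant-hmi"),
    "remote_operator": Request("alice", "ot-operator", True, True, True, "203.0.113.50", "plant-hmi"),
    "operator_wrong_resource": Request("alice", "ot-operator", True, True, True, "10.4.2.30", "payroll-db"),
}

def compare() -> dict:
    """Return {name: (perimeter_result, (zero_trust_result, reason))}."""
    return {n: (perimeter_allows(r), zero_trust_decision(r)) for n, r in REQUESTS.items()}

if __name__ == "__main__":
    for name, (perim, (zt, why)) in compare().items():
        print(f"{name:26} perimeter={perim!s:5} zero_trust={zt!s:5} ({why})")
```

The perimeter check admits anything with an internal address and rejects the legitimate remote operator, while the Zero Trust check reverses both outcomes and also enforces per-resource access from inside the office network.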
To learn more about how Zero Trust can help you secure IoT, read our blog, AppWaNS 201: Zero Trust With Ease