The massive distributed denial of service (DDoS) attack that occurred in late October 2016 highlighted a fundamental issue concerning the burgeoning Internet of Things (IoT): are there enough standards, checks and balances to secure the millions of devices that are accessing our networks?
On Friday 21 October, simultaneous DDoS attacks on literally tens of millions of IP addresses sparked a global crisis. The attack centred on Dyn, a company that provides Internet services that connect users to its clients’ websites, and probably used security cameras as the ingress point.
Andrew Potgieter, security solutions director at Westcon-Comstor Southern Africa, points out that the attacks were particularly deadly for born-in-the-cloud companies that are totally reliant on their web sites. Attackers exploited a lack of security on devices, which can include everything from security cameras to digital video recorders, printers and refrigerators. Some of those devices do not have passwords and others are sold with default passwords that many purchasers don’t change.
Chinese webcam maker Xiongmai said on Monday 24 October that its devices were among those that had been hijacked for the attack, and it has issued a recall for the products. The new Mirai malware, available on the Dark Web, was used to infect devices that were then employed to launch the DDoS attack.
Last week’s attack, however, is just the latest in a string of incidents. Thankfully, many of the earlier attacks were less severe, but it’s now known that hundreds of thousands of IoT devices are infected with the Mirai malware.
The experts tell us that we can expect up to 20-billion “things” to be connected in IoT networks within the next five years, so the scale of the problem could get worse.
Back in March, IT-Online carried warnings from Kaspersky Lab security experts about the looming IoT threats. Amin Hasbini, senior security researcher at Kaspersky Lab, pointed out then that industrial systems are increasingly being connected as organisations seek to improve management and efficiency – but many of the devices themselves are inherently insecure.
Some flaws include hard-coded credentials that are still common in industrial systems, where a simple password gives anyone access to critical machines. And, although they are often remotely located, they are easy for criminals to access once they are connected to a network.
A fairly recent industrial IoT attack caused a shutdown across the Ukraine power grid, cutting 220 000 people off.
Other attacks include one on the South Korean transport system, another on a US dam and yet another on a hydro-electric engine. More serious was an attack on a Swiss water company where chemicals in the water to 2,5-million domestic users were remotely adjusted.
Hasbini points out that these attacks are just the tip of the iceberg: 32% of IT managers responsible for safeguarding industrial systems say their control system assets or networks have been infiltrated at some point. Meanwhile, 34% believe their systems have been breached more than twice just in the last 12 months.
PwC tells us that the average number of detected breaches in the power and utilities sector increased six-fold in 2014. And the US’s ICS-CERT says that 55% of the attacks that it sees involve advanced persistent threats (APTs) or sophisticated actors.
Today, the biggest threat to connected industrial systems is malware attacks at 35%, followed by software error (23%), operator mistakes (11%), SCADA failure (19%) and other threats (12%).
The malware threats come mostly from corporate networks (35%), remote access (26%), USB ports (3%), mobile devices (4%), WiFi (5%), HMI interface (8%), Internet connections (9%), and outside contractors (9%).
The nature of the attacks is overwhelmingly APTs at 60%, including Duqu, Flame, Gauss, Energetic Bear, Epic, Turla and Stuxnet.
“So devices are vulnerable,” Hasbini says. “And exploit codes are public. Devices are not tested, audited or updated; and they are often easily reachable.”
The latest attacks have prompted renewed calls for standards to be put in place for IoT networks, particularly relating to security.
The ready availability of malicious code, coupled with the plethora of poorly-secured devices connecting to the network, means there will probably be more attacks in the future.
Standards are needed that will ensure devices are secure by design, catering to password strength, level of encryption and data sharing.
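The article’s two recurring points (devices shipped with empty or factory-default passwords that are never changed, and hard-coded credentials on industrial equipment) come down to one design requirement: a device should not expose remote services until its default credentials have been replaced by something that meets a minimum strength bar. The following is an added example written for this page, not code from the article, IT-Online, Kaspersky Lab or any device vendor. The default-credential list, the policy thresholds and the `Device` class are all constructed for illustration.

```python
"""
Added example (not from the article): a first-boot credential policy for an
IoT device. Remote access stays disabled while the factory default is in
place, the replacement password is checked against a policy, and only a
salted PBKDF2 hash is stored on the device. Everything here is illustrative.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample of (username, password) pairs a vendor might ship as
# factory defaults. A real device would carry its own list.
KNOWN_DEFAULTS = {
    ("admin", "admin"),
    ("admin", ""),
    ("root", "123456"),
    ("root", "password"),
}

MIN_LENGTH = 12          # policy threshold, chosen for the example
PBKDF2_ROUNDS = 200_000  # work factor, chosen for the example


def password_problems(username: str, password: str) -> List[str]:
    """Return every policy violation found; an empty list means acceptable."""
    problems = []
    if not password:
        problems.append("empty password")
    if (username, password) in KNOWN_DEFAULTS:
        problems.append("factory default credential")
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if password.lower() == username.lower():
        problems.append("password equals username")
    # Count character classes present: lower, upper, digit, other.
    classes = sum(1 for check in (str.islower, str.isupper, str.isdigit)
                  if any(check(c) for c in password))
    if any(not c.isalnum() for c in password):
        classes += 1
    if classes < 3:
        problems.append("needs at least three character classes")
    return problems


def hash_password(password: str, salt: bytes = b"") -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the device stores (salt, digest), never the plaintext."""
    if not salt:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a login attempt against the stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


@dataclass
class Device:
    """Hypothetical device state; defaults model a unit fresh from the factory."""
    username: str = "admin"
    salt: bytes = b""
    digest: bytes = b""
    default_credentials_active: bool = True
    remote_access_enabled: bool = False

    def set_password(self, new_password: str) -> List[str]:
        """Apply the policy; on success store the hash and clear the default flag."""
        problems = password_problems(self.username, new_password)
        if problems:
            return problems
        self.salt, self.digest = hash_password(new_password)
        self.default_credentials_active = False
        return []

    def enable_remote_access(self) -> bool:
        """Refuse to expose remote services while the factory credential is live."""
        if self.default_credentials_active:
            return False
        self.remote_access_enabled = True
        return True


if __name__ == "__main__":
    unit = Device()
    print("remote access on fresh unit:", unit.enable_remote_access())
    print("keeping the default:", unit.set_password("admin"))
    print("strong replacement:", unit.set_password("Tr0ub4dor&3xample!"))
    print("remote access after change:", unit.enable_remote_access())
```

The ordering is the point: `enable_remote_access` is gated on `default_credentials_active`, so a unit cannot be put on the network in the state the article describes, and the stored hash means a leaked device image does not hand out the password in clear.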