Why Industry 4.0 needs to think more like Apple

For industrial applications, the Internet of Things is at risk of becoming the Internet of thieves. Perhaps industries using connected solutions should take a page from Apple's book and lock down their infrastructure.

What ethical hackers say

As digital processes become deeply embedded across industries, it makes sense that industrial control systems would be put to the test in this year's Pwn2Own competition. Hackers were advised to look for vulnerabilities in industrial software and systems.

Contest winners Daan Keuper and Thijs Alkemade found that once they broke into the computer networks used by these companies, it was "relatively easy" to wreak havoc on systems and equipment.

This is in part because, at this stage of transformation, much of the equipment used in manufacturing was not originally designed to be connected to the Internet, has poor security, or is outdated.

IT understands this, of course: Industrial IoT deployments tend to protect the computer networks they use. But it also means that if those networks are breached, much of the deployed equipment lacks additional protection. And that means there are a lot of potential attack surfaces.

It's never good, but right now the threat to critical infrastructure is increasing.

When things go wrong

In the event of a security breach, attackers can take control of machines, modify processes, or simply choose to shut down production. This can have huge consequences – on the company, its customers and partners, and on supply chains that are already creaking.

Louis Priem, ICT Group consultant, said: “Systems in factory environments are typically running 24/7, so there is very little opportunity to patch vulnerabilities. Also, there is a lot of legacy as the machines are bought for the long haul and there is typically no ability to install antivirus applications. All of this makes the industry sector vulnerable to malicious parties.”

Speaking to MIT Technology Review, the Pwn2Own winners warned that the security of industrial control systems is lagging behind. Consider how a successful attack on Target a few years ago used an unsecured HVAC system to penetrate the corporate network, demonstrating the need to protect all available endpoints.

These days more than ever, security lives on the periphery.

The writing was on the wall

It's not that we can't see problems like this coming.

The evolution of the industrial IoT has seen the creation of a myriad of different standards with different levels of security. This led many people in the field (including Apple) to develop common standards for connected devices.

Matter, the consumer IoT standard that is the first fruit of this effort, should arrive this year, while the more industrial Thread standard is already seeing its rollout. (I expect more news on Matter very soon, possibly at WWDC).

“Thread is based on the universally implemented Internet Protocol version 6 (IPv6) standard, which makes it extremely robust. A Thread network does not rely on a central hub, like a bridge, so there is no single point of failure. And Thread has the ability to self-heal: if a node (or an accessory on its Thread network) becomes unavailable, data packets will automatically select an alternate path and the network will simply keep going,” explained Eve Systems.

Apple's method

To some extent, one way to protect any device is to follow Apple's core mission, which is to make sure systems do the most with the least amount of information.

Although this effort has arguably slowed the company's progress in developing AI compared to more cloud-based competitors, Apple's focus on putting intelligence at the edge is seen as increasingly appropriate.

Mimic Technology and Business & Decision, for example, appear to be developing industrial IoT systems that follow a model where intelligence is at the edge.

When combined with other emerging networking technologies such as SD-WAN or 5G private networks, putting intelligence at the edge helps protect industrial networks by helping to isolate individual endpoints.

The problem, of course, is that not all connected systems are smart enough to be so protected, while differing priorities for IT and operational intelligence leave attackers with no shortage of potential vulnerabilities to attack.

And that's even before stupid and short-sighted governments impose inherently insecure device security backdoors on the mobile systems and platforms we increasingly rely on to keep people safe.

Perhaps enterprise IoT needs to borrow a page from Apple's book and design systems that are inherently more secure than anyone thinks they need to be? Because it's only a matter of time before they find out that nothing less will do.

Copyright © 2022 IDG Communications, Inc.