
Understanding Cyberrisks in IoT
When Smart Things Turn Against You

Carolina A. Adaros Boye


Understanding Cyberrisks in IoT: When Smart Things Turn Against You
Copyright © Business Expert Press, LLC, 2019.

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means—electronic, mechanical, photocopy, recording, or any other except for brief quotations, not to exceed 250 words, without the prior permission of the publisher.

As part of the Business Law Collection, this book discusses general principles of law for the benefit of the public through education only. This book does not undertake to give individual legal advice. Nothing in this book should be interpreted as creating an attorney-client relationship with the author(s). The discussions of legal frameworks and legal issues are not intended to persuade readers to adopt general solutions to general problems, but rather simply to inform readers about the issues. Readers should not rely on the contents herein as a substitute for legal counsel. For specific advice about legal issues facing you, consult with a licensed attorney.

First published in 2019 by
Business Expert Press, LLC
222 East 46th Street, New York, NY 10017
www.businessexpertpress.com

ISBN-13: 978-1-94897-664-0 (paperback)
ISBN-13: 978-1-94897-665-7 (e-book)

Business Expert Press Business Law and Corporate Risk Management Collection

Collection ISSN: 2333-6722 (print)
Collection ISSN: 2333-6730 (electronic)

Cover and interior design by S4Carlisle Publishing Services Private Ltd., Chennai, India

First edition: 2019

10 9 8 7 6 5 4 3 2 1

Printed in the United States of America.


Abstract

Information security policies and controls are deployed in many organizations. Either for compliance reasons or because there is a legitimate concern about cybersecurity risks, managers more frequently consider this as deserving attention from a strategic point of view. However, IoT devices and industrial systems are not very often considered within the scope of information systems security management, leaving a door open to attackers—actually, quite frequently, many doors.

The explosive growth of IoT and Industry 4.0 has increased the expectations about new business models and services and more productive and efficient systems. However, the fact that IoT devices present many cybersecurity vulnerabilities that can increase the risk of an attack on an organization seems to go unnoticed. There are many examples of this, from data stolen from a casino through a smart fish tank to IP cameras, routers, printers, and vending machines used as bots for Distributed Denial of Service (DDoS) attacks. The target can be the IoT system itself, an adjacent network, or a third party. In any of these cases, the attack can long remain undetected because the security of these systems is not always monitored. This book explains why smart systems such as IoT, IIoT, ICS, and SCADA can introduce risks to a network and why it is important for managers and decision makers to know about this. It is rather obvious that you cannot address a problem if you do not know it exists, or if you are unaware of how serious it is! In these pages you will also find examples of past attack cases that can serve as lessons to avoid making the same mistakes in the future.

You probably already know that in a business the main assets for production are processes, technology, and people. This should make you aware that cybersecurity is not an IT problem but an organizational problem. As a team leader, manager, or business owner, the better you understand cyberrisks, the better you can ensure that the right people will be involved in preventing them, that the right processes will be defined, and that the right solutions will be deployed efficiently. To achieve this, it is essential that you have some background knowledge about the challenges that your security teams can face on the IoT and cybersecurity front.

Keywords

IoT (Internet of Things); IIoT (Industrial Internet of Things); cybersecurity; risks; industrial control systems; cyberattack; vulnerability; threat; availability; integrity; privacy; confidentiality; cyber-awareness

Contents

Acknowledgments ... ix
Chapter 1 Introduction—What Is IoT? ... 1
Chapter 2 Real Attack Cases—It Is Not Science Fiction, Smart Things Can Turn against You ... 17
Chapter 3 Vulnerability Assessments and Hacking Experiments—The Risk Is There, Just Waiting for a Hacker with Enough Motivation ... 27
Chapter 4 Why Is IoT Especially Vulnerable? Requirements and Challenges ... 39
Chapter 5 IoT in an Office Environment—Printers, Smart TVs, Routers, and Uninvited Guests ... 55
Chapter 6 IoT in an Industrial Environment—Industrial Control Systems and Industry 4.0 ... 65
Chapter 7 IoT in Utilities and Service Monitoring—Smart Meters and Other Stuff ... 81
Chapter 8 Typical Types of Attacks Targeting IoT Systems—Understanding What Can Go Wrong ... 87
Chapter 9 Lessons Learned—Getting a Better Idea about How to Handle the Risks ... 103
Chapter 10 Conclusions—Now What Do I Do with This Information? ... 113
References ... 119
About the Author ... 123
Index ... 125
Acknowledgments

To my dad, who inspired my curiosity about things and taught me that no matter how complicated things are, they can always be explained in a simple way. To my mom, who always believed in me as a writer, and to my brother, who is unsparing in correcting my English grammar.
CHAPTER 1

Introduction—What Is IoT?

Introducing the Reader to IoT


Not long ago, a friend was visiting me in Birmingham, and, as usual, we engaged in a conversation about our career goals and projects. She is currently based in London and works as a human resources director of a well-known multinational company. When I told her, once again, that my work was related to research on cybersecurity risks of the Internet of Things (IoT), she said: “You know, my friend, everybody talks about IoT and I still cannot understand what it is.” Her day-to-day work is about dealing a lot more with people than with technologies. Nevertheless, in today’s world everybody uses technology, even if it is not their main field of endeavor. Therefore, I believe it is important for everybody to acquire at least a general understanding of how some things that we use every day work, particularly if they introduce risks that you might not be aware of. Maybe you do not currently use IoT every day, but I am sure you will, at some point in the not-too-distant future. You may also have to decide whether to use it or not in your business and how. In many cases, IoT can be a useful solution to many business problems, so you may well decide to go for it. Just remember that this means that you will be introducing new risks to your organization. Managing these risks is extremely important, since on that depends whether the potential of IoT is used for the benefit of the organization and not against it. In other words, a good cost-benefit balance should be ensured by preventing and controlling potential negative impacts caused by cyberincidents.

I believe that every person who could potentially make use of IoT should have at least a general idea of what it means. Moreover, anybody who has to make a decision about designing, building, buying, or implementing an IoT solution should know the basics of it, as well as the risks involved. Even my neighbor who is considering getting a smart thermostat for her house, just because her sister-in-law got one, should know as well, at least to a certain extent, what she is dealing with. It is not only businesses but also individuals that use IoT, and, according to Gartner, the consumer market for IoT is growing by leaps and bounds (Panetta 2017).

Before we look at what IoT is, it is important to understand that there is no consensus on a single definition. My favorite denotation for IoT is the one given by the European Union Agency for Network and Information Security (ENISA), which says that the term IoT “describes a wide ecosystem where interconnected devices and services collect, exchange and process data in order to adapt dynamically to a context” (ENISA 2017). I can imagine that for many this definition might mean absolutely nothing. I am sure at least that this is the case with many people I know who are not familiar with IT technical jargon. So to start this book, I must provide a definition that makes sense to a broad audience.

To make it simple: From the user’s perspective, IoT is everything that can interact with different sorts of computer devices, including mobile phones, tablets, and a variety of so-called “human–machine interfaces.” IoT, in most cases, is not autonomous; it depends on communication networks to get and send information and behaves according to rules that can be preprogrammed or learned by the devices. IoT devices can go from fairly “dumb” and simple, like a temperature sensor, to really smart and complex systems, like a smart vehicle, but in either case, the device needs to interact with its environment. This is what we call the context, which is the first aspect that we need to understand in a risk assessment.

IoT is not a technology but rather a term that encompasses a variety of technologies that differ according to the industry sector, application, and even the preferences of the manufacturer. Currently, there is no standard way to build an IoT system. Hence, IoT is not simple, because it is constructed through different layers of architecture that include computing devices, communication networks, and electronic or electromechanical equipment. On top of this, each layer can have its own “language” to communicate, which is referred to as a “communication protocol.”

Now, what is this book about and for whom is it written? Its intended audience is managers, executives, and business students who want to get familiar with the cybersecurity implications of IoT. Its main purpose is to help the reader to prepare for the risk landscape of the future—or maybe I should say of the present since, as you will read in these pages, IoT has already become an attractive target for malicious agents. The reasons for such a degree of risk are many, including the complexity of IoT systems, their lack of maturity regarding cybersecurity, and their high level of adoption. Many aspects of IoT cybersecurity need to be approached differently from how it is done in the case of regular information systems. The level of interaction with the real world is a key differentiator but not the only one. It is important to know these differences and the specific sorts of expertise that are required to manage IoT systems securely.

People who are keen to incorporate technology into different aspects of their lives, such as home automation, health and fitness smart devices, connected cars, and even toys for their children, might also benefit from reading this book, as it will help them gain awareness of the risks of introducing these devices into their personal spaces. If you have an aversion to technology, it may become even worse after reading this book, but the actual intention is, far from discouraging people from using technology, to encourage them to use it wisely. In summary, this book is mainly about being aware and understanding cybersecurity risks in IoT and about different ways to deal with them.
Figure 1.1 shows a simplified model of the interactions between IoT and the physical (real) world. Later in this book, some of the aspects of these interactions will be described in more detail.

Figure 1.1 IoT interactions with the real world (diagram: “Things”, “Gateway”, proximity network, access network, service network, computer systems (service platform), user interfaces, IoT users, real world)

It is believed that IoT is becoming the fourth industrial revolution. With several millions of devices already connected as you read, IoT has a presence in almost every industry domain, from transport, health care, sports and entertainment, heavy industry and manufacturing, to smart grid and utility services, temperature and environment control, public safety, and retail. There is a promising bright future around the corner, where things are smart and communicate with each other. The degree of development that different technologies have reached, including the current level of coverage, speed, and reliability of the Internet, has made it possible to realize many of the science fiction scenarios that we saw in the movies of the 20th century. Drones are nothing new anymore, people feed their pets and monitor their houses from their offices, driverless cars are being tested in different cities of the world, and I have recently heard that it is not rare to see robots in the streets of the city of Milton Keynes, in England. Soon these robots will be the ones delivering your pizza! Technology is meant to make processes more effective, efficient, and safer for people. Overall, the main idea of IoT is to make our lives better. IoT gives almost endless possibilities for innovation and creation of new business opportunities. It will also create new jobs, while at the same time eliminating some of the existing ones. Products, services, and professions that never existed or were never thought of before will continue to proliferate. We are finally living in the future!
So, with all this excitement, why are these security people so determined to point out all the possible things that can go wrong? I reckon we might be considered a bunch of party poopers. The truth is that IoT is giving cybercriminals more opportunities to develop new strategies for stealing data, committing fraud, and causing distress and chaos. Moreover, they are using these opportunities. Offices generally contain smart printers, routers, security cameras, and smart TVs used for videoconferences, which might not be within the scope of the cybersecurity policy. This means that these workplaces are easy targets for cyber-attackers. Industries rely heavily on automation, with more regard for performance and safety than for cybersecurity, leaving—sometimes unknowingly—many doors open for unauthorized agents to access their corporate information networks through these systems. Sometimes, they might even know about these “open doors,” but worrying about security is not their job. So if no formal risk assessment is being performed, they might be complacent, thinking “this will not happen to us”—which many times proves to be wrong! This book aims to be an eye-opener and a first approach to developing an insight into how cybersecurity and IoT connect in order to facilitate more informed decision making.

Building Blocks of IoT


To begin understanding these risks, it is important to first understand
how IoT works, what its main characteristics are, and how it differs from
regular computing systems in terms of cybersecurity management. So, at
the outset, let us define the main building blocks of IoT.

Things

The so-called things are electronic or electromechanical devices that interact directly with the environment or, as we will call it here, the real world. Some of them are designed to extract information, others to perform actions, and some to do both. As people are part of the real world, some of the things have the means to interact with people.

These devices can have some of the following characteristics but not necessarily all of them:

• Sensing: This means the devices are able to extract information from the environment, for example, physical variables such as temperature, pressure, humidity, weight, and electrical power. Web cameras that allow monitoring of images of a place are also considered sensing devices, as well as sensors that detect presence, detect chemical components, such as the quality of the air or water, and measure human vital signs, such as heartbeats or blood pressure—essentially, everything that reveals the status of something in the real world.
• Actuation: This means devices that can perform an action in the real world. This action is performed through electrical or electromagnetic signals and can go from turning something on and off to controlling a drone. Actuation will usually involve mechanical devices such as motors and valves. A smart printer is also considered an actuator since it performs a physical action commanded through a computer system.
• Computation: Some IoT devices serve a fixed purpose; they can sense a variable or receive commands to perform an action, but they cannot be programmed to do anything else. There are also IoT devices that are “smarter” and have more advanced computational capabilities. This means that they might even need to run an operating system to manage different pieces of software serving a variety of purposes. Even though they are not computers, they can be configured or even programmed to customize their behavior. This also means that they are susceptible to malware. Malware is a malicious piece of code or “malicious” software that is commonly used to attack computer systems. Malware has been developed specifically for certain types or groups of IoT systems.

• Communication: Things need to communicate with each other and with the rest of the system. Many smart things will have their own means to communicate and be recognized by standard communication networks. For example, if a device is Internet protocol (IP) capable or able to be associated with an IP address, then it can be directly connected to the Internet.
Some things are just capable of sending and receiving electrical or electromagnetic signals. These signals represent the variable that they are sensing or the commands that they are receiving, but they lack the capabilities to communicate under a certain protocol. Others might use more advanced communication protocols such as Controller Area Network (CAN) messages or Modbus, but this will not necessarily be compatible with standard communication protocols. In these cases, the devices communicate first with a gateway, which translates the data in a way that can be understood by standard communication networks, for example, a local area network (LAN) or the Internet.

Communication Networks

An IoT system will rely on different communication networks to be able to function. The Industrial Internet Consortium differentiates three types of networks according to the parts of the system they are meant to link. These are the proximity network, the access network, and the service network (Industrial Internet Consortium 2015). We are going to borrow their definition since it is useful to make clear how different types of communication can interact in an IoT system.

• Proximity network: It provides the means of connection between the things and the gateway that will serve as a bridge to connect them to a standard communication network. If all the devices are capable of connecting directly to a standard communication network, the proximity network might not be differentiated from the access network.
• Access network: It controls the flows of data between the things and the computer systems that process and store the data.
• Service network: It allows the connection of the system to the platforms that run higher-level software such as the interfaces where commands and rules are generated.

Communication can be between a thing and another thing, between a thing and a computer server (including cloud services), or between a thing and a human user.

Computer Systems

This part represents the platforms where different software services interact to make the IoT system work. Usually, there is a differentiation between the platforms that store and process the data and the software services that allow monitoring, executing commands, and configuring business rules. The former are usually in charge of orchestrating the different functions and flows of information between the different parts of the system. The latter usually allow for the interaction with human interfaces as well as with software belonging to the business domain such as enterprise risk management (ERM), customer relationship management (CRM), and business intelligence (BI) tools.

Human–Machine Interfaces (HMI)

An interface is a link between different components of a system. In this case, we are referring to the hardware and software that allow humans to interact with the system by accessing data, sending commands, or changing configuration parameters. There are usually different roles that a human can take in this interaction such as user, administrator, or developer. While the user will have a more limited range of actions that can be performed, the administrator and the developer will be able to make changes to the system. The communication between humans and the IoT systems can take place in one or more of the following ways:

• Directly with the IoT device, through a touch screen, keyboard, or other means of interaction;
• Through software that runs in a computing device such as a mobile phone, a tablet, or a computer; or
• Through a dedicated interface, similar to the electronic totems or screens that are used in airports for checking in or retrieving information of flights. It is usual to see keyboards or touch screens as well in industrial environments as a means to interact with different machines.
While some IoT systems require little or no human interaction, others are designed to have a higher level of dependency on human inputs. It will all depend on the purpose of the system and its application. For example, some industries can have highly automated manufacturing processes where only monitoring is required and actions need to be performed by humans only when there is an abnormal event. This is also the case of an airplane flying in autopilot mode compared with one that is manually commanded. A smart device that monitors sugar levels in the blood of a patient and sends this data to a hospital’s system is another example of an IoT system that might not require its user to perform any action. On the other hand, a smart TV will require input from users to select their preferred programs and the times at which they wish to watch them. Figure 1.2 shows a general diagram of an IoT system and the interaction between different components.

Figure 1.2 Interaction between different components of an IoT system (diagram: things, gateway, proximity network, access network, service network; computer systems comprising software platforms (software, analytics, data processing, databases) and hardware platforms (servers, cloud servers, data centers); human interfaces (hardware, software; rules, monitoring & control))

A useful way to understand the different components of IoT and their interactions is through an architecture model that provides a view of the system from different perspectives. Most of these models define different tiers or layers to describe the deployment of IoT. At one end, there will be a layer that corresponds to the physical domain, and at the other will be the enterprise or management of the system. In between, there are hardware and software platforms, and communication networks that allow the interaction between different sorts of computer interfaces and the physical world. Although there is no standard definition for an IoT architecture, several models are available that can be useful to study the interactions of its components from different perspectives. To explore this further, it is a good idea to start with the Industrial Internet Consortium model, which is available online. Microsoft Azure has also made available online a great deal of information about its IoT security architecture. Finally, the IoT-A model also provides a complete view of IoT from different perspectives, including examples of use cases.
It should be noted that the description I made of the different IoT building blocks or elements is agnostic with regard to any type of technology. Most of the architecture models for IoT will also tend to be general, in order to cover diverse technologies used across a variety of IoT systems. Different industries have specific types of systems they often use to control their processes. Some of them precede the idea of IoT since they have been operating in these industries for decades. Therefore, they correspond to a special case where old technologies have been integrated with new ones. Examples of this are systems that are built based on Programmable Logic Controllers (PLC), Digital Direct Controllers (DDC), industrial computers, motor drives, microcontrollers, and microprocessors. These different types of controllers have been used to process information coming from the readings of sensors, such as temperature, pressure, humidity, weight, and position, and give commands to actuators like motors, switches, or valves.

Regarding communication networks, protocols used in the proximity by the things or in the access network can be general purpose ones, such as Bluetooth, Wi-Fi, and cellular networks, or specific protocols that have been developed for IoT, such as LoRa, ZigBee, and Z-Wave. In industry, it is more often the case that the sensors and actuators are wired and use protocols such as BACnet, LonWorks, Profibus, DNP3, OPC, and Modbus, or CAN-based protocols. All of these are industrial protocols that have been around for a while, and most of them were not developed having cybersecurity in mind since this was not a priority at the time. The protocol used depends on the different requirements of the system, such as distance range, speed, reliability, privacy, and compatibility with other devices, or simply the preference of the manufacturer and user. Overall, there are no standards for communication protocols for IoT, but it is usual that the access and service networks will make use of more standard technologies and communication protocols, since they connect to IT systems. The public Internet will therefore be a common means of communication for many IoT systems, and cloud computing will often be used as a handy way to store and process the data. Nonetheless, many applications and industries require using local or private networks for security and privacy reasons.

Now that we have a better idea of what IoT is, we can explore some of its characteristics. If some readers have not gotten the complete picture yet, please be aware of the possibility of complex interactions between IoT components that vary from system to system. However, as long as you understand that IoT means connected things that can be controlled using computers, mobile phones, and tablets, that is enough for now. As you progress through the chapters, many things should become clearer.
As already mentioned, a single IoT system can encompass diverse technologies. In addition, an IoT system might be formed by subsystems, which leads to the popularly used term system of systems. You might be already familiar with this concept as well as with the term embedded system, but in case you are not, it simply refers to fully functioning systems that belong within a bigger, more complex system. For example, a voice command system that has a microphone (sensor) and a microcomputer that processes the voice input constitutes a system that can be used by other bigger systems such as cars, digital assistants, toys, or anything, imaginably, that could be controlled remotely by voice. An embedded system corresponds to hardware and software that serve a specific purpose and are integrated into a major system. In a vehicle you can find several electronic control units (ECU) that are in charge of one or more systems such as engine control, transmission, or brakes; each one of these ECUs has its own hardware and software that perform specific tasks, but all of them belong to this major system, that is, the vehicle, and work in coordination to make it function properly.
It can often happen in IoT that different parts of subsystems are not in the same location. A typical example of this is smart cities, where different sensors will be widely distributed to collect information about traffic conditions, air quality, utilities supply and consumption, and public transport, among other services that are yet to be created or even imagined. This is achieved only by the interaction of multiple processes and services that will often run on different platforms and have different manufacturers, owners, and administrators. For example, a smart building will have different electronic equipment from different brands for temperature control, access control, and power consumption monitoring, but it all might be controlled by the same software or building management system (BMS), which might run in its own server or might be hosted in the cloud or use a Software as a Service (SaaS) modality. All of this involves different suppliers for products and services, including the maintenance and administration of each subsystem of the smart building. The development and wider use of cloud computing has made it possible to commoditize the hosting of applications, delegating the administration of hardware and software platforms to a third party. This provides important economic benefits such as applying economies of scale principles to IT services, but it also introduces third-party risks. This is just an example of how the level of specialization of businesses in different technologies or services can introduce difficulties associated with assigning clear boundaries and responsibilities for each part of a whole system. Furthermore, getting a unified picture of how the system works end to end can also be difficult since different actors might thoroughly understand only some parts of it.

How IoT Can Introduce Risks in an Organization

While IoT is entering into every sphere of human endeavor and in all sorts of industries, it is still a phenomenon that is not well understood—at least not by all the relevant actors involved in its development and use. Even if somebody knows perfectly well how an IoT system works, he or she might miss the implications that its use has in a certain context. For a full understanding, it is necessary to have a holistic view including operational, business, economic, legal, and even ethical implications of a new IoT device appearing on the scene. On the one hand, IoT realizes all the futuristic dreams of the past century, when we were expecting to have technological cities full of flying driverless cars by the year 2000. On the other hand, it also brings up a lot of questions and dilemmas. For example, driverless cars will force the enactment of totally new regulations and raise questions such as who is mainly responsible in the case of an accident. Privacy is a major concern regarding IoT since by delegating the control of many of our tasks to “things” we are also providing them with a lot of information about our lives and behaviors. What if somebody with bad intentions got access to that information?
There are several ways in which IoT can introduce risks to an organization, from data theft to denial of service and interruption of industrial operations. Over the past decade, many attacks involving IoT and Industrial IoT (IIoT) have taken place. At the same time, there have been many vulnerability reports and demonstrations of potential attacks that reveal that some systems only need somebody willing to break them in order to be breached. Despite all this, many problems remain unsolved and lack of awareness still persists. Last week I went to a seminar on IoT where academics and practitioners exposed their ideas on how they see IoT changing our world. Cybersecurity was not even mentioned as one of their main challenges, but certainly, it is!
IoT has, for sure, the potential to allow us to make more efficient use of the resources available and make our lives easier. An example of this is the use of IoT-capable technologies to program our washing machine to turn on at the hours of low power consumption, not only reducing our electricity bill but also helping avoid overloading the power grid. Also, traffic can be diverted and journeys planned better by having live data of the traffic conditions. Lives can be saved by continuously monitoring the vital signs of critical patients and raising alerts when something abnormal is detected, and even by automatically injecting them with the appropriate doses of drugs according to their condition. Now let us think about these same scenarios from another perspective, namely that of the risks introduced by IoT. A hacker could remotely turn on not only our washing machine but also all our electric home appliances at the hour of peak consumption. This would not only increase our electricity bill but also overload the electrical grid of the area. Now imagine that they do this in every house at the same time and cause a blackout. Traffic could be maliciously diverted the wrong way, causing congestion or even accidents. A patient could be put at risk or even killed by a wrong diagnosis or by the injection of the wrong dosage of a drug. So although IoT promises great solutions, its associated risks also need to be addressed.
There are probably many reasons why manufacturers and developers of different products and services associated with IoT avoid talking about security. Some of them might not be very conscious of the importance of developing secure products, or may not even know how to do it. Remember that cybersecurity is a field that is more developed in the IT world than in IoT, and even for traditional IT services it faces several challenges at the moment. In many industries, a lack of security regulations and standards prevails, and there are no market pressures for improving security either. On the other hand, there are pressures for time-to-market and lower costs, which introduces another explanation: implementing security measures increases production times and costs. Also, and despite the multiple attacks involving IoT that have happened already, apparently many relevant actors still do not believe that the threat is real. Even though they might know that their products are vulnerable, there is a common bias toward thinking that there will be little or no interest from the attackers’ perspective in breaching certain systems. One might think, for example, “Who will want to steal the information about how many calories someone burnt last week?” The truth is that any information that is valuable to us is likely to be valuable to somebody else. Maybe not in the way we think about it, but by accessing private information criminals can perpetrate scams. That is why seemingly trivial data such as the location or routine of a person can be considered sensitive information under a series of circumstances.

It is worth noting that not all cyberattacks have the objective of stealing data. A device can be remotely locked and remain inaccessible until a ransom is paid. It can also be used as a bot in a denial of service attack against a third party. Therefore, it is not wise to underestimate a priori the motivation and capabilities of a potential attacker. A thorough risk analysis should determine whether an organization is able to take the chance or is better off employing caution and doing something different to avoid or mitigate an attack. In other words, it is important to make informed decisions based on a cost-benefit analysis, rather than to be oblivious to the risks.

Summary

What is IoT? A straightforward and simple definition is that it is “things other than servers and PCs which are connected to computer networks” (Macaulay 2017). More than a specific type of product, IoT represents a concept or a paradigm that can be used to develop different products and services. Overall, IoT refers to systems that include objects that are capable of interacting with the real world by extracting information from it, executing actions on it, or both. These interactions are transformed into data that is sent from and to computers. This data is processed and used to make decisions, sometimes automatically and in real time. It is also stored, and can therefore provide knowledge about the past behavior of the system. IoT is heterogeneous and present in every industry vertical. As much as it has solved a number of problems, it has also caused, and continues to cause, new ones. The security problems introduced by IoT are what the rest of this book is mostly about!
Index

Access controls, 73
Access network, 7
Activity logs, 98
Aircraft, 33
Application Programming Interfaces (APIs), 46
Appropriate cybersecurity program, 72–73
Ashton, Kevin, 39
Attacks targeting IoT systems, 87–101. See also bots; threat intelligence
  attack vectors, 92
  malicious control of IoT systems, 96
  privacy breaches, 96
  sabotage, 97
Authentication mechanism, 43

Bacnet, 11
Blackenergy, 21
Bots, devices use as, 94–96
Brickerbot, 24–25
Bring your own device (BYOD), 63
Brute force attack, 18, 43
Bugs, 44
Building management system (BMS), 12, 56
Business continuity planning, 78
Business intelligence (BI) tools, 8

CAN-based protocols, 11
Cheney, Dick, 27
Code injections, vulnerability to, 45
Common vulnerabilities and exposures (CVE), 109
Common vulnerability scoring system (CVSS), 109
Communication networks, 7–8
  access network, 7
  computer systems, 8
  proximity network, 7
  service network, 7–8
Communication protocol, 2
Compromised closed circuit television (CCTV) systems, 20
Computer systems, 8
Confidentiality, integrity, and availability (CIA) triad, 50
Connected devices, 40
Controller Area Network (CAN), 7, 30
Corporate network, 61–62
Credentials, 42
Customer relationship management (CRM), 8
Cyberattacks, 89, 107. See also attacks targeting IoT systems
Cybersecurity, 5, 14
Cybersecurity measures in IoT, challenges, 47–54
  awareness, lack of, 50
  requires different approaches than traditional security, 53
  security left in no-man’s-land, 52–53
  security, 49
  standards and regulations, lack of, 51
  technical constraints, 47
Cyberwarfare, 90

Demilitarized zone (DMZ), 73
Denial-of-service (DoS) attack, 94–95
Design flaws, 44
Dictionary attack, 18
Digital Direct Controllers (DDC), 11
Digital Economy Act (UK), 52
Distributed control systems (DCS), 65
Distributed denial-of-service (DDoS) attack, 18, 87
Domain Name System (DNS), 18
Drone jacking, 36

Electronic Control Units (ECU), 12, 29
Embedded system, 12
Encryption, 100
Enterprise risk management (ERM), 8
European Agency for Network and Information Security (ENISA), 2, 52

Federal Trade Commission Act (USA), 52
Finland, heating services in, 22
Firmware, 41, 66
Fish tank in the casino, 20

GE SCADA Systems, 33–34
General Data Protection Regulation (GDPR), 52, 82, 88
Governance, risk, and compliance (GRC) tools, 109

Hacking experiments, 27–38
Health care intelligent devices, 32–33
Honeypot, 29
Human–Machine Interfaces (HMI), 2, 8–13

Industrial automation and control systems security (ISA 2015), 110
Industrial control systems (ICS), 65–79
Industrial environment, IoT in, 65–79
  appropriate cybersecurity program, 72–73
  business continuity planning, 78
  legacy systems, assess risks introduced by, 76
  maintenance, 77
  network architecture, 73–74
  personnel security training, 77–78
  physical access, 76
  process-aware approach, 72
  resilience, 78
  safety regulations, alignment with, 74
  secure configuration, 77
  security improvement, areas to look into, 72–78
  supply chain management, 75–76
  threat intelligence, 74–75
  updates, 77
  vulnerability, 74–75
Industrial Internet of Things (IIoT), 14, 17, 66
Information technologies (IT), 66
Insecure data management, 42–43
Insecure interfaces, 46
Insecure network services, 46
Intelligence agencies, 90
Internet of Things (IoT), 1–16
  building blocks of, 5–13
    actuation, 6
    communication networks, 7–8
    computation, 6
    sensing, 6
    things, 6–7
  components of, interaction between, 10
  description, 1–16
  as fourth industrial revolution, 3
  organization risks, reducing, 13–15
  real world, interactions with, 4
Internet protocol (IP) phones, 56
Intrusion detection systems (IDS), 62, 73
Intrusion prevention systems (IPS), 62

Jamming, 58

Legacy systems, assess risks introduced by, 76
Local area network (LAN), 21
Lonworks, 11
LoRA, 11, 100

Malicious control of IoT systems, 96
Malware defense, 98
“Man-in-the-middle” attack, 58
Manufacturer commitment, 61
Miller, Charlie, 29
Mirai Botnet, 18–19
MITRE Corporation, 109
Modbus, 11
Munro, Ken, 35

National Institute of Standards and Technology of the USA (NIST), 52, 73
Nation-states, 90
Network architecture, 73–74
Network monitoring, 99
No-man’s-land, 52–53

Office environment, IoT in, 55–64
  areas to look into, 59–64
    bring your own device (BYOD), 63–64
    corporate network, 61–62
    disposal of IoT devices, 63
    maintenance, 63
    operation of IoT systems, 62–63
    physical access, 62
    security updates, 63
    setup and configuration, 62
  purchase decisions, 60–61
    brand, 60
    manufacturer commitment, 61
    model vulnerabilities, 60
    vulnerability management process, 61
  remote work policies, 63–64
  supply chain management, 60–61
Oil and Gas subsector (ONG-C2M2), 110
Open ports, 45
Open Web Application Security Project (OWASP), 42
Operational technologies (OT), 66

PDCA (Plan, Do, Check, Act) cycle, 104
Penetration testing, 36
Permanent Denial of Service (PDoS), 24
Personnel security training, 77–78
Physical security, 45
Printers, 55–64
Privacy breaches using IoT, 96
Privacy concerns, 46
Process-aware approach, 72
Profibus, 11
Programmable Logic Controllers (PLC), 11, 23
Proximity network, 7

Ransomware, thermostats vulnerable to, 35–36
Real attack cases, 17–26
  real-life cyberattacks, 17–25
Real-life cyberattacks, 17–25
  Brickerbot, 24–25
  brute force attack, 18
  CCTV Botnet, 20
  Dallas Emergency Sirens, 22–23
  dictionary attack, 18
  drawing Pads Architecture Company, 20–21
  Finland, heating services in, 22
  fish tank in the casino, 20
  Iran’s Nuclear Plant, 23–24
  Lodz, Poland City’s Tram System, 22
  Maroochy Water Services, Australia, 21
  Mirai Botnet, 18–19
  New York, Dam, 23
  Sabotage of Siberian Pipeline, 1982, 23
  Ukraine’s power grid, 21
  university attack, 19–20
Real world, 4, 6
Remote work policies, 63–64
Repository of Industrial Security Incidents (RISI), 26
Resilience, 78
Return of security investment (ROSI), 106
Risk management process, 104–111
  PDCA (Plan, Do, Check, Act) cycle, 104
Routers, 55–64

Sabotage, 97
Safety regulations, alignment with, 74
Sandworm team, 33
Security configuration, 46
Security controls, 97–101
  activity logs, 98
  encryption, 100
  limitations, 97–101
  malware defense, 98
  network monitoring, 99
  secure authentication, 97
  software and firmware updates and patches, 100
Service network, 7–8
Smart meters, 82
Smart things, disadvantages, 17–26
Smart TVs, 55–64
Software as a Service (SaaS), 13
STRIDE model, 109
Stuxnet, 23–24
Supervisory Control and Data Acquisition (SCADA) system, 21, 65–70
Supply chain management (SCM), 60–61, 75–76
System of systems, 12

Threat intelligence, 74–75, 88–93
  attack vectors, 92
  cyberwarfare, 90
  intelligence agencies, 90
  nation-states, 90
  typical attacks, 93–97
3-D printing, 67
Tierney, Andrew, 35

Uninvited guests, 55–64
University attack, 19–20
US Cybersecurity Capability Maturity Model for the Electricity subsector (ES-C2M2), 110
Utilities and service monitoring, IoT in, 81–86
  business continuity planning and resilience, 85
  insurance, 85
  ownership of systems and of data, 85
  security improvement, areas to look into, 84–85

Valasek, Chris, 29
Vault 7, 31
Virtual Private Network (VPN), 64
Vulnerability assessments, 27–38
  hacking experiments, 27–38
  potential attacks, 28–37
    Aircraft, 33
    baby monitors, 31–32
    commercial drones, 36–37
    connected kettles in London, 34–35
    GE SCADA Systems, 33–34
    health care intelligent devices, 32–33
    IP cameras, 35
    Jeep Cherokee, 29–30
    Samsung Smart TV, 30–31
    Sandworm team, 33
    Siemens healthineers products, 34
    Smart meters, 35
    Smart Toys, 34
    Tesla Model S, 30
    thermostats vulnerable to ransomware, 35–36
    Toaster Experiment and IoT Honeypots, 28–29
Vulnerability of IoT, 39–54, 74–75. See also cybersecurity measures
  application over privilege, 47
  brand, 60
  challenges, 39–54
  connected devices, 40
  critical components not/badly implemented, isolation, 45
  design flaws and bugs, 44
  insecure data management, 42–43
  insecure interfaces, 46
  insecure network services, 46
  management, 61
  model vulnerabilities, 60
  open ports, 45
  poor physical security, 45
  poor security configuration, 46
  privacy concerns, 46
  requirements, 39–54
  link to code injections, 45
  typical, 48
  users’ awareness, 43–44
  weak authentication mechanism, 43
  weak credentials, 42
  weak security policies, 44

Wannacry Ransomware attack, 34
Wi-Fi Protected Access (WPA), 33

Zigbee, 11, 100
Zozosuit, 82
Z-Wave, 11
OTHER TITLES IN OUR BUSINESS LAW
AND CORPORATE RISK MANAGEMENT COLLECTION
John Wood, Econautics Sustainability Institute, Editor
• Buyer Beware: The Hidden Cost of Labor in an International Merger and Acquisition by Elvira Medici and Linda J. Spievack
• European Employment Law: A Brief Guide to the Essential Elements by Claire-Michelle Smyth
• When Business Kills: The Emerging Crime of Corporate Manslaughter by Sarah Field and Lucy Jones
• A Freelancer’s Guide to Legal Entities by Alex D. Bennett
• Corporate Maturity and the “Authentic Company” by David Jackman
• Counterintelligence for Corporate Environments, Volume I: How to Protect Information and Business Integrity in the Modern World by Dylan van Genderen
• Counterintelligence for Corporate Environments, Volume II: How to Protect Information and Business Integrity in the Modern World by Dylan van Genderen
• Contract Law: A Comparison of Civil Law and Common Law Jurisdictions by Claire-Michelle Smyth and Marcus Gatto
• Board-Seeker: Your Guidebook and Career Map into the Corporate Boardroom by Ralph Ward
• Conversations in Cyberspace by Giulio D’Agostino
• Cybersecurity Law: Protect Yourself and Your Customers by Shimon Brathwaite
Business Expert Press has over 30 collections in business subjects such as finance, marketing strategy, sustainability, public relations, economics, accounting, corporate communications, and many others. For more information about all our collections, please visit www.businessexpertpress.com/collections.
Business Expert Press is actively seeking collection editors as well as authors. For more information about becoming a BEP author or collection editor, please visit http://www.businessexpertpress.com/author

Announcing the Business Expert Press Digital Library

Concise e-books business students need for classroom and research
This book can also be purchased in an e-book collection by your library as
• a one-time purchase,
• that is owned forever,
• allows for simultaneous readers,
• has no restrictions on printing, and
• can be downloaded as PDFs from within the library community.
Our digital library collections are a great solution to beat the rising cost of textbooks. E-books
can be loaded into their course management systems or onto students’ e-book readers.
The Business Expert Press digital libraries are very affordable, with no obligation to buy in
future years. For more information, please visit www.businessexpertpress.com/librarians.
To set up a trial in the United States, please email sales@businessexpertpress.com.