Discover how the ‘Internet of Things’ is opening up vulnerabilities in business
The Internet of Things is a buzzword of our age. Analyst firm Gartner estimates that we’re currently using 8.4 billion connected things worldwide. By 2020 that will skyrocket to 20.4 billion. And those ‘things’ can be anything from a mobile phone to a coffee maker – any item with an on/off switch that can be connected to the internet. In the future, any object that can be connected will be connected. This constant connectivity and data sharing has huge potential for organisations and consumers. But this exposure also comes at a cost to security.
When it comes to industrial control systems (ICS), the IoT has led to substantial increases in vulnerabilities. That’s because supervisory control systems (such as SCADA) were designed for efficiency rather than security, and without the internet in mind – let alone the Internet of Things. The risk is therefore particularly acute for certain industries and sectors that, until recently, haven’t had to seriously consider cyber threats. Entire industrial control systems and machinery can be brought down by a single cyberattack, and the business interruption this can cause can be catastrophic.
FM Global, a commercial property insurer, takes a holistic approach when it comes to advising clients about their cyber risk, mitigation and exposure. In fact, it approaches it in the same way as any other risk. A trinity of research, engineering and underwriting is at the heart of FM Global’s unique business model. Together they form the cornerstone of its Cyber Resilience Solutions, which help clients understand their exposure to cyberattacks and the steps required to remain resilient in an unpredictable world.
“Cyber risk is not stagnant, it’s very dynamic. All organisations need to stay ahead and do everything possible to prevent an attack, or at least be able to recover from one in a mindful manner. But the hackers will find new ways to come after our clients and it’s not a static issue. You have to take measures to prevent loss,” says Carmelina Borsellino, FM Global’s Chief Engineer – Engineering and Research.
“We’ve seen a shift in the sophistication of attacks and also in the attitudes of our clients. Previously they were concerned about theft of information, data or intellectual property. But, as attackers are becoming a lot more sophisticated, they are finding more ways to disrupt operations. And this has definitely been a wake-up call for businesses,” adds Borsellino.
The first publicly recognised attack to exploit weaknesses in ICS products happened back in 2010 when ‘Stuxnet’ – a ‘worm’ that spread malicious code – was discovered at Iran’s Natanz nuclear plant. Since then, there have been a few attacks that have caused physical damage, such as one on a German steel mill, which prevented a blast furnace from being shut down properly, and attacks in Ukraine, which caused power outages. Awareness of ICS risk is therefore increasing, but FM Global believes it’s imperative to address the problem.
For the past few years, FM Global has been thoroughly investigating business exposure to attacks, and, therefore, what armour clients need to protect themselves – both inside and out. In response, FM Global has introduced a cyber risk assessment designed to help its clients identify exposure across three key business areas: physical security, information security and industrial control systems. The assessment is designed to develop clear, actionable steps to mitigate cyber risk and avoid business interruption. The first step is an enhanced field engineering visit that looks at preventing unauthorised physical access to data, workstations and networks. Next up is evaluating risk to data, software and intellectual property across the enterprise. Finally, the assessment examines potential risks that may expose facilities systems and equipment to malicious actions – locally or via network intrusion. FM Global’s cyber risk assessment goes beyond compliance and provides a complete, detailed picture of a client’s cyber risk profile and resiliency.
For ICS operators, the advice is to bear these factors in mind when analysing risk:
- Recognise vulnerabilities, understand threats and take steps to protect ICS against cyberattacks
- Educate key individuals associated with your ICS, evaluate their need for access and educate them about cyber risks
- Monitor ICS to detect malware or attempted attacks.
In manufacturing, the IoT enables self-governing processes that resolve issues at their source, before they escalate. But on the flip side, cyberattacks can shut down entire production lines. The potential for physical damage to ICS is very real and can hugely affect critical infrastructure facilities.
Until now, the malware hasn’t been sophisticated enough and so more ransomware attacks on ICS are likely. The UK National Cyber Security Centre warns: “The rise of internet connected devices gives attackers more opportunity. Consumer goods and industrial systems combined with the ever-increasing commercial footprint online provides threat actors with more attack vectors than ever before.”
The IoT will continue to grow at a frenzied pace. This explosion of connected devices promises exponential advances in convenience and efficiency. But businesses need to change their security mindset and view it as the ‘Internet of Unsecure Things’ – and in doing so, protect themselves against potentially costly damage in the future.