Internet of Things Security.

Can the Internet of Things (IoT) wreck the Internet itself?

Free White paper from Abhisam explains.

Internet of Things security

Executive Summary

Unprecedented growth in devices that are connected to the internet, mainly due to the IoT phenomenon, is becoming the Achille’s heel of the internet itself, as these things can be attacked by malicious players and used to launch attacks on the internet infrastructure. This is a serious problem for  Internet of Things security, as it can paralyze critical online infrastructure such as banks, stock exchanges and public utilities. An urgent need exists to come up with globally mandated standards to improve Internet of Things security to avoid these possible undesirable events.

Background

Recently, we all saw a unique attack, on the internet itself!  This was probably the first time that some malicious players in cyberspace, wanted to shut down the internet itself, rather than just some websites that they did not like, at least in a particular area. It was a pretty successful attack that could actually slow down user access to marquee sites such as Twitter, Facebook, Amazon and many others.

You can say the traffic slowed to a crawl, on the so called Information Superhighway. We all take this freeway for granted, never imagining that it can slow us down, however this event showed that even perhaps a small bunch of determined individuals, acting with or without co-operation among themselves, could pull this off, pretty well.

The Great Information Highway Traffic Jam

So what exactly happened? It now turns out that the attack was a large scale DDoS (Distributed Denial of Service) attack on a company that provides DNS (Domain Name Servers) to many websites, including the ones above. It was apparently executed using a botnet , which is another name for a network of compromised/hacked devices that are under the control of malicious actors.

Note: If you are not familiar with Bots, please see the explanation in the box below.

What are Bots?

The word “bot” is short form for robot. You may think of a robot as a humanoid like machine with a physical presence, in reality, there are millions of programs out there that are robotic without having a physical “body” and are referred to as simply bots. Not all bots are malicious, however, such as the famous Googlebots and Bingbots that index the web pages on the internet.

What is DDos?

DDoS is an acronym for Distributed Denial of Service. To explain it in simple terms, when you type an address in your web browser, the request is relayed to the web server that has that site hosted on it and the web pages are served by that hosting server. Different web servers may have different capacities to handle such requests, based on estimated number of users who access the site. If suddenly a large number of users request the same web page then the server is likely to get overloaded and cannot serve these webpages a.k.a. it goes “down” and the webpage is no longer accessible to users. This whole process can be deliberately engineered by hackers or other malicious entities to shut down a website. This is known as DoS or Denial of Service. If these requests came from the same computer or a single or group of IP addresses, then these can be blocked. To avoid these nowadays these criminals then spread these requests over a large number computers spread over a large number of IP addresses, in other words, the attack is “Distributed”. This is known as a Distributed Denial of Service attack or DDoS .

Are Botnets new?

Botnets are not new- what was new this time was the method. It used the much hyped Internet of Things (IoT). This malicious network was comprised of consumer grade IoT devices (not PCs as in traditional botnets). Many of these were suspected to be plain vanilla IP cameras (cameras that use the Internet Protocol to transmit their images). Others were home routers, that have minimal security.

It is not clear if restoration of internet services to these domains later, was due to the attackers having themselves “turned off” the attack OR due to mitigation done by the affected websites and the owners of the DNS service providers. This incident however exposed the internet’s two main vulnerabilities that security experts were warning for a long time now- one is the Domain Name System itself and the second is the poor security features of today’s consumer internet connected devices, many of which are part of the current IoT phenomenon.

The DNS problems are known and I am told will be fixed in the near future. What needs more attention is the upcoming IoT wave, when billions of such devices are becoming part of the internet. This also applies to the IIoT  (Industrial Internet of Things) sector.

Welcome to the insecure Internet of Things (IoT)

The IoT today is right at the top of the Gartner Hype cycle, so a lot of people have placed high hopes in this phenomenon giving a lot of benefits such as data collection, remote monitoring, energy savings, plant and process optimization and so on. However, an often overlooked aspect is the aspect of Internet of Things security.

Most of these devices come with almost no security at all, or at the most have some weak “bolt on” features as an afterthought.

So for example, all it takes to access and hack an IP camera is to find it on the internet (there are easily available tools to do these searches), then query it and try to connect to it by using the infamous “default login” and “default passwords” that IT security admins are so frustrated with, such as 1234 and 1234, or admin and admin. Viola! You have now got access to a device on the internet, that can be used to plant your malware and become part of the army of other bots that form your botnet. If you are a lazy hacker, then you could even make this entire process a fully automated one, so your bot programs scans for connected devices, logs in to them and installs the malware.

Then each of these “slave devices” starts querying whatever DNS service that you plan to target. Do not think that this needs some evil genius to execute- programs to build these botnets are available for free online, such as the infamous Mirai botnet, so even mediocre programmers can do these things. Or if you’re having some cash to throw, instead of  to doing it yourself, you can hire it for as little as $7500 or so per hour, I am told. There are even SaaS (Software as a Service) players out there in the dark recesses of the internet that you can subscribe to for achieving this.

Note: Actually the Industrial Internet of Things that is being implemented in many plants is actually more secure than traditional control and automation systems based on older technology such as DCS, PLC and  SCADA systems. To learn about Industrial Cybersecurity of these systems, take a look at the Abhisam Industrial Cybersecurity training course here.

Going Forward with IoT

Going forward, I hope the security community wakes up and educates users to ensure that they are not inadvertently contributing to these botnets by taking basic steps to at least ensure that their internet connected devices such as TVs, webcams, baby monitors, smart meters, etc are having secure logins and passwords. Also more importantly, the manufacturers should stop setting these easily guessed logins and passwords as the default values.

More importantly, for the companies that want to make good use of this technology, including its industrial cousin, the Industrial Internet of Things (IIoT), it is crucial that they lobby hard to ensure security of all the consumer and domestic grade IP connected devices is strengthened, so that their own networks should not fall prey to mistakes done by third parties.

What about DNS Security then?

This is an entirely big topic, all by itself to be covered in this whitepaper. However, we are informed that work is still ongoing to ensure better security as related to DNS and can only hope that this happens quicker, at least before the IoT really takes shape. In the meantime you can ensure that your own DNS is in OK shape by devising perhaps automated tests that ensure that it is not hacked. Many consumer grade routers and switches do fall prey to DNS viruses, that redirect browser queries to spam and malware sites. The makers of IIoT devices, should ensure that their networks are well protected against such dangers.

Industrial Cybersecurity course

Industrial Cyber Security Training Course

Take this Industrial cybersecurity course today and learn everything about ICS security, IEC 62443 and related standards and more.

Most manufacturing plants today have not implemented Industrial IoT so the Internet of Things security is not that big an issue, as compared to the cyber security risks of traditional automation systems having DCS, PLC and SCADA systems.

Click here to know more

Free Industrial IoT Whitepaper

IndustrialInternetOfThingsTraining

This popular white paper explores how the Industrial Internet of Things and Digitalization are revolutionizing manufacturing including Discrete parts manufacturing as well as the Process Industries.

Click here to know more

Contact Us by filling the form below OR call us OR email

Contact Form Demo (#2)

Just get this Confined Space Safety e-learning course today and get trained in working safely in confined spaces.

Note that it includes all the knowledge that you need to have to know how to work safely in confined spaces.

Can I not get this information free from elsewhere?

There is a  common myth  “Just Google it”

It is a myth that you can simply Google for Confined Space   information and get everything that you need to know.

Most likely you will get a large number of occupational safety articles and information, some videos, some power point slides, but much of the information may be in bits and pieces.

While you can get some basic information about confined space safety from these sources, it may not be complete. Even if you do find enough material, it will take you a long time to sequence it all together in one coherent document that makes sense to you.

Even after doing all this there is a possibility that you may not get what you really need to know from an OSHA compliance perspective

Plus you will spend several hours of your time doing all this for zero returns on your investment!

On the other hand, when you take this Abhisam Confined Space safety course, you know that

    1.  It is very carefully made, with subject matter experts in the field of Occupational Safety, Process Safety & Industrial operations who have spent decades in the actual field creating permit systems, investigating incidents and streamlining methods to reduce or eliminate confined space safety accidents.
    2. Utilizes easy graphics, animations and simulations, real life examples of dos and donts, correct and incorrect practices  that enable you to understand everything easily.
    3.  Earn a Certificate when you pass the associated exam and also get an electronic badge that can be displayed online on places such as LinkedIn. Get Noticed.

Can I not simply buy a book? That will be much cheaper!

Of course, you could always pass this up and decide to go for  buy a book on this topic,

but,

remember that there are some disadvantages with this approach

    1.  The first is that not a single book is available  that covers all the topics that you need to know. On the other hand, there will be many books on general workplace safety, occupational safety, permit systems, that may be relevant to only those working in normal workplaces, not those having confined spaces.
    2.  Some of these books may be outdated and obsolete.
    3.  Nobody gives you a certificate if you simply read a book!

 

What does the $7 trial include?

The $7 trial includes trial access to ALL the courses in the Abhisam Catalog for a limited time including this Confined Spaces Safety course

After the trial is over you can choose to either buy an individual course OR subscribe to the GOLD or PLATINUM membership plans.

Your card will not be billed automatically.

Which versions are available?

This course is available as either stand alone (select the Standard version above), Professional, or as part of the Abhisam GOLD membership level.

The Standard version allows you to access the course online from any device (PC/tablet/smartphone) that has an internet connection and a browser that supports HTML 5 (such as Mozilla Firefox, Google Chrome, Internet Explorer, Microsoft Edge, Opera, etc). You can access the course for a period of one year, within which you need to take the exam to earn a Certificate (electronic). You will also earn an electronic badge that can be displayed online on LinkedIn and similar portals.

The Professional version allows you access to the course for 3 years online. You will also earn an electronic badge that can be displayed online on LinkedIn and similar portals.

The content in the Standard and Professional versions is the same.

What is the Abhisam GOLD membership?

When you subscribe to the Abhisam GOLD membership, you get access to all the courses in the Abhisam Catalog, by paying just one low monthly subscription with no commitment as you can cancel anytime. You can also get a free certification exam every month. If you are interested in taking a bunch of courses, then the GOLD membership gives you an affordable plan to do this. This is available to individuals only.

What is the Abhisam Platinum membership?

This is meant for organizations with multiple learners. When you subscribe to the Abhisam Platinum membership, your learners get access to all the courses in the Abhisam Catalog, by paying just one low Enterprise yearly subscription. You can also get a free certification exam every month. 

Additionally Platinum membership gives you a Dashboard where your Training Manager can see the progress of the learners, such as learner module completion, login times, test scores, etc.