https://www.iotworldtoday.com/wp-content/themes/ioti_child/assets/images/logo/footer-logo.png
  • Home
  • News
    • Back
    • IoT World 2020 News
  • Strategy
  • Special Reports
  • Galleries
  • Business Resources
    • Back
    • Webinars
    • White Papers
    • Industry Perspectives
    • Featured Vendors
  • Other Content
    • Back
    • IoT World 2020 News
    • Q&As
    • Case Studies
    • Features
    • How-to
    • Opinion
    • Video / Podcasts
  • More
    • Back
    • About Us
    • Contact
    • Advertise
    • Strategic Partners
  • IOT World Events
    • Back
    • Internet of Things World: San Jose
    • IoT World 2020 News
Iot World Today
  • NEWSLETTER
  • Home
  • News
    • Back
    • IoT World 2020 News
  • Strategy
  • Special Reports
  • Galleries
  • Business Resources
    • Back
    • Webinars
    • White Papers
    • Industry Perspectives
    • Featured Vendors
  • Other Content
    • Back
    • IoT World 2020 News
    • Q&As
    • Case Studies
    • Features
    • How-to
    • Opinion
    • Video / Podcasts
  • More
    • Back
    • About Us
    • Contact
    • Advertise
    • Strategic Partners
  • IOT World Events
    • Back
    • Internet of Things World: San Jose
    • IoT World 2020 News
  • newsletter
  • IIoT
  • Cities
  • Energy
  • Homes/Buildings
  • Transportation/Logistics
  • Connected Health Care
  • Retail
  • AI
  • Architecture
  • Engineering/Development
  • Security
ioti.com

Security


Getty Images

ICS security

ICS Security, Medical Devices and the Accidental Bogeyman

Swarms of hackers could maliciously target industrial facilities and hospitals. But for now, cybersecurity-related mistakes and negligence pose bigger risks.
  • Written by Brian Buntz
  • 7th May 2019

Hacked pacemakers, insulin pumps, cars, industrial facilities, satellites and breached power grids… For years now, cybersecurity researchers have been warning of the possibility of black hat hackers to hurt or kill people through their exploits — often with demonstrations about how they could do it.

But the degree of sensationalism often accompanying the topic can obscure the true level of risk, while doing little to underscore the level of risk of common attack vectors and vulnerabilities such as outdated operating systems, unpatched or buggy software, malconfigured networks and the like.  

In general, the level of cyber risk is high with industrial control systems, which are used for an array of applications, from controlling satellites to oil-and-gas equipment to automation equipment in factories. There are reports of computer sabotage causing chaos stretching back decades. True, it is difficult to verify, say, whether the United States deployed Trojan malware on computing equipment used to control the flow of gas in a Trans-Siberian pipeline, prompting a massive explosion. Thomas C. Reed, a former Air Force secretary in the Reagan administration, claimed as much in the book “At the Abyss.”

[Internet of Things World is the intersection of industries and IoT innovation. Book your conference pass and save $350, get a free expo pass or see the IoT security speakers at the event.]

But attacks on connected industrial systems are common now. A number of cybersecurity vendors, from IBM Managed Security Services to Kaspersky Lab, have tracked an uptick in ICS security attacks in recent years. Only in March, Norsk Hydro, one of the largest aluminum producers globally, struggled with cyber-induced production in operations in both Europe and the United States.

In to deal with the problem, industrial giant Siemens and TÜV SÜD, the international testing, inspection and certification firm, joined forces on what they call “a new approach to digital safety and security.” “Attacks against industrial environments are increasing at an exponential pace,” said Leo Simonovich, vice president and global head for industrial cyber and digital security at Siemens. “However, unlike in IT, where the primary concern is data loss, cyberattacks targeting operational technology can lead to a potential shutdown or worse.” The two companies will thus collaborate to offer what they are terming “digital safety and security assessments” to help energy customers, in particular, assess and manage cyber risk.

Simonovich pointed to the potentially-catastrophic Triton malware, which the cybersecurity firm Dragos discovered in Saudi Arabia in 2017. Researchers recently found the code at a second facility.

“What was remarkable about [the Triton] attack, was the ease with which attackers traversed from IT to OT to safety systems,” Simonovich said.

Indeed, this is a recurring theme across sectors where cybersecurity breaches pose a potential safety risk. Despite all of the research demonstrating esoteric and often borderline-implausible types of attacks at cybersecurity events, it is easy to overlook the risk posed by, say, an “air-gapped” Windows XP computer or dated malware such as Kwampirs, a trojan discovered in 2015, or Conficker, first discovered in 2008. While hackers could, say, modify CT scans to create fake cancer cells, as researchers demonstrated, it is more likely that a hospital will get hit with a commodity type of attack or a pacemaker patient will end up targeted by a cyber-hitman. “People always laugh when I say: ‘Even though I consider myself a cybersecurity expert, there are easier ways to hurt people,” said Stephanie Preston Domas, vice president of research and development at MedSec. “All of these fancy custom exploits designed against medical devices are not pointing to the real problem. The real problem is things like Kwampirs still work. Things like Conficker still work.”

And then there is WannaCry, the 2017 ransomware attack that Europol said was unprecedented in its scope. Affecting some 200,000 computers, WannaCry affected industrial and medical facilities. Nissan had to stop production in a facility in the United Kingdom. Renault was forced to halt production in multiple sites. Germany’s train company Deutsche Bahn was a victim. A similar piece of malware hit, Notpetya, caused millions of dollars worth of damages to shipping giant Maersk.

But as large as the ICS security impact was, WannaCry also had an outsized impact on the UK’s National Health Service, resulting in damages at nearly £100 million while leading to the cancellation of 19,000 medical appointments.

It’s possible that WannaCry, or a similar commodity attack, could lead to death or injury by, say, delaying a heart surgery, although it is generally difficult to prove a direct connection, said Leon Lerman, chief executive officer of Cynerio.

Attacks like WannaCry also illustrate the risk of exploits developed by nation states leaking and unwittingly empowering adversaries to attack the U.S. and allies. WannaCry and NotPetya both used an exploit known as EternalBlue, which the U.S. National Security Agency likely developed. The New York Times recently reported Chinese intelligence agents used “key parts of [the United States’] cybersecurity arsenal” to carry out attacks. Incidentally, the piece also reports that the sophisticated NSA-developed Stuxnet malware used to target Iranian nuclear centrifuges caused damage to U.S. businesses including Chevron.  

Domas is more worried about generic malware or simple carelessness playing a role in cyberattacks with safety consequences. “I still see too much sensationalism focused on bad guys causing patient harm,” she said. “I would love to see more of a shift toward understanding that if patient harm has happened [as a result of a cyberattack], it’s probably accidental. It is probably a side effect of something else that they were trying to do on the system.”

Researchers who examine cyberattacks on industrial control systems see a similar pattern, Simonovich said. “Most have some level of human error associated with the breach.”

On a related note, faulty software code on industrial systems and medical devices is a subject closely related to both safety and cybersecurity. The recent saga regarding the Boeing 737 MAX underscores this point. Writing about the problem, security expert Bruce Schneier wrote: “Technically, this is safety and not security; there was no attacker. But the fields are closely related.”

Domas agrees with that sentiment, citing, for example, the case of a hospital worker who caused an anesthesia machine to seize up abnormally after plugging a cellphone into it. It is easy to overlook the risk of such everyday occurrences, which don’t involve a cyberattacker.

Similarly, the types of headline ICS security and medical device stories that tend to garner the most media coverage make it easy to overlook the risk of insider threat. But “insider threat makes up the overwhelming majority of [attacks in the industrial sector],” Simonovich said.

Ultimately, to help address risk in ever-more connected industrial and medical environments, the people who work within them need to clearly understand the risk such connected systems can pose, whether exploited on purpose or inadvertently. “I think the people who are technology savvy are becoming more aware, but I really don’t see a huge kind of uptick in understanding or appreciation for the people who are not.”

And then, the topic of gauging risk management can be fiendishly difficult. One of the threat modeling, which is a subset of risk management. “But because there are so many cyber risks in any system, and you can’t fix all of them,” Domas said. “So that’s why you have to pair it with things like threat modeling and figure out what are the ones you need to be most concerned about,” she added. “Honestly, a lot of times, you find things that come up that trickle through your ranking system and you said: ‘You know what? I’m okay with that risk,’ and you do nothing to fix it, even though you know, there’s a cybersecurity issue there,” Domas said. “You have to strategize. You can’t fix everything.”

Tags: Connected Health Care IIoT/Manufacturing Security Features

Related


  • Image shows welding robotics and a digital manufacturing operation.
    IoT Supply Chain Vulnerability Poses Threat to IIoT Security
    The supply chain provides building blocks for IoT but also vulnerabilities. IT pros need to ward against malicious attacks that exploit supply chain security gaps.
  • IoT Security Needs Pen Testing Approach
    IoT pen testing is a no-brainer, say experts. But don’t test everything.
  • Supply Chain Analytics and IoT Loom Large in Wake of 2020 Disruption
    The COVID-19 crisis has made disruptive events par for the course. Supply chain analytics, digital twins and other tools have become key to understanding and predicting disruption.
  • IoT App Development Gets Agility Boost From Container Technologies
    IoT app development has clamored for greater agility, productivity and security. Container technologies can realize those benefits.

Leave a comment Cancel reply

-or-

Log in with your IoT World Today account

Alternatively, post a comment by completing the form below:

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Related Content

  • Securing IoT at the Edge Is Key to Safe IoT Operations
  • Industrial Transformation Faces Rocky Road in 2020
  • Adoption of the Internet of Robotics Things Accelerates
  • Building a Foundation for AI in Cybersecurity

News

View all

Private LTE Market Projected to Grow to $13 Billion

12th January 2021

IoT World Announces 2021 IoT World Advisory Board

9th December 2020

White Papers

View all

The eSIM Cookbook – Towards the Next Generation of Connected Devices

22nd February 2021

eSIM Delivers Greater Freedom for OEMs – by Beecham Research and Truphone

22nd February 2021

Special Reports

View all

Cybersecurity Protection Increasingly Depends on Machine Learning

28th October 2020

Webinars

View all

Weber’s Journey: How a Top Grill Maker Serves Up Connected Cooking

25th February 2021

From Insights to Action: Best Practices for Implementing Connected Device Security

15th December 2020

Galleries

View all

Top IoT Trends to Watch in 2020

26th January 2020

Five of the Most Promising Digital Health Technologies

14th January 2020

Industry Perspectives

View all

IoT Spending Holds Firm — Tempered by Dose of ‘IoT Pragmatism’

1st December 2020

The Great IoT Connectivity Lockdown

11th May 2020

Events

View all

IoT at the Edge

17th March 2021

Embedded IoT World 2021

28th April 2021 - 29th April 2021

IoT World 2021

2nd November 2021 - 4th November 2021

Twitter

IoTWorldToday, IoTWorldSeries

At Microsoft Ignite: How IoT and Robotics Are Driving Industry 4.0 dlvr.it/Rttgwj

3rd March 2021
IoTWorldToday, IoTWorldSeries

🎙️ Introducing #EIOTWORLD speaker, Obinna Ilochonwu, Industrial IoT Architect at Schlumberger. 📅 Join his session… twitter.com/i/web/status/1…

2nd March 2021
IoTWorldToday, IoTWorldSeries

#Smartbuilding technology lays the foundation for #energyefficiency efforts but also new COVID-19 goals, such as… twitter.com/i/web/status/1…

2nd March 2021
IoTWorldToday, IoTWorldSeries

IoT Remote Monitoring Helps Enterprises Traverse COVID-19 and Beyond dlvr.it/RtZ3K5 https://t.co/owJXYf1gkO

26th February 2021
IoTWorldToday, IoTWorldSeries

Securing the Industrial Internet of Things dlvr.it/RtYfYk https://t.co/khUn79dvQD

26th February 2021
IoTWorldToday, IoTWorldSeries

📢 Announcing #EIOTWORLD sponsor, @BluetoothSIG — the global standard for simple, secure wireless connections. ➕ Le… twitter.com/i/web/status/1…

26th February 2021
IoTWorldToday, IoTWorldSeries

How IoT Devices Can Enhance the Connected Customer Experience dlvr.it/RtPcvS

24th February 2021
IoTWorldToday, IoTWorldSeries

🤝 Meet #EIOTWORLD speaker Ingo Feldner, Project Lead for Virtual #Hardware Platforms at @RobertBoschGmbH 📅 Join hi… twitter.com/i/web/status/1…

24th February 2021

Newsletter

Sign up for IoT World Today newsletters: vertical industry coverage on Tuesdays and horizontal tech coverage on Thursdays.

Special Reports

Our Special Reports take an in-depth look at key topics within the IoT space. Download our latest reports.

Business Resources

Find the latest white papers and other resources from selected vendors.

Media Kit and Advertising

Want to reach our audience? Access our media kit.

DISCOVER MORE FROM INFORMA TECH

  • IoT World Series
  • Channel Futures
  • RISC-V
  • Dark Reading
  • ITPro Today
  • Web Hosting Talk

WORKING WITH US

  • Contact
  • About Us
  • Advertise
  • Login/Register

FOLLOW IoT World Today ON SOCIAL

  • Privacy
  • CCPA: “Do Not Sell My Data”
  • Cookies Policy
  • Terms
Copyright © 2021 Informa PLC. Informa PLC is registered in England and Wales with company number 8860726 whose registered and Head office is 5 Howick Place, London, SW1P 1WG.
This website uses cookies, including third party ones, to allow for analysis of how people use our website in order to improve your experience and our services. By continuing to use our website, you agree to the use of such cookies. Click here for more information on our Cookie Policy and Privacy Policy.
X