The Threat of Catastrophic IIoT Security Problems Grows

Increasingly, IIoT security is becoming a safety concern.

Brian Buntz

April 19, 2018

3 Min Read
Security framework

As cybersecurity guru Bruce Schneier puts it, “computer security is now everything security.” As you may have guessed, the Internet of Things is the reason for the seeming omnipresence of cybersecurity.

A growing number of security professionals are coming to grips with what this fact means. A recent Deloitte study found that 40 percent of 2,471 professionals from a variety of industries believe IoT security and data management are their greatest cybersecurity challenges.

As for IIoT security, 70 percent of security professionals in the energy sector fear potential breaches that could lead to explosions and other catastrophic failures.

“In the oil and gas and electrical worlds, those guys view risk in a different scale,” said Dean Weber, chief technology officer at Mocana in an interview at the RSA Conference. “They don’t measure risk as an economic loss at the main level; They are concerned about loss of life.”

[Internet of Things World addresses the security concerns for IoT implementation in every vertical, attracting senior security professionals from the world’s biggest organizations. Get your tickets and free expo passes now.]

Yet for industrial companies, the choice to skirt cybersecurity risks by eschewing IoT is not a viable strategy in the long run. Business managers recognize operational data can help them drive efficiencies, build better business cases and even launch new business models.

And industrial-based attacks like Stuxnet have shown that attackers can compromise networks that were designed to be air-gapped. “And Stuxnet was just the beginning,” Weber said. “You had Duqu, Flamer, Gauss, BlackEnergy and components of Shamoon 2. Even BrickerBot and Mirai had object lessons for the industrial community. These devices are not secure and when you think they are by some form of isolation, that isolation can be compromised.”

While Stuxnet was unique in that it was believed to be the work of national government agencies, it may prove to be a harbinger of things to come in IIoT security. In the future, industrial companies now have to worry about malicious actors launching ransomware and cryptojacking attacks on industrial environments; there is also the concern that state-sponsored actors might be probing and attacking their network, as well. Recently, the U.S. government warned that the Russian government has been targeting critical infrastructure in the United States, including the energy sector.

With nation states building up their cyberoperations, it is worth noting the sophistication of such organizations. The 2010 Stuxnet attack, for instance, did a lot more than change damaged nuclear centrifuges by altering how fast they spin. It also fed computer monitors false information to fool operators into thinking nothing was wrong. “Stuxnet also infected other components of the system such as vibration monitors for the centrifuges,” Weber said. “They were masked. There were cameras on the floor environments to visually monitor those centrifuges that were literally shaking themselves apart. Those video camera feeds were replaying old footage during the attack.”  

That’s not all. The attack also rewrote firmware so that infected systems rebooted in a compromised condition. “The [attackers] DDoS’ed the phone system so that the field engineering personnel could not talk to the home office,” Weber said. And, what is less publicized, is the fact that the attack extended into the transportation and mining industries. “Not only were they going to take down the generation and transmission facilities, but they were going to take down the transportation of raw materials to those generation facilities and the companies mining the materials to be transported,” Weber explained.

What is perhaps more troubling is the fact that as awareness of the risk of IIoT security — and IoT security at large — grows, relatively few organizations have mature strategies for addressing it. Deloitte found that 19.4 percent of its survey respondents were “very confident” in their ability to fend off attacks.

While it is clear that IoT technology offers significant operational benefits to trailblazing organizations, the industrial professionals should keep in mind there is a corollary to the Marvel Comic dictum: “With great power comes great responsibility.” In our connected world, with great power also comes great vulnerability.

About the Author(s)

Brian Buntz

Brian is a veteran journalist with more than ten years’ experience covering an array of technologies including the Internet of Things, 3-D printing, and cybersecurity. Before coming to Penton and later Informa, he served as the editor-in-chief of UBM’s Qmed where he overhauled the brand’s news coverage and helped to grow the site’s traffic volume dramatically. He had previously held managing editor roles on the company’s medical device technology publications including European Medical Device Technology (EMDT) and Medical Device & Diagnostics Industry (MD+DI), and had served as editor-in-chief of Medical Product Manufacturing News (MPMN).

At UBM, Brian also worked closely with the company’s events group on speaker selection and direction and played an important role in cementing famed futurist Ray Kurzweil as a keynote speaker at the 2016 Medical Design & Manufacturing West event in Anaheim. An article of his was also prominently on, a website dedicated to Kurzweil’s ideas.

Multilingual, Brian has an M.A. degree in German from the University of Oklahoma.

Sign Up for the Newsletter
The most up-to-date news and insights into the latest emerging technologies ... delivered right to your inbox!

You May Also Like