IoT Security to Protect Critical Infrastructure | Pipeline Magazine

Authors: Andrea Carcano, Michael Dugent

As global digitalization continues to advance across virtually every aspect of society, seemingly millions of new devices are being connected to corporate networks and the internet every day, creating a much larger attack surface for bad actors to exploit. Cybersecurity researchers note that many attacks are now driven by a desire for control and destruction, placing critical infrastructure environments squarely in the crosshairs of hackers. Critical infrastructure systems—the assets and networks, whether physical or virtual, that underpin the functioning of economies and societies—determine the security, prosperity, well-being, and resilience of an entire nation.

A recent report focused on operational technology (OT) and Internet of Things (IoT) security revealed that threat actors are not only increasing the frequency of attacks, but also refining tactics and identifying new entry points. In 2023, state-driven cyberattacks affected 120 countries, with more than 40 percent of them targeting critical infrastructure.

Today, cyberattacks on critical infrastructure are a global risk that requires increased attention and a deeper understanding of the activities that pose a potential threat. Attacks on critical infrastructure environments frequently begin by targeting IoT environments, because these devices are often easier to breach and monitoring of these environments is still limited. IoT is part of a broader spectrum of networked and digital sensor products that has resulted in an explosion of applications. It signifies a fundamental change in the way people interact with the Internet and amplifies both the opportunities and the challenges surrounding critical infrastructure worldwide. The question arises: why do threat actors target IoT environments?

In October 2016, the worst DDoS attack in history knocked out much of the US East Coast. The following year, hackers gained access to sensitive personal and financial information from a North American casino. In March 2021, a security camera company was attacked, exposing live feeds from 150,000 surveillance cameras at hospitals, factories, prisons, and schools. The common denominator among these three attacks was that the perpetrators targeted the IoT environments of these companies to gain access to their internal systems.

The Internet of Things, known as IoT, is a system of interconnected computing devices. The definition of what constitutes an IoT device varies widely, encompassing everything from biomedical implants to sensors in manufacturing and electrical equipment. An industrial ecosystem can include a wide variety of smart devices that collect, send, and act on data from their surroundings. Sometimes these devices also communicate with one another and act on the information they exchange.

Over the past decade, industrial and critical infrastructure operators have rapidly deployed billions of devices to optimize their automation processes by leveraging the data these “things” provide. Unfortunately, this trend has created new cybersecurity risks because these devices are exposed to networks, both public and private. These endpoints have become easy targets for attackers looking to compromise operational processes and maximize the economic benefits of a cyberattack.

As digital transformation leads to an increase in the number of unmanaged devices in industrial environments, the importance of a solid IoT security program to protect critical infrastructure from cyberattacks cannot be overstated. But what makes IoT security such a big challenge for companies?

First, IoT devices are often unmanaged and inherently insecure. Once deployed, the software on these devices is rarely updated, especially the firmware, which is riddled with vulnerabilities. As a result, these devices remain vulnerable to attacks that could be easily prevented on other managed devices. Second, the use of default passwords and weak authentication procedures makes these devices easier to