We are wrapping up Cybersecurity Awareness Month at Bold Group! We hope we’ve been able to give you some understanding these past few weeks of the different types of threats that can harm your company and livelihood. As we finish up the month, we have a few more vignettes for you to consider:
- Ten years ago, Iranian nuclear scientists had no clue that their control room data feed was false. Everything looked normal on the surface while one IR-2 centrifuge after another violently self-destructed.
- The National Security Agency was allegedly working with its Israeli counterpart in 2007 to develop the “Stuxnet” worm that catalyzed chaos at the Iranian nuclear facility. At the same time, Russia was being implicated in fomenting unrest as Russian-Estonian residents clashed with their Estonian neighbors over the decision to relocate a Soviet-era war memorial. Russia is also accused of directing cyber attacks against Estonian government, financial, and business institutions at that time.
- In December 2015, electrical grid operators watched helplessly as hackers remotely took over Ukrainian distribution stations, ultimately leaving over 230,000 Ukrainians in the dark and cold of winter.
Cybersecurity Awareness Month is an opportunity to reenergize the topic with fresh insight and renewed rigor. The hacks referenced above were state-sponsored, highly sophisticated, and well-funded. While the Iranian and Ukrainian attacks highlight IoT vulnerabilities (more on that in a bit), the Estonian hack was meant to harm the government’s reputation. Collectively, they represent the sine qua non of an effective attack: vulnerability exploitation.
Our industry relies heavily upon information technology. Our life-safety mission cannot be fulfilled if the ability to relay signals between panels, central stations, and dispatchers is lost.
Our customers are also ever more dependent on information technology, particularly as they continue to adopt vulnerable smart home devices. And because central stations are connected to customers that rely on IoT devices, central stations are vulnerable.
IoT devices aren’t new. Before smart refrigerators could alert homeowners that their lettuce was wilted, there were Programmable Logic Controllers (PLCs) and Supervisory Control and Data Acquisition systems (SCADA). PLCs are simple industrial computers that control components of the manufacturing process, like centrifuges or robots, while SCADA systems provide high-level visibility and control of PLCs.
These systems have been a part of the manufacturing process for decades. They are inherently vulnerable to an attack because they were never designed with cybersecurity in mind. And because they were used at the Natanz Iranian nuclear facility, they were the perfect target for Stuxnet developers.
That was ten years ago. Today IoT devices are far more sophisticated in their capabilities, but just as vulnerable. For a good sense of general vulnerability, navigate to Shodan.io. It’s a powerful search engine that, unlike Google, doesn’t return webpage results; instead, it compiles the service banners of internet-connected devices (IoT). Entering the search term “webcamxp” will yield hundreds of webcam feeds.
The service banner results provide a cornucopia of information: operating systems, device make and model, web servers, etc. A middling hacker can use the search results to enumerate a target’s vulnerabilities and start upon a process of privilege escalation. Once privileges are exploited, the attacker can pivot and target as they please. It’s definitely easier than the NSA allegedly had it in attacking Natanz, and far more commonplace than you’d like.
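To see what your own devices give away in this manner, you can read their banners the same way. The following is an added example, not part of the original post: it parses an HTTP response banner and lists the software version, operating system, and device model it discloses. The sample banners, function names, and the set of headers and generic realm labels checked are assumptions constructed for illustration.

```python
import re

# Headers that commonly disclose software or device identity (illustrative set).
DISCLOSING_HEADERS = ("server", "x-powered-by", "www-authenticate")
# A product token followed by a version, e.g. "lighttpd/1.4.35".
VERSION_RE = re.compile(r"([A-Za-z][\w.+-]*)/(\d+(?:\.\d+)+)")
# Operating-system hints inside a parenthesised comment, e.g. "(Ubuntu)".
OS_RE = re.compile(r"\([^)]*?(Linux|Ubuntu|Debian|Windows|Win32|Unix)[^)]*\)", re.I)
REALM_RE = re.compile(r'realm="([^"]+)"', re.I)
# Realm labels that say nothing about the device (assumed list).
GENERIC_REALMS = {"restricted", "login", "protected"}

def parse_banner(raw):
    """Split a raw HTTP response banner into (status_line, {header: value})."""
    lines = raw.replace("\r\n", "\n").strip().split("\n")
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # a blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def audit_banner(raw):
    """Return sorted (kind, detail) findings for identity the banner leaks."""
    _, headers = parse_banner(raw)
    findings = set()
    for name in DISCLOSING_HEADERS:
        value = headers.get(name, "")
        for product, version in VERSION_RE.findall(value):
            findings.add(("software-version", f"{product} {version}"))
        for os_hint in OS_RE.findall(value):
            findings.add(("operating-system", os_hint))
        for realm in REALM_RE.findall(value):
            if realm.lower() not in GENERIC_REALMS:
                findings.add(("device-realm", realm))
    return sorted(findings)

# Constructed banner for a hypothetical camera; not captured from a real device.
SAMPLE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: ExampleCamHTTPd/2.1.4 (Linux)\r\n"
    'WWW-Authenticate: Basic realm="ExampleCam Model X100"\r\n'
    "Content-Length: 0\r\n\r\n"
)
# The same hypothetical device after its banner has been made generic.
HARDENED = 'HTTP/1.1 401 Unauthorized\r\nServer: httpd\r\nWWW-Authenticate: Basic realm="Restricted"\r\n\r\n'

if __name__ == "__main__":
    print(audit_banner(SAMPLE))
```

An empty result for a device's banner means none of these fields identify it; the device still needs patching and access control, since a quiet banner hides nothing from someone who probes further.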
It’s more than just taking control of unsecured webcams. If the attacker can access any vulnerability in your network, they have the potential to steal your data and ruin your reputation. Estonia recovered from their 2007 experience in fine form due to the immense support of the citizenry and NATO partners. Any entity that isn’t likewise superbly resourced will find repairing their reputation quite costly and challenging.
The best option? Do everything possible to prevent an attack in the first place. A good way to start is by implementing cybersecurity best practices. Train employees to recognize a phishing attempt. As phishing websites proliferate, configure your network so that it only accesses whitelisted sites. Tune your firewall and implement a viable intrusion detection/prevention system. If it all sounds expensive, there are excellent open-source options available, and with the advent of the virtual CISO, it’s up to the business owner to weigh and leverage ever more accommodating options.
At Bold Group, we provide cost-effective answers to all these dilemmas (including IoT vulnerability). Implemented properly, you can even provide Bold cybersecurity services to your customers. When everyone is secure, we all win. That’s Bold.