Our contribution to global IoT security

February 16, 2018

As long as your network consists of just servers and workstations, cybersecurity solutions can take care of their protection. However, the Internet of Things (IoT) is completely different. The industry as a whole lacks standardization, leaving developers free to ignore security. As a result, IoT devices frequently contain vulnerabilities or loose ends. Furthermore, in many cases they are misconfigured or accessible from the Internet. That’s bad enough in office or home IoT devices — but the industrial Internet of Things is not much more secure.

Case in point

Examples are all around us. You can read about one recent discovery on Securelist: “Gas is too expensive? Let’s make it cheap!” Ido Naor, a senior security researcher on our Global Research and Analysis Team, along with his colleague Amihai Neiderman from Azimuth Security, published an investigation into vulnerabilities in an automation device for a gas station. The device was directly connected to the Internet and was responsible for managing every component of the station, including fuel dispensers and payment terminals.

More alarming, the device’s Web interface was accessible with default credentials. The researchers dug deeper into the device software code and found ways to shut down all fueling systems, cause fuel leakage, change the fueling price, circumvent the payment terminal (to steal money), scrape vehicle license plates and driver identities, execute code on the controller unit, and even move freely within the gas station network.

They reported the vulnerabilities they found to the device manufacturer, and to MITRE to reserve CVEs. There is no evidence that any malefactors tried to exploit those vulnerabilities in any way before white hats discovered them. However, looking at statistics on the incidents with the most severe financial impact, we can see that incidents involving connected devices that aren’t computers are in the top three, with average per-incident damage of $114,000.

Answer to the problem

The need for IoT cybersecurity standards is clear. Standards bodies will need to classify IoT security issues, examine potential threats, and determine how cybersecurity measures can support the safe execution of IoT system tasks. Recommendation ITU-T Y.4806, “Security capabilities supporting safety of the Internet of Things,” developed by Study Group 20 of the ITU-T (International Telecommunication Union — Telecommunication sector) is an answer to this demand.

Kaspersky Lab, as a member of ITU-T Study Group 20, was one of the key contributors to the development of Recommendation ITU-T Y.4806. Our experts at Kaspersky Lab ICS CERT shared their expertise and developed a list of points that can help to establish a reliable level of protection in practice. You can find them, as well as other recommendations, in Recommendation ITU-T Y.4806.

Recommendation ITU-T Y.4806 is applicable mostly to safety-critical IoT systems such as industrial automation, automotive systems, transportation, smart cities, and wearable and standalone medical devices.