Last week I was back over in the Netherlands for TILTing Perspectives Conference 2017. Hosted by Tilburg University at their Institute for Law, Technology, and Society, this was a 3-day event with around 200 presenters, 8 parallel sessions, 6 keynotes etc. I was over there presenting a WiP paper with Derek McAuley on Cybersecurity Implications of the Industrial Internet of Things.
Security incidents like targeted distributed denial of service (DDoS) attacks on power grids and industrial control system (ICS) hacks in factories are set to increase as infrastructure becomes increasingly connected. The short paper looks at where emerging security threats might lie as the industrial IoT trend gathers pace, both from engineering and regulatory perspectives. Vulnerabilities and threats around the smart energy infrastructure are used to consider where risks might arise at different points in the energy supply chain, from exploration through to consumption.
‘The Digital Oilfield’ sees the integration of IoT into oil platforms, for example, to monitor the integrity and performance of operational components. This opens new threat vectors for advanced persistent threats (APTs) and cyber espionage. The variety of organisations operating on a platform, sharing infrastructure but seeking confidentiality in their operations, adds to the complexity of securing this domain. Understanding how to make IoT components on rigs secure but still usable for workers is an important element, to minimise risks to the safety or security of infrastructure arising from avoidable human error. Similarly, in a future of autonomous logistics, with oil tankers navigating the seas, new opportunities can emerge for GPS jamming or spoofing to enable remote piracy or ransomware attacks, where the consequences include environmental harm in addition to monetary loss. Perhaps most familiar are the challenges for IoT in the smart energy grid. Risks arise at many points in this supply chain such as in:
There are also regulatory changes afoot, with the EU Network and Information Security (NIS) Directive 2016 coming into effect at the same time as the GDPR in 2018. NIS brings in rules around securing critical infrastructure, including cloud platforms, and establishes notification and cooperation requirements for responding to cyber attacks (e.g. the role of member state computer emergency response teams). GDPR establishes obligations around personal data breach notifications, most relevant for domestic IoT/household energy management devices caught up in attacks. Balancing the growth of industrial IoT against the security threats and regulatory requirements is going to be a tall order. Overall, industrial IoT brings four security elements to the fore that need to be managed:
There is a working paper up on SSRN with more details, so any feedback on this is welcome!
Originally posted at https://lachlansresearch.com/2017/05/25/tilting-perspectives-2017/