Two researchers from Pen Test Partners turned the heat up a notch in the computer security industry by taking a smart thermostat hostage during the DEFCON conference on August 6.
Exploiting a bug in the Linux-based device, they took remote control of it over its Internet connection after getting the victim to install a third-party app that covertly drops ransomware.
An attacker can use this malware to pin the thermostat at its highest setting in summer and its lowest in winter, or simply lock the owner out of the device. The victim either pays the ransom or endures the extreme temperatures.
This educational demonstration shows that while enthusiasm for the Internet of Things (IoT) keeps growing, it is still accompanied by serious security flaws.
Beyond Home Automation: The IoT is a Real Risk to the Business World
A compromised IoT does not stop at home automation or, as in this scenario, at a thermostat used by a handful of people. On a broader scale, the risk of serious harm to the business world through a multitude of connected objects is latent, with potentially disastrous economic consequences.
The Future of the Industrial World
Numerous sectors of business operations will likely be affected by the rise of the IoT. At the same time, the IT/OT convergence that CISOs already have to manage makes the digital transformation of industry by the IoT even harder to keep under control. The CISO's role is becoming crucial in this IoT framework: the CISO is responsible for keeping installations running properly and for enabling the different IT, OT, and IoT services to work together.
The IoT: One Part Opportunity, One Part Threat for Production
While a thermostat is just one example of a connected object that could serve as a measuring sensor in industry, using the IoT in industrial settings has become as much an opportunity as a problem.
Indeed, companies see real benefit in using systems of connected objects to facilitate work on production lines. Connected devices can transmit a wealth of information to external clouds, where it can feed analyses aimed at optimizing processes or performing predictive maintenance. However, if a connected object is compromised, not only does the data it reports become worthless; more importantly, it gives attackers a foothold from which to take over industrial automatons (PLCs, programmable logic controllers).
The question is simple: how can we integrate connected objects into our systems so as to benefit from the new big-data capabilities while ensuring that they cannot disrupt the existing control systems?
The answer is simpler still: CISOs need to put in place principles of separation (network segmentation) between the existing control systems and these new industrial connected devices.
Dedicated Protection Against Industrial IoT Vulnerabilities
Solutions tailored to the industrial world, such as the SNi40 firewall from our Stormshield Network Security product line, help prevent a compromised connected object from becoming the attacker's stepping stone to other industrial automation devices.
With the SNi40 and the Stormshield Network Security products in place, an attacker who compromises a connected object cannot reach your automatons (PLCs). From a single administration console you control the incoming and outgoing flows between your company and your suppliers and/or data centers, and you can place the IoT, the PLCs, and IT on separate networks, with filter rules restricting what may reach the PLCs. Finally, our solutions perform protocol analyses (network audits) to verify that the network infrastructure is healthy.
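The segmentation described above, as an added example that is not code from the original page or from Stormshield's products: a small Python model of a default-deny, zone-based filter between the IoT, OT (PLC) and IT networks, with a read-only Modbus function-code check on the historian's path to the PLCs standing in for the protocol analysis mentioned above. The subnets, hosts, ports and sample flows are all constructed assumptions; the Modbus function codes (3/4 read registers, 6/16 write registers) and port 502 are the standard values. The flat ruleset is shown beside the segmented one so the difference in blast radius of a compromised thermostat is visible.

```python
"""Zone-based filtering between IoT, OT (PLC) and IT networks.

Added example, not code from the original page or from Stormshield: it models
the default-deny segmentation the text recommends and evaluates constructed
flows against it. All addresses, hosts and ports are assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import FrozenSet, Optional

# Constructed addressing plan: one subnet per zone (assumption).
ZONES = {
    "iot":   ip_network("10.30.0.0/24"),    # sensors, smart thermostats
    "ot":    ip_network("10.20.0.0/24"),    # PLCs and HMIs
    "it":    ip_network("10.10.0.0/24"),    # office and engineering stations
    "cloud": ip_network("203.0.113.0/24"),  # analytics collector (TEST-NET-3)
}

# Standard Modbus/TCP function codes: 3/4 read registers, 6/16 write them.
MODBUS_READ = frozenset({3, 4})
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    proto: str          # "tcp", "udp" or "any"
    dport: int
    comment: str
    # When set, only these Modbus function codes pass (payload inspection);
    # None means plain address/port filtering with no payload check.
    modbus_fcs: Optional[FrozenSet[int]] = None


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    modbus_fc: Optional[int] = None   # function code carried, if Modbus/TCP


# Weak setting: flat network, everything reaches everything.
FLAT_RULES = [Rule(ANY, ANY, "any", 0, "no segmentation")]

# Corrected setting: explicit allow-list; anything not listed is dropped.
SEGMENTED_RULES = [
    Rule(ZONES["iot"], ZONES["cloud"], "tcp", 8883,
         "sensors publish telemetry to the cloud collector (MQTT over TLS)"),
    Rule(ip_network("10.10.0.50/32"), ZONES["ot"], "tcp", 502,
         "historian polls PLC registers, read-only", MODBUS_READ),
    Rule(ip_network("10.10.0.10/32"), ZONES["ot"], "tcp", 502,
         "engineering workstation may program PLCs"),
]


def _matches(rule: Rule, src: IPv4Address, dst: IPv4Address, flow: Flow) -> bool:
    if src not in rule.src or dst not in rule.dst:
        return False
    if rule.proto != "any" and (rule.proto != flow.proto or rule.dport != flow.dport):
        return False
    return True


def evaluate(flow: Flow, rules) -> tuple:
    """Return ("accept" | "drop", reason). First matching rule wins; default deny."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    for rule in rules:
        if not _matches(rule, src, dst, flow):
            continue
        if (rule.modbus_fcs is not None and flow.modbus_fc is not None
                and flow.modbus_fc not in rule.modbus_fcs):
            return ("drop", f"Modbus function code {flow.modbus_fc} blocked: {rule.comment}")
        return ("accept", rule.comment)
    return ("drop", "default deny")


def reachable_zones(host: str, rules) -> set:
    """Zones a single (possibly compromised) host can open connections into."""
    src = ip_address(host)
    out = set()
    for rule in rules:
        if src not in rule.src:
            continue
        for name, net in ZONES.items():
            if net.overlaps(rule.dst):
                out.add(name)
    return out


THERMOSTAT = "10.30.0.7"   # the compromised connected object (constructed)
PLC = "10.20.0.11"         # a PLC on the OT network (constructed)

# Constructed sample flows, from the thermostat and from two IT hosts.
SAMPLE_FLOWS = [
    Flow(THERMOSTAT, "203.0.113.5", "tcp", 8883),       # telemetry to the cloud
    Flow(THERMOSTAT, PLC, "tcp", 502, modbus_fc=16),    # pivot: write to a PLC
    Flow("10.10.0.50", PLC, "tcp", 502, modbus_fc=3),   # historian read
    Flow("10.10.0.50", PLC, "tcp", 502, modbus_fc=16),  # historian trying to write
    Flow("10.10.0.10", PLC, "tcp", 502, modbus_fc=16),  # engineering station write
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        verdict, why = evaluate(flow, SEGMENTED_RULES)
        print(f"{flow.src:>12} -> {flow.dst:<12} {flow.proto}/{flow.dport} "
              f"fc={flow.modbus_fc}: {verdict} ({why})")
    print("thermostat reaches (flat):     ", sorted(reachable_zones(THERMOSTAT, FLAT_RULES)))
    print("thermostat reaches (segmented):", sorted(reachable_zones(THERMOSTAT, SEGMENTED_RULES)))
```

Two design points worth noticing: the IT-to-OT rules are written per host, not per zone, so an office PC in the same subnet as the engineering workstation still cannot open port 502 to a PLC; and the historian's rule keeps the Modbus port open while rejecting write function codes, which is the kind of check that port-only filtering cannot express. Under the flat ruleset the thermostat can reach all four zones; under the segmented one it reaches only the cloud collector.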