TILTing Perspectives 2017

Last week I was back over in the Netherlands for TILTing Perspectives Conference 2017. Hosted by Tilburg University at their Institute for Law, Technology, and Society, this was a 3-day event with around 200 presenters, 8 parallel sessions, 6 keynotes etc. I was over there presenting a WiP paper with Derek McAuley on Cybersecurity Implications of the Industrial Internet of Things.

Security incidents like targeted distributed denial of service (DDoS) attacks on power grids and industrial control system (ICS) hacks in factories are set to increase as infrastructure becomes increasingly connected. The short paper looks at where emerging security threats might lie as the industrial IoT trend gathers pace, both from engineering and regulatory perspectives. Vulnerabilities and threats around the smart energy infrastructure are used to consider where risks might arise at different points in the energy supply chain, from exploration through to consumption.

hacker-2300772_1920The Digital Oilfield‘ sees the integration of IoT into oil platforms, for example, to monitor integrity and performance of operational components. This opens new threat vectors for advanced persistent threats (APTs) and cyber espionage. The variety of organisations operating on a platform, sharing infrastructure but seeking confidentiality in their operations adds to the complexity of securing this domain.  Understanding how to make IoT components on rigs that are secure, but usable for workers is an important element, to minimise risks to safety or security of infrastructure through avoidable human error. Similarly, in a future of autonomous logistics, with oil tankers navigating the seas, new opportunities can emerge for GPS jamming or spoofing to enable remote piracy or ransomware attacks where the consequences are the environmental harm in addition to monetary loss. Perhaps most familiar are the challenges for IoT in the smart energy grid. Risks arise at many points in this supply chain such as in:

  • Energy generation with the hacking of industrial control systems in power plants.
  • Energy transmission /distribution across the power grid with DDoS attacks causing blackouts and knock on effects for services relying on power (hospitals, transportation etc).
  • Energy consumption where insecure domestic IoT devices can become parts of cybercrime infrastructure, particularly botnets and be used to leverage attacks against critical infrastructure (e.g. Mirai; Persirai; Hajime). The use of software agents to help manage dynamic energy tariffs on behalf of users (to enable peak levelling on the grid) is another emerging domain to consider threats to end users.

oil-rig-2205542_1920There are also regulatory changes afoot, with the EU Network and Information Security (NIS) Directive 2016 coming into effect at the same time as the GDPR in 2018. NIS brings in rules around securing critical infrastructure, including cloud platforms and establishes notification and cooperation requirements for responding to cyber attacks (e.g. role of member state computer emergency response teams). GDPR establishes obligations around personal data breach notifications, most relevant for domestic IoT/household energy management devices caught up in attacks. Balancing the growth of Industrial-IoT against the security threats and regulatory requirements is going to be a tall order. power-plant-2259713_1920Overall, industrial IoT brings four security elements to the fore that need to be managed:

  • Anticipating risks from bringing infrastructure online when it is ordinarily offline.
  • Managing infrastructural complexity where critical systems interact and share dependencies in ways that make it difficult to anticipate both threats and knock on effects of attacks.
  • Temporal dimensions of security, particularly how IoT risks are managed over the life cycle of systems, subject to organisational change, loss of IT support for platforms etc.
  • The implementation gap around best practice where standards for security in Industrial IoT are still emerging, and once settled, will still take some time to be actioned.

There is a working paper up on SSRN with more details, so any feedback on this is welcome!