On October 21st 2016 we saw one of the largest cyber attacks in history. The Distributed Denial of Service (DDoS) attack, which brought down some of the internet’s largest sites, used internet of things (IoT) enabled devices, such as video surveillance cameras and printers, to overwhelm the popular DNS service provider Dyn.
The nature of the attack has brought up important questions about the vulnerabilities being created by poor security protocols on the IoT’s edge devices. The worry is that the billions of “things” now being connected can be used as ammunition to barrage and overwhelm important sites or core digital infrastructure.
This week Memoori spoke with Ron Victor, the Founder & CEO of ioTium, about the October 21st attack, vulnerabilities of the IoT and his company’s pragmatic approach to cyber security in our increasingly connected world.
“Anything that is based on usernames and passwords is compromisable,” Victor said. “That is why we do not believe in usernames and passwords, we focus instead on routing and security”.
IoTium’s approach accepts the fact that anything that can be hacked, will be hacked, “it’s just a matter of time,” states Victor. The problem, he points out, is that we are connecting “things” that were never meant to be connected, referring to legacy systems that are being brought online under the auspices of the IoT.
The IoT demands that everything be connected to bring about all the benefits of real-time data analytics and big data’s predictive capabilities. Victor uses the example of locomotives that routinely pull into the yard for inspection and potentially maintenance. As it stands, the train will be met by a technician who will plug their laptop into the on-board system to inspect and test it. Through the IoT, that locomotive will constantly transmit data to the cloud, meaning the central system will now tell the train when it needs to go to the yard, creating efficiency.
However, this creates exposed networks that hackers could potentially use to not only attack the locomotive but to gain access to the entire rail network and cause widespread damage. If “anything that can be hacked will be hacked” then the thought of connecting vital infrastructure such as the rail network or the power grid seems absurd. Unless, of course, the system can be made secure.
“You need a secure network infrastructure to be able to protect against hacks, and that’s where we come in,” says Victor. He is not talking about making the system hack proof however; instead, Victor and his team at IoTium take a more pragmatic approach to protecting IoT rich systems using a virtual overlay network.
“Legacy devices are out there, they have limited security capability and were never meant to be connected. If it has a username and password, all that compromisable stuff, it will be hacked. By using our virtual overlay network we can connect anything and guarantee security from the source, simply by guaranteeing that each data stream will be isolated.”
IoTium promotes a horizontal architecture, which can seemingly be used in any industrial internet of things (IIoT) vertical. It is able to collect data from any legacy systems and push it, creating an architecture where you can securely push services to the edge. They have abstracted out the physical network layer, the carrier layer, the security layer and the OT protocol layer – “addressing and managing the convergence of the OT network with the IT network through a single pane of glass”.
Victor explains that “this is built on the premise that we are all going to get hacked. It’s not if we get hacked; we will be hacked. So if you build a system with that premise, then you protect the system by trying to isolate every component.”
During the October 21st attack, hackers easily accessed a huge network of IoT devices, infected them with malware to form what is known as a “botnet,” then synchronized their requests to barrage a specific server with a massive amount of traffic until it collapsed under the strain. Using IoTium’s approach, these devices, be they cameras or toasters, would still be compromised, but the hack wouldn’t be able to penetrate further than that single data stream.
The ‘traditional,’ and only other, route to achieving this level of security is a manual one, Victor asserts: essentially sending a truck to every security camera, for example, to install a firewall, assign a username and password, and so on. That would require an army of people, considerable time and money, and would still leave a lot of vulnerabilities.
Furthermore, once this manual system gets deployed at the edge it is going to be sitting there for 5-10 years. Within that time new software will come out and our digital age demands the ability to keep upgrading and updating on the fly, potentially for 10,000 buildings, 200,000 lampposts, or one million machines.
Victor suggests we consider the oil rig, which collects sensitive data from legacy devices of Halliburton, Schlumberger, Rockwell or Emerson, sending it all to the cloud. “This data used to be flown out by helicopter because we didn’t want to risk connecting it. That is no longer going to work in the world that we live in, now it must be connected, but now we need a secure architecture that is going to take all these legacy systems and connect them securely to wherever their data is supposed to go.”
Looking forward, Victor thinks that while we will become progressively more secure, it doesn’t mean that hacks will not happen. He expects increasingly sophisticated hackers will continue to use cyber attacks to try to bring things down, often using these inherent vulnerabilities of the IoT and our connected legacy devices.
“We need an infrastructure that anticipates and accepts that these attacks are going to happen. We can no longer think it may happen, when the reality is that it is going to happen. And if it is going to happen, then we need to isolate the s**t out of it”.