With our propensity to connect every gewgaw and curio in our lives to the internet, the attack surface and the vectors of cyber threats expand exponentially with each Consumer Electronics Show (CES). As the latest “smart” coffee maker, refrigerator, light bulb and doorknob – killing the expression “dumb as a doorknob” – are revealed to rapturous technophiles, many in the cybersecurity community are aghast. While the prospect of killer coffee makers, or of a doorknob that will not unlock or that opens at will, as was recently visited upon Airbnb hosts, is certainly frightening, the specter of small-scale internet of things (IoT) exploits pales in comparison to the risks posed by the internet of very big things.
Simply put, if there is a way for data feeds to get out of a device, sensor or control system, there is a way for infiltrators, viruses and ransomware to get in. Indeed, this digital backdoor is present across the IoT landscape, as well as in the third-party relationships of most organizations. In the most sophisticated cases, and this is where things get truly frightening, operating systems can be overcome, handing the reins to remote users who might have questionable motives for taking over your aircraft, navigation systems or fleet of vehicles. Indeed, this is one of the key risks to critical infrastructure, such as the electricity grid, water control systems and other industrial operating frameworks that often ride on antiquated and highly vulnerable software platforms. One of the principal vulnerabilities is that these systems are often not inoculated through software patches because they are digital Frankensteins, built on a patchwork of dated technology. If there are gaping holes in the retail and commercial software patching process – the likes of which enabled the WannaCry ransomware attack to spread to 150 countries in 3 days – the industrial software patch quilt is in complete tatters. The irony should not be lost that improving industrial software patching will itself require selective connectivity.