Nagan Research Group LLC

Internet of Things


A primer on cyber exposures arising from IoT devices

Background The economic advantages that accrue when a piece of equipment is connected to the Internet can be very large. The connection can be used to monitor performance, get real-time alerts when issues arise, learn when preventative maintenance is appropriate and schedule activity to meet demand. These are only a few of the benefits. Needless to say, these benefits have led to a rapid embrace of Internet connectivity.

Remember that this connectivity implies that the device will have a computer chip, memory, perhaps a hard drive, a control panel and access to a network and then to the Internet. In other words, it is a system.

Unfortunately, this has also led to implementations that, in many cases, ignore or minimize security considerations. The implementations are also not based on common standards. Although efforts are underway to create standards, they are neither fully accepted nor implemented, leaving most organizations to do their own thing. Combine this with the fact that the connectivity is located in operational units, which are focused on the effective operation of their unit and do not understand, or share, the potential risks associated with providing an access window for the bad guys into the larger organization.

Implications This creates a situation where an organization could have many exposures that it is unaware of, each of which could create havoc within the organization. Mitigating this is the fact, mentioned above, that there are no common standards, so using a device as an access point requires knowledge of the specifics involved with that device and then developing ways to use it for nefarious purposes. This is far more laborious, and less cost efficient, than developing PC malware that can be leveraged across the millions of PCs currently connected.

However, a bad guy does not have to control an entire system to cause trouble, just compromise a key element. For example, think of the havoc that could be created by a blackmailer disabling elevator motors in a modern building, or stopping the water pumps. There are many choke points in modern life, so a budding extortionist need only find one of these choke points to totally disrupt an organization's ability to function.

What to do? At this time there is no silver bullet, but the prudent organization should consider the following steps.

First, determine what devices and systems are present in their organization that are connected to the Internet including:

Building control systems - HVAC, UPS, electrical distribution, lighting systems, elevators, or similar systems.

Process control systems - manufacturing lines, machine tools, chemical processes, ovens, and the like.

Automated warehousing/distribution systems - automated picking conveyor systems, loading and unloading systems and equipment such as forklifts, or similar systems.

Automated building services - including those that process maintenance requests and tracking, manage building control systems, schedule building resources, manage visitor traffic, or the like.

Miscellaneous equipment or devices - such as phone systems, office copiers, fax machines, scanners, communication systems, intercoms, or like devices.

Then, determine whether the equipment or devices have security in place so that they can only be used by authorized personnel and are protected from unauthorized usage. If it does not exist, determine how to get that security implemented. If this is not done, you are leaving an open door for the predators to exploit.

Once the devices are known and secure, conduct audits and testing on a regular basis to verify that the operation and security of the equipment, devices and systems are working correctly.

If you would like to know more or to discuss drop us an email at with the subject IoT cyber exposures.


2016 All rights reserved Nagan Research Group LLC