Sep 3, 2021
by Mollie Breen
Every new cybersecurity attack and vulnerability pushes the boundary on what we originally thought possible within the cybersecurity industry. Perhaps a couple of years ago, a complete shutdown of a pipeline would have seemed improbable. Today, the materialization of that threat sheds light on the direction of vulnerabilities (and precautions that need to be taken) to come. We are not at the end, but at the beginning of a series of hacks on operational technology and regulations that are designed to stop them.
In 2021, we are reaching a new inflection point with every new business process including an element of the internet of things (“IoT”). It is a worth a step back about what we can learn from past and future hacks to tell us about the next wave of industry response.
In 2016, the Mirai botnet took down popular websites including Amazon, Github, and Netflix. This became the catalyst for government action. While Mirai may have accelerated government action, it was not the first IoT hack, and it is worth looking back at what events led up to this moment.
The first major IoT hack was discovered in 2010 when the PLCs connected to Iran’s centrifuges were infected with a computer worm. This hack is known today by Stuxnet and caused substantial damage to the Iranian nuclear program. If Mirai’s impact years later is remembered for how loud it was and its effect on so many consumers, Stuxnet is remembered for the subtle and persistent changes it had on the Iranian network.
It would take at least two more major attacks before the government responsed: Target in 2013 and Ukraine in December in 2015. During the Target breach, hackers opened a back door into Target's network by accessing its HVAC system and located the Point of Sale system. Hackers stole more than 40 million customer’s credit card information, Target lost $252M in class action lawsuits, and their profits fell by 46%. In Ukraine, more than 230,000 residents were left without power as a result of an attack on the power grid.
The Mirai botnet in October of 2016 was the ultimate catalyst that put IoT and OT regulation on the map. At the attack’s peak, Mirai infected more than 600,000 vulnerable devices. Government responded with the first major set of measures for IoT just a month later in November. Publications from agencies including the Department of Homeland Security, Department of Defense, and National Institute of Standards and Technology (NIST) laid out varying best practices and recommendations. Shortly thereafter, a bill was introduced in Congress in 2017 that centralized IoT authority to NIST and was ultimately passed in December 2020.
The passage of the Internet of Things Cybersecurity Improvement Act in 2020 moved the industry forward by requiring device vendors to self-report cybersecurity issues, required the federal government to procure IoT devices using NIST standard, and clarified that NIST was the lead organization to set standards and to update IoT standards. This is and was an important step to setting a baseline of minimal security within the government and could have prevented or led to earlier detection of the hacks of the last decade. However, it didn’t go far enough to look at the broader system and infrastructure devices are a part of.
Colonial Pipeline in May of 2021 marked the first time that a public infrastructure hack made major news within the US. While the impact of the hack will continue to be analyzed, we know the disruption to the pipeline went far beyond the $4.4M ransom paid to DarkSide. Just like with IoT hacks of the past decade, the White House announced the Improving the Nation’s Infrastructure Executive Order. The recommendations included encouraging the adoption of zero-trust frameworks and having crisis response plans in place. This went further than the Bill passed just 6 months prior by looking at the impact of OT as greater than the sum of its parts. The executive order put operational technology in the context of critical infrastructure in the federal government, and across the country, and what’s next is putting it into the context of the entire enterprise.
While additional hacks may not be in the news at the moment, they certainly haven’t stopped. 53% of manufacturers says they have been hacked at least once in the past 12 to 24 months. The next chapter of major hacks will not solely take advantage of just the device or a critical system but take into account the interconnectedness of the business as a whole. What’s changing about the next decade is that every major new business process will include an element of IoT which opens up opportunities for even more sophisticated attacks with bigger impacts. As Information Technology “IT” and OT is more intertwined with every new process, it is not enough to secure one half or the other--or even the intersection-- it’s important to think about how to have security underpin the two.