The Shellshock bug has highlighted just how vulnerable the Internet of Things is to attack — but are manufacturers taking cyber threats seriously?
From health monitors to smart fridges, there is no getting away from the ‘Internet of Things’. Products are becoming mini-machines, responding in real time to their environment and sending data through huge global networks. The same technology is driving the ‘Industrial Internet’, with sensors embedded into equipment and accessed online. GE has described the trend as a ‘revolution’ and claims it could add $10 trillion to $15 trillion to global GDP.
But while the Internet of Things is sweeping the world, a bug known as ‘Shellshock’ has revealed just how vulnerable systems are to attack. Shellshock is a flaw in the code of a software program called Bash, which is installed on non-Windows systems such as Mac, Linux and Unix. In industry, Bash can be found in anything from CAD/CAM software to 3D printers. The flaw affects all Apple Mac computers, around half of all websites and many internet-connected products.
”‘It is already a case of ‘when’ you get breached, rather than ‘if’. Leaving this Bash hole open is just going to make it happen faster.
Prof Tim Watson
The bug could potentially allow hackers to gain control of an internet-enabled device. For instance, if a hacker slips a bad line of code into the Bash program, they could gain control of an internet-connected system, such as a machine tool or a piece of design software. They can then use this as a launchpad to hack every other device behind the same network firewall. Prof Tim Watson, director of the Cyber Security Centre at Warwick University, believes the discovery of Shellshock is a wake-up call to the industry.
‘For too long now, we’ve been putting up with poor-quality software with faults,’ he said. ‘But for quite a while, we’ve known some very simple techniques that can remove an awful lot of untrustworthiness around software issues.’ Watson’s Cyber Security Centre aims to provide best-practice information for people building and using software. Now that so many devices are connected, he says, businesses can’t afford not to take cyber security seriously.
After the Shellshock flaw was announced on 25 September, many major software manufacturers released patches to guard against possible attacks. Despite this, the US government rated the flaw as 10/10 for severity. ‘An effective measure would be to implement protective monitoring tools,’ said Ross Brewer, vice-president of LogRhythm. ‘It is already a case of ‘when’ you get breached, rather than ‘if’. Leaving this Bash hole open is just going to make it happen faster.’
”A lot of the time, one of the things that we see in system failure is something wonderfully described as “wimps”: well-intentioned but misguided people
Prof Tim Watson
But it’s not just malicious attacks industry needs to worry about — the problem runs much deeper. ‘A lot of the time, one of the things that we see in system failure is something wonderfully described as “wimps”: well-intentioned but misguided people,’ said Watson. ‘Either through misconfiguration or thinking that they are doing the right thing, “wimps” can end up putting software into a state that means it’s not working as it should.’
One example is the use of a process known as a ‘buffer overflow’. This is an anomaly in software that happens when writing data to a buffer. The data overruns the buffer’s boundary and overwrites adjacent memory. ‘Unfortunately, even though we’ve known about this for decades and decades, we can still find — today, last week, last year — software being written with no understanding of this buffer overflow attack and no protection against it,’ said Watson.
Earlier this year, for instance, buffer overflow problems caused patches to be issued for critical security flaws in production control system software built by Yokogawa Electric. In March, the company also found and highlighted vulnerabilities in the Yokogawa Centum CS3000 Windows-based production control system used in industries such as oil refinery and iron and steel manufacturing. Approximately 7,600 plants around the world were using the vulnerable software.
At the time of the incident, Billy Rios, a security researcher at Qualys, pointed out that security of software, such as iTunes, is much more robust than the software supporting critical infrastructure. ‘The software that manufacturers rely on is core to the problem and the solution to increased security and compliance challenges,’ said Tony Caine, vice-president of HP Enterprise Security Products. ‘Our recent research into the Internet of Things found that 60 per cent of devices did not use encryption when downloading software updates.’
Caine added that software, whether in an industry setting or in everyday products, is inherently insecure. The best way to defend against these vulnerabilities, he says, is improved testing of software to find bugs before lines of code are put into production. ‘If you correct the issues that you’ve got and build in the security rather than trying to bolt it on in at the end, you end up making real-world savings,’ added Watson.
As software engineers race against hackers to find security flaws, experts claim the greatest innovation needed is a change in attitude towards cyber security. ‘There is no silver-bullet solution,’ said Caine. ‘Companies generally spend the majority of their security budget on protecting the perimeter, but they need to re-examine how they distribute their resources in order to be most effective.’
Supply chain security
As well as internal issues, manufacturers face the security risk of an extended supply chain. If supply chain users have access to a manufacturer’s IT resources, they can become ‘privileged users’ with rights to sensitive information.
HP research into privileged user security found that these individuals often use their rights inappropriately. According to 64 per cent of respondents, privileged users believe they are allowed to access all the information they can view and a similar percentage say privileged users access sensitive or confidential data because of their curiosity.
‘As much as you can, you should apply the principle of least privilege to ensure that users and processes have the minimum privileges required to perform their functions and no more,’ said Tony Caine, vice-president of HP Enterprise Security Products. ‘For example, limit which users are able to download and run software. Technologies that automate access authorisation, review and certification will limit the risk of human error and negligence.