Sun. Aug 9th, 2020

TerabitWeb Blog

Fascinating Technology and Security Information

Failure to secure IoT networks has far-reaching consequences, and transportation is a bullseye target


Original Post from SC Magazine
Author: Doug Olenick

In 2017, millions of moviegoers flocked to theaters for the eighth Fast and Furious movie, where they watched a villainous Charlize Theron take control of hundreds of self-driving cars. Whether they knew it or not, this was many viewers’ first exposure to the idea of a transportation-based cyberattack. And while this specific scenario is not likely to happen, the danger of cyberattacks against connected vehicles is very real—and the movie isn’t as far from reality as you might think.

Recent reports estimate that 250 million IoT-enabled vehicles will be on the road by 2020 as demand for tools like smart driving assistance, car monitoring and geolocation services, predictive maintenance, improved fleet management, and more continues to rise. Although these tools offer both consumers and businesses exciting new conveniences, millions of connected vehicles means millions of new targets for cyberattacks. The 2019 SonicWall Cyber Threat Report indicated that 32.7 million cyberattacks targeting IoT devices occurred in 2018—a 217.5% increase over 2017—and the transportation industry’s race to embrace connected technology unfortunately makes it an attractive target.

Transportation: a valuable, vulnerable target

Many traffic lights, road sensors, mass transit systems, and many more transportation systems and devices are connected to the network today. For this reason, transportation is rated by Gallagher as the third-most-vulnerable industry to cyberattack, and as partially or fully autonomous vehicles continue to hit the market, the potential consequences of an attack grow more serious.

As far back as 2015, hackers demonstrated their ability to remotely shut down a vehicle driving on the highway, using a vulnerability affecting Jeep Cherokees. In a controlled experiment, the hackers were able to remotely change the radio station, blast the air conditioner, turn on the windshield wipers, and even affect speed and steering—a terrifying prospect for a vehicle in motion. Less benevolent hackers could easily have used the same exploit to cause serious injury or even death.

These hackers are not alone. In 2016 and 2017, Chinese security researchers took control of a Tesla vehicle, gaining a similar level of control to the Jeep hackers and proving that the problem is more widespread than the industry would like to admit. Electric cars represent a particularly concerning target, considering the amount of software controlling energy use and distribution required for use. Malware introduced into the energy regulation systems of a fleet of electric cars could have potentially explosive results. This, in turn, makes these vehicles a lucrative target for ransomware attacks.

Russian hackers have taken a different (but no less concerning) approach, hacking into GPS and GNSS systems to display incorrect information to drivers and operators. While a malfunctioning GPS in a car may seem like a minor inconvenience, accurate location information is essential for self-driving vehicles, and a significant disruption of location services has the potential to disable vehicles or cause serious, life-threatening accidents. The rise of 5G is cause for concern in this area, as security experts grapple with how to secure the emerging network. The ability to locate and communicate with each other is essential for self-driving vehicles, and leaving the network they will use to do so unsecured leaves the door wide open for hackers to cause untold damage.

The risks are not limited to ground transportation. Pilots, too, require accurate and reliable geolocation services, and a hacked GPS could spell disaster for entire fleets of planes. It doesn’t stop there. In May of this year, researchers used commercially available radios to hack the landing system of a commercial jet, sending incorrect information to the instrument panel to make the pilot falsely believe the plane was off course. For pilots relying on their instruments for detailed and accurate information—especially in low-visibility situations—this type of exploit could spell literal doom. Imagine a pilot lining up a perfect landing, only to realize, when the plane dips below the clouds, that he or she is miles from where the GPS indicated. Air travel requires precise coordination, and this type of disruption can lead to disasters ranging from inconvenient delays to crashes, or even mid-air collisions.

Large-scale attacks have the potential to cause widespread damage

Attacks don’t have to result in loss of life to have significant and widespread economic impact, and the transportation industry is vulnerable to this sort of macro-scale attack. One such incursion has already proven capable of grinding global corporations to a halt, costing millions—if not billions—of dollars in damages. In 2016, A.P. Moller-Maersk, the world’s largest shipping company, was hit by the Petya cyberattack. The Danish company operates a fleet of 600 ships and owns roughly 16 percent market share of worldwide shipping, including 25 percent of all containers shipped on the Asia-Europe route.

The ransomware attack took down servers throughout Europe and India, affecting areas of the company including container shipping, port and boat operations, drilling services, and oil tankers. A.P. Moller-Maersk had to shut down operations at multiple ports, resulting in a loss of $200-$300 million. Petya and the related “NotPetya” attack caused billions of dollars in total damage across Europe, Asia, and the Americas. Although the attack was not directly caused by IoT systems, experts routinely cite it as the type of attack that the industry is likely to see more of as the proliferation of connected devices provides enticing new attack surfaces.

What we’re doing now, and what we should be doing in the future

The widespread vulnerability of IoT networks is a serious concern, but organizations are slowly beginning to recognize the issue and devote resources to solving it. A 2017 report by ABI Research found that roadways will account for $5 billion in cybersecurity spending by 2022, with another $3.9 billion from aviation. A Forrester report from 2018 indicated that 89% of companies viewed increasing their security and privacy capabilities as a high or moderate priority. Unfortunately, while the establishment of larger security teams more capable of responding to the massive volume of threat alerts received is a great start, it fails to address the underlying problem.

Ultimately, it is up to manufacturers, developers, and users to establish effective security protocols, such as securing an organization’s network using a trusted third-party PKI capable of authenticating large numbers of IoT devices and effectively managing their lifecycles. Certificates capable of verifying the identity of the user are an essential part of establishing a safer network. The AeroMACS ecosystem already uses public key infrastructure (PKI) certificates as a part of the security process, requiring them on every connected device—making this a global aviation standard. For car manufacturers and others in the transportation industry, this represents a strong example to follow.

IoT devices must be hardened against cyberattacks. They must include “secure boot” to validate that firmware is authentic, secure key storage to protect private keys, and encryption of sensitive data stored on the device. Communication gateways, including gateway electronic control units (ECUs) in automobiles, require a built-in firewall to protect against network-based attacks.

Researchers at TM Forum have stated that there is no “endgame” for protecting connected devices. Instead, organizations must continue to adapt their business models, market expectations, and technical capabilities as their circumstances change. Managing software updates, patching vulnerabilities, and adhering to established security procedures such as changing default passwords and strictly managing access control are essential parts of the solution.

But bigger strides are needed. It’s great news that some forward-thinking organizations are taking the issue of vulnerable IoT networks seriously, but throwing money at the problem is not enough. Manufacturers, developers, and users alike must be prepared to do their part to build and use effective security solutions. By working together to establish stronger industry standards, we can build a safer today and tomorrow.

Damon Kachur serves as VP of IoT for Sectigo,

The post Failure to secure IoT networks has far-reaching consequences, and transportation is a bullseye target appeared first on SC Media.

