The flexibility that allows an authorised user access to this data and control can also potentially give an unauthorised user a backdoor. A backdoor that can be used to install a ransomware.

Ransomware is malware that is designed to infiltrate your computer and encrypt all data before you notice anything, in order to demand a ransom in exchange for unlocking the data. What makes their exploit work is when data on a computer is valuable and has not been backed up, giving hackers bargaining power over their victims. Just keeping an updated back-up can thwart attacks and make it less worthwhile for the attacker to invest their time. 2016 has been the year of ransomware; there are multiple exploits available that have been infecting not just individual computers but also businesses, and even hospital systems. Some US hospitals are reported to have paid the ransom to get access to patient data. A recent freedom of data request found that the NHS has a good defence strategy. Of the 28 NHS trusts that were infected, none paid the ransom nor lost any data.

Figure 1 Overall Ransomware Infections by Month from January 2015 to April 2016

Now, IoT devices do not hold much data themselves for them to be worthwhile paying a ransom to unlock, but they do have access to real-world systems; be that locks on the door or assets on the production line. This has a potential to do far more damage than just locking some data. The increased potential for damage also increases the financial risk for the asset owner and “potential” reward for the attacker. The attacker’s success hangs on the cost of disruption being significantly greater than their asking price – the ransom amount.

The production line is stopping or the power station is going out! Would you pay to prevent it? And at what cost?

Of course, you could just reset the infected device to return to normal operation, but the value in IoT ransomware exploit lies in the disruption it can cause. The attackers are counting on the downtime being more expensive than the ransom. In April of 2015, a group of hackers used malicious software to target France’s TV5 with the intention to destroy the television network’s system. They managed to take 12 channels off-air. Luckily for TV5, they had technicians onsite who were working to launch a new channel that day. They were able to respond in time to limit the attack by isolating the machine under attack and cutting off its internet connection. The station came within hours of losing its broadcasting contract since they were off-air for so long.

Would it be better to pay the attacker to stop at this point and potentially increase chances of a repeat attack by rewarding them? 

Or do we say no and hope to find a solution before the damage is too extensive?

This was not a ransomware attack nor were any demands made for money; in fact, the motives remain unknown. But it demonstrates the potential of damage a cyber attack can cause by taking a system offline for a substantial amount of time. 

This is not to say we should avoid moving towards an interconnected world. The advances and efficiencies are going to be truly revolutionary. However, we must proceed with caution, taking security seriously every step of the way. Communication protocols need to be secure. IoT security needs to be part of the design process and not an afterthought. Not having these weak default passwords is the very first step. We need systems that can discover and patch vulnerabilities on the fly, not through recalling millions of devices back just to patch them as in the case of Fiat’s Jeep Cherokee hack. IoT manufacturers need to have robust processes in place to deal with an attack.

There is no stopping the move towards Industry 4.0. Only by thinking about security now, can we truly benefit from the advances it brings… you know, instead of bunkering down after a breach.

If you’d like more information or have a project in mind please get in touch :-)

This post originally appeared on www.hssmi.org