My Peer to Peer “IoT & SCADA: Lessons Learned and Case Studies” was standing room only with a line out the door waiting to get in. We had a mix of attendees with varying degrees of technical depth.
We discussed some of the previous SCADA and Internet attacks such as Stuxnet and Mirai and looked at a hypothetical company that experienced two cyber incidents. The cyber incidents were created to offer insight into possible attackers, their motives and potential legal consequences.
Interestingly, the focus of our case study discussions was on the legal aspects associated with IoT. Liability, data privacy, data ownership, and intellectual property issues are the chief legal concerns with IoT at the moment.
We noted quite a few lessons learned:
- Security is an afterthought
- Cost pressures may overrule security considerations
- Not all attacks are motivated by money
- Malware injection can be local or remote
- Attacks can be highly focused (Stuxnet) or broad
- Standards are few or lacking
- IoT Hardware is globally manufactured
- Offshore manufacturers are cost driven
- Users may have no control over their hardware or its security
- Attackers range from individuals to nations and everything in between
There was quite a debate about what can be done to minimize IoT security risks. One proposed solution was an “Underwriters Laboratories”-like approach whereby an independent laboratory would validate the security of imported devices that would be connected to the Internet.
Attendees realized that the IoT is like the Wild West. There is no law and order, and organizations need to be alert to the potential hazards of IoT-connected devices at home and at work.