It's the Government, Man!
Government of Canada issues warnings about the Internet of Things Devices
I'm old enough to remember the Hippies of the 60's - although I was a bit young to really understand what was going on. It was a time when the Baby Boomers were into their teens and early 20s - and like most events in the Baby Boomers' lives, they made a big splash; some good, most bad. A popular mantra of the day was Timothy Leary's Turn On, Tune in, Drop Out - a counter-culture call-to-arms that blamed the establishment for just about everything. Another popular phrase was It's the Government, Man, a lament that excused the Baby-Boomer generation from any responsibility and blamed the government-of-the-day for all of its’ woes. The phrase is still popular today. So, before you Drop Out, here's the tie-in.
I've written about the Internet of Things (IoT) before. It's the popular adoption of SMART devices that have computer capabilities, but operate autonomously (without human interaction). There are thousands of types of these devices - from light bulbs to industrial controllers to security systems. It's expected there will be 50 billion IoT devices worldwide by 2025 - outnumbering the global population by 6 to 1. IoT devices actually have tiny computers built into them.
One of the major drawbacks to IoT devices is their inherent lack of Security. Thus, hackers can easily exploit holes in the software, to spread havoc. They can take control of the device, alter it's established function, cause physical damage to it, or gain access to the rest of the network the device is connected to; none of these are good outcomes. And once one device of a particular make and model is hacked, all of the same devices worldwide are potentially compromised. It could be millions of devices.
Our Cyber Security Supervisor, Karl Buckley, alerted us to one such potential hack of a PLC (Programmable Logic Controller), that has drawn the attention of the Canadian government. Public Safety Canada has issued a warning about a popular PLC made by Rockwell. This PLC is embedded in all sorts of industrial machinery. At one such client, the Water Treatment plant uses these controllers. I'm sure there are more in use throughout Alberta.
The full article is here, but it's not a user-friendly read unless you understand PLCs, UDP and TPC ports, and version-patching embedded firmware. However, the article - and it's warnings need to be taken seriously. I would suggest you pass the information on to anyone in your organization who is responsible for industrial maintenance. They can contact the manufacturer of their equipment to see if the Rockwell PLC is used. It could be in HVAC units, (water treatment) pumps and controllers, generators, industrial lighting systems, and many more. Fortunately, there are software fixes to mitigate the risk from this security hole.
But we need to think in the larger context of how to manage the influx of IoT devices into our homes and workplaces. These devices are coming and you won't be able to stop them. It's predicted that most devices will have some sort of technology component. In 5 years, you won't be able to buy non-SMART devices - just like it's almost impossible to buy regular incandescent light-bulbs today.
So the best approach is to plan for - and manage these devices. For your business (and related to the home), here are a few simple tips:
- Overall, plan to increase your Internet bandwidth and usage (data) caps by 15 to 20%.
- Where possible, inventory these items as they come into your facility.
- If they connect via WiFi (most do), provide a segregated WiFi network from your Private and Public-access WiFi networks.
- If they connect via a network cable, have your IT provider segregate the IoT network into a separate segment (called a VLAN).
- Open firewall ports that are required to run the devices, but no others.
- If you can possibly run the device in a non-SMART mode - and it won't affect your application or the device, use it. Check the instructions.
- For items that run critical infrastructure (ie: generators, pumps, HVAC), obtain the manufacturer's data sheets and contact information. If they have a website with product information, check it often to see if updates are available (often called firmware). It should become part of your preventative maintenance routine.
- If you have - or - are obtaining Cyber-Security insurance, make sure that the critical devices are listed on the policy.
I think the warning from Public Safety Canada is a very good thing; it's the Government, Man in a positive sense of the phrase. I hope it's the first of many.