IoT and Cyber Attacks

According to Gartner’s estimate, in 2016,  there are  6.4 billion IoT devices connected to the Internet. Most of these devices do not take into account the Cyber Attack vulnerabilities they create at the locations where they are installed, nor the use of these devices as platforms for Cyber Attacks on the Internet. The attacks on DNS servers by IoT devices in late 2016 which shut down the Internet in the North East USA is an example. Another example is the use of the  HVAC system  at Target to gain access to customer credit card information.

Admiral Michael Rogers, head of the NSA and the US Cyber Command, has told delegates during his keynote address at RSA 2016 the three things that keep him awake at night.

We agree with Admiral Rogers on these 3 important points. See his remarks at RSA 2016

1. His first fear is an online attack against US critical infrastructure, which he said was ” a matter of when it will happen, not if”.

We believe that tank gauge communications systems have been compromised and there is no way to detect or remove infections. When these infections go active, there will be no time to for defense.

2. Data tampering. “We’re used to data being stolen, he said, or even deleted as in the case of Sony. But if data has been subtly altered rather than stolen, then the results could be severe”.

We agree that the real damage is data tampering.

Imagine simple random tampering with tank gauge settings so that full tanks are reported as empty, and empty tanks as full. Trucks will be trying to fill full tanks and empty stations would not get loads. A logistics nightmare. Then imagine if the random tampering was randomly removed. Tank gauges do not have audit trails. The incidents would be thought of as gauge problems creating a flood of service calls.

Imagine the tank gauge leak detection falsely reporting leaking tanks and ignoring real leaks and water infiltration. Then working perfectly a day later when technicians are looking for the problem.

3. His third nightmare was down to the actions of non-state terrorist groups changing their use of online resources. At the moment, such groups are using the internet to recruit members, raise funds, and distribute propaganda. But if they go on the offensive against a country, the results are going to be grim.

“What happens when they use cyber for destruction?” he asked. “These groups are not interested in maintaining the status quo, but in tearing it down.”

We know that the tools to attack tank gauge monitoring systems are readily available to non-state terrorist groups, and simple hackers. Its not if but when they will be activated.

 

HD Moore of Rapid7 who worked with Jack Chadowitz, Kachoolie founder, in January 2015 to report tank gauge vulnerability published an article on “Serial Offenders”, IoT devices that include tank gauges. Click here to see the article.

An article on subsequent attacks on tank gauges in January 2015 can be found in Security Intelligence.
Contact us to receive a copy of the paper presented by Jack Chadowitz at the Atlanta 2015 ICS CyberTech conference on gas station vulnerabilities. These vulnerabilities exist even if the tank gauges  are protected as suggested by the Veeder Root Company. Veeder Root ATG Security.