Pekka Sillanpää, CTO, Tosibox
How to build and use devices securely, so that they are protected by default against the typical threats in the field? How to make connectivity transparent enough for anyone to verify it at any time? Or simple enough to use, in order to prevent security weaknesses in configurations? These are all relevant questions for organizations dealing with the world of IoT.
We are moving towards an era where everything will be digitalized. This means a lot for our everyday living. We are no longer just dependent on computers – they surround us and control everything that makes life possible on this planet. All these “things” are connected through the internet so that we can communicate with them from anywhere – forming the Internet of Things (IoT), or more practically; the Internet of Everything (IoE). Many of these things were originally designed to work in strictly isolated environments, but that is no longer the reality.
In this world, it is crucial that communication works at all times, and only the right people can control and communicate with things. To ensure the access is possible for authorized parties only, the security of these connected things must be on an appropriate level. However, too often we can see that these devices and networks are too weak; it’s easy for malicious parties take control of them without permission, which has happened a lot during the past years.
The people who created and configured these things were not aware of all the threats or risks they took, and therefore they couldn’t protect against them – also testing the security of hardware is rather time consuming.
Information security sometimes resembles the butterfly effect familiar from chaos theory. According to this popular and inventive theory, one flapping of the wings of a butterfly, say, in the United States, could start a tsunami in Japan. Similarly, in the world of cyber security, one wrong click can lead to a catastrophic disaster.
One of the most gruesome examples is the Danish multipurpose company Maersk’s experience with the ransomware Petya. This malware spread into the internal network of Maersk’s headquarters through an accounting software, causing for the company losses of up to EUR 300 million. Petya managed to affect three of the company’s nine segments – mainly its freight business. Nonetheless, the company had to shut down some of its logistics systems, resulting in significant multiplier effects for the entire business. Four thousand servers and 45,000 workstations had to be reinstalled.
Back when industrial systems were first built, the lack of security was not considered a realistic threat. Back then nobody came to think that the lack of security could be taken advantage of, as the concept of security was hardly well known. The old systems have never had such a level of cyber security that is nowadays perceived as basic. That’s why modernizing these systems and integrating them into newer systems has opened them up for attacks from various directions.
In late 2015, 1.4 million Ukranian homes were left without electricity. The reason for this turned out to be a malicious program infiltrating the electrical network. This was not just any criminal ransomware, but the trojan known as Blackenergy. One of the components of Blackenergy was specifically designed to destroy files essential for the operating system. Anyone dealing with computers knows that if a computer’s operating system gets messed up, that said computer is good for nothing. With a computer like that, it’s not possible to restore electricity to the customers’ homes either. The Ukrainian electricity company was subject to systematic sabotage, which was described political by many cyber security companies.
Fortunately, the electricity supply for the Ukrainians was disturbed only for a few hours, but much worse damage has already been achieved, too. In 2014, the German information security authority reported a case where a German steel mill was sabotaged by a cyber-attack. The attack originated from a phishing e-mail and proceeded step-by-step from the factory network to the production environment. In the end, the mill’s blast furnace could not be shut down but got destroyed.
Only one previous case reminds of this – a highly political cyber sabotage that disintegrated the centrifuges of Iran’s uranium enrichment facility. It was a deliberate attempt to hamper Iran’s nuclear program. This case that irreversibly petrified the world is known as Stuxnet.
In the case of the German steel mill, it’s not known whether destroying the blast furnace was the attackers’ original aim. Nonetheless, it happened. That is a lesson of not only the fragility of our networks, but also the butterfly effect of cyber security.
We live in an uncertain world. In it, we face challenges caused by the impact of world politics on the everyday life of companies, human errors and unexpected shortcomings in the integrations of information systems. Network capability, security and separation are important features that, if improperly implemented, can expose the entire business to terrible events limited just by our imagination.
Even though perfect security doesn’t exist, luckily many expensive and devastating mishaps can be prevented. TOSIBOX® is capable of a lot, and even though the butterfly effect cannot be predicted, we have put a lot of effort into thinking about the cyber security of your connections. Configurating the solution is fast, and you can connect machines to your network in a matter of minutes.
TOSIBOX® is infinitely scalable, offering a cost-efficient solution that expands according to your needs, whether it is a steel mill, building automation, office network or something else, where business-critical data moves, and systems need protection.
In the TOSIBOX® solution, the entire communication chain is encrypted from start to finish, and no one can get in between. Learn more about the security of TOSIBOX® >
“Back when industrial systems were first built, nobody came to think that the lack of security could be taken advantage of, as the concept of security was hardly well known.”
Pekka Sillanpää, CTO, Tosibox