
10/21/2016
10:00 AM
Jai Vijayan

7 Imminent IoT Threats

Attacks against smart home products, medical devices, SCADA systems, and other newly network-enabled systems signal the beginning of a new wave of attacks against the IoT.
6 of 8

SCADA Systems

Few people think of the Supervisory Control and Data Acquisition (SCADA) systems used to manage industrial control equipment and critical infrastructure as being part of the IoT, but they are. And like many other IoT devices, they are just as vulnerable.

Until relatively recently, SCADA systems were not connected to the Internet and therefore didn't really require the same kind of security controls that other Internet-connected systems have. However, with many of them getting network-enabled in recent years, the relative lack of controls, including hard-coded passwords and poor patching processes, has become a big problem.

'Industrial controllers - SCADA systems that have been in place that are difficult to update - are especially ripe for attacks,' says Rod Schultz, vice president of product at Rubicon Labs. 'Any control system that controls any type of kinetic energy - water, electricity, nuclear power - or business critical information such as banking and financial data, should be assumed to be a target.'


Attacks on such systems could have substantial physical consequences. As far back as 2007, researchers demonstrated how attackers could destroy power grid equipment by going after the SCADA systems controlling such equipment. But physical damage is not the only concern.

Attackers could use compromised SCADA systems in DDoS attacks or in ransomware attacks, Schultz says. 'IoT attacks will be turned into profit centers,' he says. 'Financial systems are obvious targets of course, and we see SCADA systems as major and vulnerable targets too.'

Image Source: genkur via Shutterstock
