As the shock starts to wear off from hearing that a window/door blew out on a recent Alaska Airlines flight, I came across research from our partner Nozomi Networks that might help to explain what happened (or could happen). As reported in Ars Technica ("Hackers can infect network-connected wrenches to install ransomware"), Nozomi researchers found that a network-connected Bosch Rexroth precision wrench contained 23 cyber vulnerabilities that would enable malware to be placed on the device. More specifically, that malware would enable threat actors to leave bolts loose (or overly tightened) while reporting that the bolts were correctly tightened.
While there is no reporting to say that this specific wrench was used, or that malware was placed on it to cause loose bolts, what is most alarming is that this is a plausible chain of events. Bosch Rexroth (the wrench maker) is used in aerospace manufacturing and has a dedicated webpage on how it supports aerospace firms. Over time more details will emerge on how specifically airplanes were manufactured with loose bolts, but there are already lessons organizations can learn from this on IoT security.
Many organizations face an equivalent IoT security situation in what they do, their own form of a blown-out airplane door. The real issue is understanding the dangers of vulnerable IoT devices and what steps can be taken to prevent those vulnerabilities from creating catastrophes. Here are some key points to help:
- IoT devices are also cyber-physical systems: With IT security, the key issues are data theft and data integrity; IoT security is often about physical impact coming from cyber vulnerabilities. Loose bolts, unlocking doors, changing chemical levels in water, shutting off oil pipelines, and many other examples exist of the physical impact of IoT security breaches.
- IoT security is different from IT security: Organizations have collectively spent decades and billions of dollars to create IT security environments that work for IT systems and don’t work for IoT. Most IT security solutions rely on agents operating on the devices they secure; IoT devices do not allow agents on them. Agentless solutions exist for IoT asset discovery, threat assessment, cyber hygiene, and vulnerability remediation, but only a fraction of organizations use them compared to agent-based solutions. Bosch plans to issue a patch for the known vulnerabilities by the end of January; the real question is whether organizations using Bosch wrenches have the ability to quickly patch firmware across fleets of IoT devices.
- Supply chain risk needs to be viewed through IoT: The last few years have brought a focus on supply chain risk, and have led to customers requiring detailed security information from the organizations they buy from. Often missing in those vendor surveys are focused questions on IoT security and IoT vulnerability remediation. If you have your vendors do a security survey, review the questions to make sure you’re getting to the heart of how they handle IoT security (as Boeing customers are likely doing right now!).
- IoT security must address tightly-coupled devices and applications: As with the Bosch example, IoT is not only the device (e.g. wrench) but also the application managing it (Bosch’s NEXO-OS). This is where application-based discovery is needed for IoT security; organizations need to have not only a dictionary of the relationship between devices, ports, and applications but also accurate data on the state and operations of the tightly-coupled IoT environment.
While this discussion is theoretical (there is no direct tie between Bosch’s vulnerable IoT wrenches and the air disaster at Alaska Airlines), it should help to push organizations to dig deeper on their IoT security and decide what their next steps are. Most important is taking those steps and building a plan for IoT security.