the newsletter of tbd consultants - Autumn/Winter 2019
Cybersecurity has continued to hit the headlines, with recent examples including Louisiana issuing a Cybersecurity State of Emergency after three of their school districts suffered cybersecurity breaches, which also took down one district’s phone system. Soon after that, we heard about the Capital One breach that affected about 110 million people. The rise of the IoT (Internet of Things) and the IIoT (Industrial IoT) has multiplied the number of access points that hackers can target, and these devices have become attractive backdoors for hackers because they have been left largely unprotected.
The protocols commonly used to communicate with IoT devices include Modbus, BACnet, and SNMP. Modbus has no security measures integrated into it, and BACnet has such a low-level security option that manufacturers seldom bother including it in their products. There is a new version of BACnet being worked on that will be more secure, but that is probably still a year or two away. The first version of SNMP (Simple Network Management Protocol) had no security incorporated in it, and the second version had some, but remained fairly insecure. SNMPv3 has much improved security, but as a protocol that is now 15 years old, it has also become highly vulnerable to hackers.
Does it really matter if someone hacks into your Internet-connected refrigerator and lets your milk go sour? Probably not, but what if they hack into a controller at a power station and black out your city? The recent blackout in Manhattan was due to a communications issue with the Protective Relays at a substation. These same relays have already been the subject of cybersecurity vulnerability reports and, while this incident appears to have been unintentional, it shows how serious the cyber threat is to our everyday lives.
While devices, like protective relays, can affect tens of thousands of companies and individuals, Building Management Systems (BMS) in office buildings and data centers have become more frequent targets of attacks and these can shut down an entire building and all the companies located in that facility. In addition, items like Programmable Logic Controllers (PLCs), Uninterruptible Power Supplies (UPSs) and Air Conditioning (AC) systems all represent prime targets for hackers to interrupt and sabotage critical operations at almost any type of facility.
As a general rule, manufacturers have been more interested in getting new technology onto the market as quickly and cheaply as possible, in order to undercut the competition. Security has, sadly, often been an afterthought. Yet, all these devices are effectively turning our office buildings, hospitals, data centers and homes into Internet-connected objects, and laying out the welcome mat to cybercriminals.
Enter California Senate Bill No. 327 (SB327), the first legislation in the U.S. to specifically address the security associated with IoT and IIoT devices. In addition, there are at least two bills working their way through Congress, ‘The Internet of Things Cybersecurity Improvement Act’ and the ‘Securing IoT Act’, but, at time of writing, neither of them has come up for a vote.
SB327 was signed into law in September 2018 and, in simple terms, says that from January 1, 2020, all new IoT devices sold and installed in California must have security appropriate to the type and use of that particular device. ‘Appropriate’ means that the more critical the device is, and the more essential the use to which it is put, the more demanding the security must be. The wording does give plenty of room for lawyers to argue about it and for case-law to define it, but in a rapidly changing field of technology like IoT, it is about as good as lawmakers could come up with. It can certainly be said that SB327 is better than any similar law that has been enacted, if only because there are no other laws yet that relate specifically to security on these kinds of devices.
There are some specific requirements in SB327, such as those related to passwords used to access such a device. No more default passwords, so loved by hackers worldwide. Each device must either have a unique password, or it must force a user to change the password the first time they use it. But that brings little help to Modbus and BACnet devices which do not even offer secured passwords. It’s fair to say that, for these protocols, no security is not “appropriate security”.
With this law coming into effect at the start of next year, it is an issue that designers will need to be addressing now. Using SNMPv3, with all its security features implemented, as the communication protocol may meet the requirements of SB327 in most instances, as would the forthcoming version of BACnet (whenever it’s available). If the IIoT device were, say, controlling a critical piece of equipment in a power station, something better than SNMPv3 would almost certainly be needed to make the security level ‘appropriate’. However, if a device sold after 1/1/20 uses Modbus or the current version of BACnet, then a dedicated security device would be needed in order to be compliant with the law. The law provides for fines and penalties, and any such events would likely generate wide-ranging headlines that would embarrass the engineer, manufacturer and the end user. This all makes it paramount for every new project in California to include the proper security systems in its design.
Our thanks to Bob Hunter of AlphaGuardian for his help with this article.
Solar power seems like an ideal way to help the environment and save long-term costs. Here we look at the economics and other issues surrounding a proposed solar installation.
Talk of a recession has been increasing in recent months, but how realistic are the indicators and how can we negotiate the market confusion?
Design consultant: Katie Levine of Vallance, Inc.