In May 2022, Business Insider reported that Russian troops stole nearly $5 million worth of farm equipment from a John Deere dealership in Melitopol, Ukraine. The stolen equipment was located by remote GPS and locked, preventing it from being used. This story raises many questions around IoT security and is a path of research that I hope to pursue this year.
The fact that John Deere could remotely control these connected devices led to a positive outcome. I’ve read elsewhere that the thieves could attempt to make these machines operational by other means or, as the linked story suggests, part them out, but the time and effort to do this will distract them (or the people they sell them to) from other tasks, so it’s still a net positive.
Outside of a war zone, locating stolen devices via GPS and then shutting them down could help recover the items.
But let’s look at this through another lens: What if the control systems at John Deere (or any other connected device manufacturer) were compromised, whether by a malicious insider, a remote attack, or a simple coding failure? A business’s devices, and possibly the majority of its operations, could be brought to a screeching halt and the devices left offline.
This adds to the complexity of IoT management and security. The same problem arises when a smart device company ceases operations: you are left with devices that are immediately at end of support and that may stop working if they are coded to contact the manufacturer in order to keep functioning.
IoT security often means protecting devices from direct attacks that could allow someone to shut them down or use them for lateral movement into other parts of the network. We also think about data exfiltration from centralized systems, whether authentication systems, payment systems, or the stores that hold the data the connected devices themselves report.
But how often do we pivot and think of an attack originating from the manufacturer, and how to protect against that? For example, consider the security needs of connected cars. How can you protect electric cars from attacks that might originate from charging stations? This isn’t a new thought, but with more public charging stations becoming operational, attacks on the vehicles don’t have to originate from end users or their home chargers; they could come from public charging stations, which have their own management systems.
Businesses partner with hardware and software vendors to implement the systems that run their operations, including IoT, industrial internet of things (IIoT), and operational technology (OT) solutions, and they trust that these interconnected solutions are delivered securely. Availability is one leg of the CIA triad (confidentiality, integrity, availability), and if your business partner can bring down your IoT devices, maliciously or mistakenly, that triad is broken.
To adhere to Zero Trust principles, every system that connects to your business operations, including the systems your IoT vendors operate, must be verified, and the actions it takes must conform to your business policies. As a first step, the IoT security platform you use must monitor all traffic going into and out of these devices and alert on any anomalies, including those originating from the device manufacturer, so that your security operations center (SOC) analysts can determine whether they are seeing a new but benign data pattern or the beginnings of an attack.
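To make the monitoring step concrete, here is an added example (not code from the original post or from any vendor) of the kind of baseline-and-anomaly logic such a platform applies to device traffic. It learns, from a known-good period, which peers, ports and message types each device talks to, then flags new peers, new message types from known peers (including the manufacturer), and volume spikes, tagging each alert with whether the traffic came via the vendor path. The log format, the device and host names, the `vendor.example` domain and the message types such as `remote_disable` are all constructed assumptions for illustration.

```python
"""Baseline-and-anomaly detection over IoT device flow records, including
flows that originate from the device manufacturer. Added example; the log
format, hostnames, domain and message types are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed manufacturer cloud domain (constructed); used only to label alerts
# so the SOC can see that an anomaly arrived over the "trusted" vendor path.
VENDOR_DOMAIN = "vendor.example"


@dataclass(frozen=True)
class Flow:
    ts: str
    device: str
    direction: str  # "in" = toward the device, "out" = from the device
    peer: str       # remote host
    port: int       # remote (peer-side) port
    msg_type: str   # application-level message type, e.g. from a proxy or device log
    nbytes: int


def parse_flows(text):
    """Parse whitespace-separated flow records (constructed format)."""
    flows = []
    for line in text.strip().splitlines():
        ts, device, direction, peer, port, msg_type, nbytes = line.split()
        flows.append(Flow(ts, device, direction, peer, int(port), msg_type, int(nbytes)))
    return flows


def build_baseline(flows):
    """Per device: the set of (direction, peer, port, msg_type) tuples seen
    during a known-good period, plus the largest byte count per tuple."""
    seen = defaultdict(set)
    max_bytes = defaultdict(int)
    for f in flows:
        key = (f.direction, f.peer, f.port, f.msg_type)
        seen[f.device].add(key)
        max_bytes[(f.device,) + key] = max(max_bytes[(f.device,) + key], f.nbytes)
    return seen, max_bytes


def detect(flows, baseline, volume_factor=3):
    """Return (ts, device, alert_type, origin, detail) for each anomalous flow."""
    seen, max_bytes = baseline
    alerts = []
    for f in flows:
        key = (f.direction, f.peer, f.port, f.msg_type)
        known_peers = {(p, port) for _, p, port, _ in seen[f.device]}
        origin = "vendor" if f.peer.endswith(VENDOR_DOMAIN) else "other"
        if (f.peer, f.port) not in known_peers:
            alerts.append((f.ts, f.device, "NEW_PEER", origin, f"{f.peer}:{f.port}"))
        elif key not in seen[f.device]:
            # Known peer, but a message type never seen in the baseline. This
            # is the case that catches a vendor-originated shutdown command.
            alerts.append((f.ts, f.device, "NEW_MESSAGE_TYPE", origin, f.msg_type))
        elif f.nbytes > volume_factor * max_bytes[(f.device,) + key]:
            alerts.append((f.ts, f.device, "VOLUME_SPIKE", origin, f"{f.nbytes}B"))
    return alerts


# Constructed known-good traffic for one device: routine telemetry to the
# vendor cloud, a vendor-initiated firmware check, and NTP to a local server.
BASELINE_LOG = """
2022-05-01T08:00:01 tractor-01 out fleet.vendor.example 443 telemetry 2048
2022-05-01T08:00:02 tractor-01 in fleet.vendor.example 443 telemetry_ack 128
2022-05-01T09:00:00 tractor-01 in fleet.vendor.example 443 firmware_check 256
2022-05-01T09:00:01 tractor-01 out fleet.vendor.example 443 firmware_status 512
2022-05-01T10:00:00 tractor-01 out ntp.farm.example 123 ntp 76
"""

# Constructed traffic to inspect: two normal flows, a never-before-seen
# command from the vendor, a telemetry volume spike, and an unknown peer.
OBSERVED_LOG = """
2022-05-02T08:00:01 tractor-01 out fleet.vendor.example 443 telemetry 2100
2022-05-02T08:00:02 tractor-01 in fleet.vendor.example 443 telemetry_ack 128
2022-05-02T08:30:00 tractor-01 in fleet.vendor.example 443 remote_disable 96
2022-05-02T08:31:00 tractor-01 out fleet.vendor.example 443 telemetry 9000
2022-05-02T08:32:00 tractor-01 out 203.0.113.7 4444 unknown 512
"""


def run_example():
    baseline = build_baseline(parse_flows(BASELINE_LOG))
    return detect(parse_flows(OBSERVED_LOG), baseline)


if __name__ == "__main__":
    for alert in run_example():
        print(*alert)
```

Two caveats a practitioner would add: the baseline must be captured while the devices are known to be clean, or an attacker's traffic becomes "normal", and because most device-to-vendor traffic is TLS, the message type has to come from a TLS-terminating proxy, device-side logs, or the vendor's own API logs rather than from packet captures. The `origin` tag is the point the paragraph above makes: a vendor-originated `NEW_MESSAGE_TYPE` deserves the same analyst attention as an unknown peer, not an automatic pass.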