15 December

Safety and the Internet of Things (IoT)

Fairly new to the world of health and safety is the concept of Safety and the Internet of Things (IoT). We have all heard about computer hacking, and some have heard about the Internet of Things (or IoT). Few, if any, of us have included susceptibility to (malicious) outside control under the category of hazards that we need to protect against. As more and more devices can be controlled remotely over the internet, the risk of someone else doing the controlling increases.

The global cyber attack WannaCry affected a considerable number of people in the UK. NHS Trusts, hospitals, and GP Practices had to face the consequences on the frontline.

Consider this recently reported news story:

A piece of malware spotted by a cybersecurity firm (FireEye) is one of the few examples of hacking tools designed to cause real-world harm rather than steal money or data. The malware was found by FireEye’s Mandiant team responding to an alert from an industrial customer after a compromise had been detected on its computers. Mandiant considers itself the leader in helping companies respond to, and proactively protect against, advanced cyber security threats.

The malware was designed to manipulate the systems which provide emergency shutdown. There was no evidence that such an attack was imminent, as attackers often penetrate systems to retain the capability to launch such attacks in the future, without (necessarily) the intention of doing so.

The malware is understood to have targeted the Safety Instrumented Systems (SIL), autonomous controls that independently monitor industrial processes (and form part of the Process Safety solution). By manipulating what these safety systems would go into alert over (the trigger), the impact of the malware could have extended to “human safety, the environment, or damage to equipment”.

Here is an extract from Rail Cyber Security: Guidance to Industry:

Cyber technology is complex and fast evolving, and cyber attacks are becoming increasingly automated and sophisticated. Railway systems are becoming vulnerable to cyber attack due to the move away from bespoke stand-alone systems to open-platform, standardised equipment built using Commercial Off The Shelf (COTS) components, and increasing use of networked control and automation systems that can be accessed remotely via public and private networks.

The threat of cyber attack arises from organisations and people referred to as hostile actors. Their exact intentions are wide and varied, ranging from the desire to cause death, through to the desire to cause minor disruption, inflict reputational damage or steal data. There are also threats posed by employees operating systems inappropriately, and from inertia within the supply chain regarding the introduction of cybersecurity measures to engineering systems.

Maybe what the industry needs is to consider some elements

I was privileged to have a little feedback on this article from an IT industry specialist:

- Certification on new IoT devices to verify that each has been ‘penetration tested’ (helping to prevent startups rushing out to market without strong considerations regarding security).
- Patching and updating devices will also need to be in the long-term strategy of any business that decides to make use of these devices.

Although rare, malware has been used to cause physical damage before. In 2010, the US and Israel deployed the Stuxnet virus to destroy a number of Iran’s nuclear centrifuges. Stuxnet reportedly destroyed up to 1,000 centrifuges at the Iranian uranium enrichment facility in Natanz. Another hacking tool called Industroyer, believed to have been sponsored by the Russian state, was identified targeting the Ukrainian power grid in 2016.

Update, May 2018

According to a recent EEF report, nearly half of manufacturers have been the victim of cyber-crime, and a quarter have suffered some financial loss or disruption to business as a result. The manufacturing sector is the third most targeted for attack, with only government systems and finance more vulnerable. Yet manufacturing – which has 2.6 million employees, provides 10 percent of UK output and 70 percent of business research and development – is amongst the least protected sectors against cyber-crime in Britain.

The report, Cyber-Security for Manufacturing, published by EEF, is available online.

Cyber Essentials

There are five technical controls in Cyber Essentials:

- Use a firewall to secure your Internet connection
- Choose the most secure settings for your devices and software
- Control who has access to your data and services
- Protect yourself from viruses and other malware by using antivirus software, only downloading apps from manufacturer-approved stores, or running apps and programs in an isolated environment (sandbox)
- Keep your devices and software up to date by patching regularly