It’s the Government, Man!

I’ve written about the Internet of Things (IoT) before.  It’s the popular adoption of SMART devices that have computer capabilities, but operate autonomously (without human interaction). There are thousands of types of these devices – from light bulbs to industrial controllers to security systems.  It’s expected there will be 50 billion IoT devices worldwide by 2025 – outnumbering the global population by 6 to 1. IoT devices actually have tiny computers built into them.

One of the major drawbacks to IoT devices is their inherent lack of security.  Thus, hackers can easily exploit holes in the software to spread havoc.  They can take control of the device, alter its established function, cause physical damage to it, or gain access to the rest of the network the device is connected to; none of these are good outcomes. And once one device of a particular make and model is hacked, all of the same devices worldwide are potentially compromised. It could be millions of devices.

Our Cyber Security Supervisor, Karl Buckley, alerted us to one such potential hack of a PLC (Programmable Logic Controller) that has drawn the attention of the Canadian government. Public Safety Canada has issued a warning about a popular PLC made by Rockwell. This PLC is embedded in all sorts of industrial machinery.  At one such client, the Water Treatment plant uses these controllers. I’m sure there are more in use throughout Alberta.

The full article is here, but it’s not a user-friendly read unless you understand PLCs, UDP and TCP ports, and version-patching embedded firmware. However, the article – and its warnings – need to be taken seriously.  I would suggest you pass the information on to anyone in your organization who is responsible for industrial maintenance.  They can contact the manufacturer of their equipment to see if the Rockwell PLC is used.  It could be in HVAC units, (water treatment) pumps and controllers, generators, industrial lighting systems, and many more. Fortunately, there are software fixes to mitigate the risk from this security hole.

But we need to think in the larger context of how to manage the influx of IoT devices into our homes and workplaces. These devices are coming and you won’t be able to stop them.  It’s predicted that most devices will have some sort of technology component.  In 5 years, you won’t be able to buy non-SMART devices – just like it’s almost impossible to buy regular incandescent light bulbs today.

So the best approach is to plan for – and manage – these devices.  For your business (and, relatedly, your home), here are a few simple tips:

  • Overall, plan to increase your Internet bandwidth and usage (data) caps by 15 to 20%
  • Where possible, inventory these items as they come into your facility.
  • If they connect via WiFi (most do), provide a WiFi network for them that is segregated from your Private and Public-access WiFi networks.
  • If they connect via a network cable, have your IT provider segregate the IoT network into a separate segment (called a VLAN).
  • Open only the firewall ports that are required to run the devices, and no others.
  • If you can possibly run the device in a non-SMART mode – and it won’t affect your application or the device – use it. Check the instructions.
  • For items that run critical infrastructure (e.g., generators, pumps, HVAC), obtain the manufacturer’s data sheets and contact information.  If they have a website with product information, check it often to see if updates (often called firmware) are available. It should become part of your preventative maintenance routine.
  • If you have – or are obtaining – Cyber Security insurance, ensure the critical devices are listed on the policy.
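The tips above can be turned into a repeatable check against a device inventory. The following is an added example, not part of the original post: a small Python audit that flags devices that are off the segregated segment, expose ports they do not need, or (for critical equipment) are overdue for a firmware check or missing from the insurance policy. The segment names, the 90-day interval, and every device, port and date in the sample inventory are assumptions constructed for illustration.

```python
from datetime import date

IOT_SEGMENTS = {"wifi-iot", "vlan-iot"}   # assumed names of the segregated networks
FIRMWARE_CHECK_DAYS = 90                  # assumed maintenance interval

# Constructed sample inventory; device names, ports and dates are illustrative.
INVENTORY = [
    {"name": "hvac-controller", "segment": "vlan-iot", "critical": True,
     "required_ports": {8883}, "open_ports": {8883},
     "firmware_checked": date(2024, 5, 20), "on_policy": True},
    {"name": "pump-plc", "segment": "office-lan", "critical": True,
     "required_ports": {8883}, "open_ports": {23, 80, 8883},
     "firmware_checked": date(2023, 11, 1), "on_policy": False},
    {"name": "lobby-bulb", "segment": "wifi-private", "critical": False,
     "required_ports": {443}, "open_ports": {443},
     "firmware_checked": date(2023, 1, 1), "on_policy": False},
]

def audit_device(dev, today):
    """Return a list of findings for one inventory entry."""
    findings = []
    if dev["segment"] not in IOT_SEGMENTS:
        findings.append(f"move off '{dev['segment']}' to a segregated IoT segment")
    extra = sorted(dev["open_ports"] - dev["required_ports"])
    if extra:
        findings.append(f"close ports not required by the device: {extra}")
    if dev["critical"]:
        age = (today - dev["firmware_checked"]).days
        if age > FIRMWARE_CHECK_DAYS:
            findings.append(f"firmware check overdue ({age} days since last check)")
        if not dev["on_policy"]:
            findings.append("not listed on the cyber insurance policy")
    return findings

def audit(inventory, today):
    """Map each device name to its findings; compliant devices are omitted."""
    report = {}
    for dev in inventory:
        findings = audit_device(dev, today)
        if findings:
            report[dev["name"]] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(INVENTORY, date(2024, 6, 1)).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Running it as part of the preventative maintenance routine keeps the inventory, the firewall rules and the insurance list from drifting apart.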

On this last point, I don’t think the insurance industry has woken up to the threat that IoT devices can pose, but they will. It will drive requirements and premiums up.

I think the warning from Public Safety Canada is a very good thing; it’s “the Government, Man” in a positive sense of the phrase. I hope it’s the first of many.

Thanks
Dave White