Some months ago, I had a meeting offsite. I was early and, as is the norm, I was offered a drink while I waited to be collected from reception. I accepted, and the receptionist passed me a token to use in the vending machine. My host arrived to collect me from reception shortly after. His, or rather my, timing could have been better – without checking its temperature, I had just taken a rather large sip of coffee made with superheated water and was in the process of spitting out the mouthful of scalding latte just as he approached.
As first impressions go, it was not my best (though not my worst either). To mask my embarrassment, I made a joke about their coffee machine being hacked, “no doubt to stop me talking by burning my mouth”. My host looked at me like I was mad. “How would they hack the coffee machine?” he asked.
There remains a tendency to think about cyber-attacks in terms of obtaining confidential and classified information – bank details, the emails of major political parties and so on – and much of the emphasis on cyber-security is about protecting data. However, since 2010, when Stuxnet, a worm specifically designed to attack the programmable logic controllers (PLCs) controlling centrifuges in the Iranian nuclear programme, was identified, cyber-attacks that target company operations have increased. We all remember when the WannaCry ransomware hit several NHS trusts, as well as thousands more systems in 150 countries, in 2017. The attack went beyond extorting money from the victims: the encryption of files fully paralysed computers across the NHS. Thankfully no one is reported to have been killed as a result.
Similarly, this year, manufacturing companies were targeted with LockerGoga. Norsk Hydro, an aluminium manufacturer, had to switch some of its plant to manual operation, while chemical company Momentive suffered a “global IT outage”.
Measures such as backing up files and keeping operating systems up to date on laptops are at the core of any sensible organisation’s cyber-security policy. But security on devices that were not traditionally networked, such as boilers, lathes or even teddy bears, is often neglected despite the advent of the so-called Internet of Things.
As we move into the fourth industrial revolution, companies are looking to automate more processes and harness the capabilities of cloud computing, big data analytics and AI. On top of that, connectivity and intelligence are becoming standard in even the most innocuous of devices. So it is no surprise that, according to IoT Analytics research, the number of IoT devices to be connected will increase by over 150 per cent in the next six years. By comparison, the number of traditionally connected devices (such as phones, laptops and computers) is predicted to increase by only 12 per cent in the same period.
Clearly this is opening up a whole new battleground for cyber-security. These devices can communicate data and can impact your network. If you’re not thinking about your equipment and business processes in terms of being connected, you won’t protect your systems, and then you are vulnerable.
How often have you changed the default password on an IoT device? Probably not often – even if you know how. Whereas on a new laptop or phone it’s one of the first things you do, and what employer doesn’t insist on a strong password for your work computer? Yet devices that are not only connected to an organisation’s network, but in some cases are literally controlling the business operations, often still have the default password. When that happens, forget about anything as sophisticated as WannaCry and LockerGoga – any 15-year-old hacker can halt, damage or destroy your operations.
There is plenty of good advice on how to think about cyber-security in the IoT world. The first thing needed is a change of mind-set: include IoT in your security culture and recognise what is connected to your network.
Which brings me back to my hot coffee anecdote.
“How would they hack the coffee machine?” he asked.
Well, I had seen something that my colleague had not: the bright yellow contactless card reader right on the front of the vending machine.
The humble coffee machine was hooked up to something potentially more dangerous than hot water.