Article by John Gillies, Lead Cyber Security Assessor @Converged and the only IASME accredited IoT Assessor north of the central belt.

The Internet of Things, Smart Devices, The Digitisation of the Oilfield, Alexa, Siri, Light Bulbs, Cars, Fridges, Power Grids, Dams, Pipelines, the list is far too big to encompass this trend.

I recently spoke to a colleague who wondered how easy it would be to plug some cables in to a smart device for the oilfield and extract the data from it, without the client being aware. This is of course eminently possible, but it doesn’t really point the gun of risk mitigation where it should be.

In the digital brave new world of IoT, we are all becoming concerned about the devices themselves, and whether they should be seen as a security liability. As a user of IoT services there is a duty of care on us all to ask our suppliers to evidence the adherence these products have to basic cyber security standards. Only by pressurising these suppliers as savvy buyers, will they improve their security posture.

Importantly though

Is it possible that a balaclava wearing cybercriminal will travel to an industrial site, scale the fence, and evade the CCTV, wrestle with an Alsatian and gain access to a smart device that earlier that day automatically provided an inventory management system with data that pump unit 15 has returned to the yard for maintenance and that it had sent its latest data to the system? Of course. But is this where we should be focussing our risk mitigation?

Absolutely not. Why?

Maybe because the cybercriminal isn’t going to do that. They are much more interested in the value of their attack and the return on that investment. They are much more likely to be interested in where they can best gain value.

The Inventory Management System is running on an old Windows 7 pc “cos we can’t get the vendor to update that”. Well, therein lies the trouble, and the opportunity!

The hacker will target the Inventory Management System because they are going to gain access to the correlated information of a multitude of devices and equipment, not just pump unit 15. They are going to be able to exfiltrate data which may well be sensitive commercial or intellectual property data, very possibly of a client. They will make it portable, transfer it over the internet to their own den of iniquity or encrypt it and demand a ransom. The point is the pump isn’t of interest – it’s not worth the effort.

This must be considered when deciding where to invest in cyber security. The real risk is the place where all the small and non-valuable data is correlated to.

Time to upgrade the pc to Windows 10. Or maybe it’s time to upgrade the vendor.