
Stuxnet, Shodan, and the Security of The Internet of Things

The Industrial Internet is primed to experience a wave of growing pains — and it’s starting now

The Internet of Things may be a potential boon for big business (GE is betting the bank that it will be), but that doesn't mean it'll be problem-free. The Industrial Internet will come with its own set of issues.

Don’t get us wrong, the Internet of Things has the potential to change the game in many industries. (Read our detailed feature article on the Future of the Internet of Things here.) Yet one thing is definitely becoming clear....

Big data comes with big problems.


Stuxnet Redux

The Stuxnet virus was one of the first pieces of malicious software targeting Industrial Internet devices that gained widespread notoriety in the media. Designed to “attack and disrupt the operation of uranium enrichment facilities in Iran,” Stuxnet set back the project for several years and caused millions of dollars’ worth of damage.

While it may have been identified, Stuxnet didn’t die.

As an Industrial Internet saboteur, Stuxnet has gone on to infect the Chevron Oil Corporation and even do damage to the Russian nuclear development network. (Chevron, understandably, worked to keep its Stuxnet infection quiet.) The virus “incorporates multiple infection techniques,” which has helped it “escape” into the wild and infect other Industrial Internet devices around the world.

Most recently, Stuxnet has infected a Russian nuclear plant. Since Stuxnet’s original claim to infamy was brought about by the damage it did to the nuclear facility in Iran, it’s easy to believe that the virus lived on and adapted to target the Russian nuclear program, as well.




No matter who created the virus, there’s no sign of it completely disappearing anytime soon. It was even reported last week that Stuxnet was running rampant through the International Space Station’s computer systems. That report, thankfully, turned out to be false. (The information was taken out of context by an overzealous reporter who didn’t listen to an anecdote being delivered by Russian antivirus company owner Eugene Kaspersky.)

Still, much like a traditional epidemic, the virus has a life of its own. Just when it appears to be under control, we witness another breakout somewhere else. And who knows how many other companies or industries may be infected, but are working to keep it quiet to avoid the bad PR?


You can’t teach an old turbine new tricks

Daniel Prince, associate director of network security at Lancaster University in England, points out one of the key reasons the Industrial Internet is experiencing (and probably will continue to experience) a wave of problems through its devices.

These types of devices are built to last.

A hydroelectric dam doesn't plan on replacing a power turbine every two years like we might a cell phone. Massive industrial technologies are built to last for 10, 20, 25 years and more. And it’s not uncommon for large-scale industrial devices to be custom-built to order — which makes them even more difficult to replace in the future.

“This situation is made more severe by the long lifespan of industrial equipment,” Prince writes. “Many legacy devices are still in use which lack protection for the modern era. The recent discovery of 25 vulnerabilities on the devices that interconnect legacy and modern equipment in power stations is testament to this.”

Some of these devices were given internet connectivity capabilities at such an early point in the internet’s existence that they simply can’t defend against modern cyber-attack techniques. A medieval wooden fort is no match for an enemy armed with explosives and incendiary munitions. So, too, many of these legacy devices simply aren’t capable of defending against modern attack vectors and advances in viruses (like Stuxnet).


Shodan — bow to your enemy

So a virus can find unprotected industrial internet devices and wreak havoc on them; how does the cyber security expert work to protect those same devices? Or even find which ones are vulnerable in the massive Internet of Things in the first place?

Enter Shodan.

Shodan is to the Internet of Things as Google is to the internet. While Google searches for webpages, Shodan searches for physical devices that are connected to the Internet of Things. And it finds them. In great numbers.




Unfortunately, many devices that are connected to the internet have such simple passwords (admin, 1234, or password) that ne’er-do-wells can quickly gain access to these devices and get into all kinds of trouble.

Servers, traffic lights, cameras galore, heating and air conditioning systems, baby monitors, cars, industrial turbines, security systems, gas stations, power grids, nuclear power plant controls, and even particle-accelerating cyclotrons — the savvy Shodan searcher can find them all.

As a cyber-security tool, this information can help companies better secure their own infrastructure; they can better protect their devices that are connected to the Internet of Things so that they can prevent abuse by the thugs that lurk in the dark corners of the internet.


With great data, comes great responsibility

True, the Internet of Things does promise to herald a new dawn of interconnected devices that can talk to each other and provide us with larger amounts of more comprehensive data. But it’s important to remember what can happen when we connect every device to every other device. (No, not Skynet — well, maybe a little.)

While the potential of the Industrial Internet grows, so must the protection of those devices. Better security techniques will be found, more robust preventative measures will be taken, and cyber-security updates will eventually become as common for our interconnected devices as updating your PC’s anti-virus software is.

The Internet of Things will create more data than ever before. More devices will connect to each other. And more security concerns will need to be addressed.

To paraphrase Uncle Ben’s advice to his nephew Peter: “With great data, comes great responsibility.”


[Editor's Note: Read our feature article on The Internet of Things here: "The Future of The Internet of Things." If you need a primer on The Internet of Things and the future of the connected-devices Internet, this is a great place to start.]



G.E. is owned by General Electric [GE].
Intel semiconductors is owned by the Intel Corporation [INTC].
I.B.M. is owned by The International Business Machines Corporation [IBM].
Cisco is owned by Cisco Systems, Inc. [CSCO].
AT&T is owned by AT&T Inc. [T].
Skynet is self-aware and is owned by Cyberdyne Systems Corporation.
Microsoft is owned by the Microsoft Corporation [MSFT].


