Calculating IoT Risks
06 July 2015
Louis Wustemann presents Dr DF Merchant’s advice on how to protect your organisation from dangerous plant failure as the Internet of Things grows.
No self-respecting health and safety manager would ignore risk assessments and procedures for work at height, manual handling or asbestos, but I’ll bet that the only risk assessment you have for IT equipment is a display screen assessment. When we talk about the internet, most people think of the human-driven traffic it carries: email messages, web pages, videos and instant messages. In truth, most traffic is not between humans but between computers: automated, silent packets of information containing database queries, files, sensor data and control signals.
The Internet of Things (IoT) encompasses all the devices that use the internet to communicate with one another. They can be sending data for remote analysis by computers or humans (in the form of cameras, thermostats, fitness trackers), they can be receiving commands (valves, programmable logic controllers (PLCs), electronic locks) and they can be doing both, as in the case of mobile phones, wireless hard drives and smart TVs. Often the end points of that data are within metres of each other, but the traffic bounces around the world to get there.
Today, the internet carries the control signals for everything from petrol pumps to nuclear power stations. Many of these devices are part of supervisory control and data acquisition (SCADA) systems, a generic term for any network of sensors, controllers and actuators that can be running any number of different types of hardware and software.
The first public contact with a cyber-attack using these systems was Stuxnet, a computer virus discovered in 2010 that was said to be designed to destroy uranium enrichment centrifuges — and it was rather good at it. The code searched networks for PLCs running a particular piece of software from Siemens, and changed it; in the case of the centrifuges, to spin them into oblivion.
You’d think that device designers had learned their lesson by now, but far from it. Almost everything you plug into the internet, from a broadband router to a baby monitor, has at least one security hole that hackers know about. Because all these devices are connected to each other, and the security in local networks is always at the edges, it’s very simple to break in through a weakly protected device then hop around looking for something else.
We’re all used to automatic updates for Windows and mobile apps, but updating the software on IoT devices is difficult and rarely done. You may not be in charge of a nuclear reactor, but an outdated PLC or embedded Windows XP system controlling a printer in some far-flung site is the perfect place to hide the command and control software that attacks something else.
Health and safety professionals are encouraged to go beyond display screen assessments wherever electronic control systems could be intercepted and expose your organisation to risks. The requirements laid out in the globally recognised standard for Health and Safety Management (OHSAS 18001) will guide an organisation through the considerations required to properly identify and proactively manage exposure to IoT risks.
Section 4.3 of OHSAS 18001 specifies that organisations exercise ongoing hazard identification, risk assessment, and determination of necessary controls. Documented risk registers should probably include a score against potential IoT incidents and a proposed response should the worst happen. Request a gap analysis report to see how closely your organisation’s health and safety management system aligns with the standard requirements for health and safety management systems.
In the next few years the IoT will invade every aspect of our lives, from internet-enabled bikinis to wireless cat-feeding stations. Some of it will control your production line, filter your drinking water and keep your doors locked. It will be watching you. You should be watching it too.
A longer version of this article appears in the current issue of Health and Safety at Work:
www.healthandsafetyatwork.com
The German Federal Office for Information Security reported last December that an unnamed steel mill had suffered “massive damage to plant” after a cyber-attack destroyed parts of its control system, leaving the operators unable to shut down a blast furnace.