Understanding Cyberrisks

in IoT
Understanding Cyberrisks
in IoT
When Smart Things Turn
Against You

Carolina A. Adaros Boye

Understanding Cyberrisks in IoT: When Smart Things Turn Against You
Copyright © Business Expert Press, LLC, 2019.

All rights reserved. No part of this publication may be reproduced, stored

in a retrieval system, or transmitted in any form or by any means—
electronic, mechanical, photocopy, recording, or any other except for
brief quotations, not to exceed 250 words, without the prior permission
of the publisher.

As part of the Business Law Collection, this book discusses general

principles of law for the benefit of the public through education only. This
book does not undertake to give individual legal advice. Nothing in this
book should be interpreted as creating an attorney-client relationship with
the author(s). The discussions of legal frameworks and legal issues is not
intended to persuade readers to adopt general solutions to general problems,
but rather simply to inform readers about the issues. Readers should not rely
on the contents herein as a substitute for legal counsel. For specific advice
about legal issues facing you, consult with a licensed attorney.

First published in 2019 by

Business Expert Press, LLC
222 East 46th Street, New York, NY 10017
www.businessexpertpress.com

ISBN-13: 978-1-94897-664-0 (paperback)

ISBN-13: 978-1-94897-665-7 (e-book)

Business Expert Press Business Law and Corporate Risk Management

Collection

Collection ISSN: 2333-6722 (print)

Collection ISSN: 2333-6730 (electronic)

Cover and interior design by S4Carlisle Publishing Services Private Ltd.,

Chennai, India

First edition: 2019

10 9 8 7 6 5 4 3 2 1

Printed in the United States of America.

 Abstract
Information security policies and controls are deployed in many organ-
izations. Either for compliance reasons or because there is a legitimate
concern about cybersecurity risks, managers more frequently consider
this as deserving attention from a strategic point of view. However, IoT
devices and industrial systems are not very often considered within the
scope of information systems security management, leaving a door open
to ­attackers—actually, quite frequently, many doors.
The explosive growth of IoT and Industry 4.0 has increased the ex-
pectations about new business models and services and more productive
and efficient systems. However, the fact that IoT devices present many
cybersecurity vulnerabilities that can increase the risk of an attack in an
organization seems to go unnoticed. There are many examples of this,
from data stolen from a casino through a smart fish tank to IP cameras,
routers, printers, and vending machines used as bots for Distributed De-
nial of Service (DDoS) attacks. The target can be the IoT system itself,
an adjacent network, or a third party. In any of the cases, the attack can
long remain undetected because the security of these systems is not always
monitored. This book explains why smart systems such as IoT, IIoT, ICS,
and SCADA can introduce risks to a network and why it is important for
managers and decision makers to know about this. It is rather obvious
that you cannot address a problem if you do not know it exists, or if you
are unaware of how serious it is! In these pages you will also find examples
of past attack cases that can serve as lessons to avoid making the same
mistakes in the future.
You probably already know that in a business the main assets for
production are processes, technology, and people. This should make you
aware that cybersecurity is not an IT problem but an organizational prob-
lem. As a team leader, manager, or business owner, the better you under-
stand cyberrisks, the better you can ensure that the right people will be
involved in preventing them, that the right processes will be defined, and
that the right solutions will be displayed efficiently. To achieve this, it is
essential that you have some background knowledge about the challenges
that your security teams can face on IoT and cybersecurity front.
vi ABSTRACT

Keywords
IoT (Internet of Things); IIoT (Industrial Internet of Things); cybersecurity;
risks; industrial control systems; cyberattack; vulnerability; threat; availability;
integrity; privacy; confidentiality; cyber-awareness
 Contents
Acknowledgments....................................................................................ix

Chapter 1 Introduction—What Is IoT?..............................................1

Chapter 2 Real Attack Cases—It Is Not Science Fiction, Smart
Things Can Turn against You...........................................17
Chapter 3 Vulnerability Assessments and Hacking
Experiments—The Risk Is There, Just Waiting for a
Hacker with Enough Motivation.....................................27
Chapter 4 Why Is IoT Especially Vulnerable? Requirements and
Challenges........................................................................39
Chapter 5 IoT in an Office Environment—Printers, Smart TVs,
Routers, and Uninvited Guests.........................................55
Chapter 6 IoT in an Industrial Environment—Industrial
Control Systems and Industry 4.0....................................65
Chapter 7 IoT in Utilities and Service Monitoring—Smart
Meters and Other Stuff....................................................81
Chapter 8 Typical Types of Attacks Targeting IoT Systems—
Understanding What Can Go Wrong...............................87
Chapter 9 Lessons Learned—Getting a Better Idea about How
to Handle the Risks........................................................103
Chapter 10 Conclusions—Now What Do I Do with This
Information?..................................................................113

References............................................................................................119
About the Author.................................................................................123
Index..................................................................................................125
 Acknowledgments
To my dad who inspired my curiosity about things and taught me that
no matter how complicated things are, they can always be explained in a
simple way. To my mom who always believed in me as a writer, and to my
brother, who is unsparing to correct my English grammar.
 CHAPTER 1

Introduction—What Is IoT?

Introducing the Reader to IoT

Not long ago, a friend was visiting me in Birmingham, and, as usual,
we engaged in a conversation about our career goals and projects. She is
currently based in London and works as a human resources director of a
well-known multinational company. When I told her, once again, that
my work was related to research on cybersecurity risks of the Internet of
Things (IoT), she said: “You know, my friend, everybody talks about IoT
and I still cannot understand what it is.” Her day-to-day work is about
dealing a lot more with people than with technologies. Nevertheless, in
today’s world everybody uses technology, even if it is not their main field
of endeavor. Therefore, I believe it is important for everybody to acquire
at least a general understanding of how some things that we use everyday
work, particularly if they introduce risks that you might not be aware of.
Maybe you do not currently use IoT every day, but I am sure you will,
at some point in the not-too-distant future. You may also have to decide
whether to use it or not in your business and how. In many cases, IoT
can be a useful solution to many business problems, so you may probably
decide to go for it. Just remember that this means that you will be intro-
ducing new risks to your organization. Managing these risks is extremely
important, since on that depends the potential of IoT, which is used for
the benefit of the organization and not against it. In other words, a good
cost-benefit balance should be ensured, by preventing and controlling
potential negative impacts caused by cyberincidents.
I believe that every person who could potentially make use of IoT
should have at least a general idea of what it means. Moreover, anybody
who has to make a decision about designing, building, buying, or imple-
menting an IoT solution should know the basics of it, as well as the risks
2 UNDERSTANDING CYBERRISKS IN IoT

involved. Even my neighbor who is considering getting a smart thermo-

stat for her house, just because her sister-in-law got one, should know as
well, at least to a certain extent, what she is dealing with. It is not only
businesses but also individuals that use IoT, and, according to Gartner,
the consumer’s market for IoT is growing by leaps and bounds (Panetta
2017).
Before we look at what IoT is, it is important to understand that there
is no consensus on a single definition. My favorite denotation for IoT is
the one given by the European Union Agency for Network and Informa-
tion Security (ENISA), which says that the term IoT “describes a wide
ecosystem where interconnected devices and services collect, exchange
and process data in order to adapt dynamically to a context” (ENISA
2017). I can imagine that for many this definition might mean absolutely
nothing. I am sure at least that this is the case with many people I know
who are not familiar with IT technical jargon. So to start this book, I
must provide a definition that makes sense to a broad audience.
To make it simple: From the user’s perspective, IoT is everything that
can interact with different sorts of computer devices, including mobile
phones, tablets, and a variety of so-called “human–machine interfaces.”
IoT, in most cases, is not autonomous; it depends on communication
networks to get and send information and behaves according to rules
that can be preprogrammed or learned by the devices. IoT devices can go
from fairly “dumb” and simple, like a temperature sensor, to really smart
and complex systems, like a smart vehicle, but in either case, it needs to
interact with its environment. This is what we call the context, which is the
first aspect that we need to understand in a risk assessment.
IoT is not a technology but rather a term that encompasses a variety
of technologies that differ according to the industry sector, application,
and even the preferences of the manufacturer. Currently, there is no stan-
dard way to build an IoT system. Hence, IoT is not simple, because it is
constructed through different layers of architecture that include comput-
ing devices, communication networks, and electronic or electromechani-
cal equipment. On top of this, each layer can have its own “language” to
communicate, which is referred to as a “communication protocol.”
Now, what is this book about and for whom is it written? Its intended
audience is managers, executives, and business students who want to get
 INTRODUCTION
3

familiar with the cybersecurity implications of IoT. Its main purpose is to

help the reader to prepare for the risk landscape of the future—or maybe
I should say of the present since, as you will read in these pages, IoT
has already become an attractive target for malicious agents. The reasons
for such a degree of risk are many, including the complexity of IoT sys-
tems, their lack of maturity regarding cybersecurity, and their high level
of adoption. Many aspects of IoT cybersecurity need to be approached
differently from how it is done in the case of regular information systems.
The level of interaction with the real world is a key differentiator but not
the only one. It is important to know these differences and the specific
sorts of expertise that are required to manage IoT systems securely.
People who are keen to incorporate technology into different aspects
of their lives, such as home automation, health and fitness smart devices,
connected cars, and even toys for their children, might also benefit from
reading this book, as it will help them gain awareness of the risks of in-
troducing these devices into their personal spaces. If you have an aversion
to technology, it may become even worse after reading this book, but the
actual intention is, far from discouraging people from using technology,
to encourage them to use it wisely. In summary, this book is mainly about
being aware and understanding cybersecurity risks in IoT and about dif-
ferent ways to deal with them.
Figure 1.1 shows a simplified model of the interactions between IoT
and the physical (real) world. Later in this book, some of the aspects of
these interactions will be described in more detail.
It is believed that IoT is becoming the fourth industrial revolution.
With several millions of devices already connected as you read, IoT has
a presence in almost every industry domain, from transport, health care,
sports and entertainment, heavy industry and manufacturing, to smart
grid and utility services, temperature and environment control, public
safety, and retail. There is a promising bright future around the corner,
where things are smart and communicate with each other. The degree
of development that different technologies have reached, including the
current level of coverage, speed, and reliability of the Internet, has made
it possible to realize many of the science fiction scenarios that we saw in
the movies of the 20th century. Drones are nothing new anymore, people
feed their pets and monitor their houses from their offices, driverless cars
4
“Gateway”

Proximity Access
Computer systems Service
network network
(Service platform) network

User
interfaces

IoT users
“Things”

Real world

Figure 1.1  IoT interactions with the real world

 INTRODUCTION
5

are being tested in different cities of the world, and I have recently heard
that it is not rare to see robots in the streets of the city of Milton Keynes,
in England. Soon these robots will be the ones delivering your pizza!
Technology is meant to make processes more effective, efficient, and safer
for people. Overall, the main idea of IoT is to make our lives better. IoT
gives almost endless possibilities for innovation and creation of new busi-
ness opportunities. It will also create new jobs, while at the same time
eliminating some of the existing ones. Products, services, and professions
that never existed or were never thought of before will continue to prolif-
erate. We are finally living in the future!
So, with all this excitement, why are these security people so deter-
mined to point out all the possible things that can go wrong? I reckon
we might be considered a bunch of party poopers. The truth is that IoT
is giving cybercriminals more opportunities to develop new strategies for
stealing data, committing fraud, and causing distress and chaos. More-
over, they are using these opportunities. Offices generally contain smart
printers, routers, security cameras, and smart TVs used for videoconfer-
ences, which might not be within the scope of the cybersecurity policy.
This means that these workplaces are easy targets for cyber-attackers. In-
dustries rely heavily on automation, with more regard for performance
and safety than for cybersecurity, leaving—sometimes unknowingly—
many doors open for unauthorized agents to access their corporate in-
formation networks through these systems. Sometimes, they might even
know about these “open doors,” but worrying about security is not their
job. So if no formal risk assessment is being performed, they might be
complacent, thinking “this will not happen to us”—which many times
proves to be wrong! This book aims to be an eye-opener and a first ap-
proach to developing an insight into how cybersecurity and IoT connect
in order to facilitate more informed decision making.

Building Blocks of IoT

To begin understanding these risks, it is important to first understand
how IoT works, what its main characteristics are, and how it differs from
regular computing systems in terms of cybersecurity management. So, at
the outset, let us define the main building blocks of IoT.
6 UNDERSTANDING CYBERRISKS IN IoT

Things

The so-called things are electronic or electromechanical devices that inter-

act directly with the environment or, as we will call it here, the real world.
Some of them are designed to extract information, others to perform ac-
tions, and some to do both. As people are part of the real world, some of
the things have the means to interact with people.
These devices can have some of the following characteristics but not
necessarily all of them:

• Sensing: This means the devices are able to extract information from
the environment, for example, physical variables such as tempera-
ture, pressure, humidity, weight, and electrical power. Web cameras
that allow monitoring of images of a place are also considered
sensing devices, as well as sensors that detect presence, detection of
chemical components, such as the quality of the air or water, and
human vital signs, such as heartbeats or blood pressure—­essentially,
everything that reveals the status of something in the real world.
• Actuation: This means devices that can perform an action in the
real world. This action is performed through electrical or electro-
magnetic signals and can go from turning something on and off
to controlling a drone. Actuation will usually involve mechanical
devices such as motors and valves. A smart printer is also consid-
ered an actuator since it performs a physical action commanded
through a computer system.
• Computation: Some IoT devices serve a fixed purpose; they can
sense a variable or receive commands to perform an action, but
they cannot be programmed to do anything else. There are also
IoT devices that are “smarter” and have more advanced computa-
tional capabilities. This means that they might even need to run
an operating system to manage different pieces of software serv-
ing a variety of purposes. Even though they are not computers,
they can be configured or even programmed to customize their
behavior. This also means that they are susceptible to malware. A
malware is a malicious piece of code or “malicious” software which
is commonly used to attack computer systems. Malware has been
developed specifically for certain types or groups of IoT systems.
 INTRODUCTION
7

• Communication: Things need to communicate with each other

and with the rest of the system. Many smart things will have their
own means to communicate and be recognized by standard com-
munication networks. For example, if a device is Internet protocol
(IP) capable or able to be associated with an IP address, then it can
be directly connected to the Internet.
Some things are just capable of sending and receiving electri-
cal or electromagnetic signals. These signals represent the variable
that they are sensing or the commands that they are receiving, but
they lack the capabilities to communicate under a certain protocol.
Others might use more advanced communication protocols such
as Controller Area Network (CAN) messages or Modbus, but this
will not necessarily be compatible with standard communication
protocols. In these cases, the devices communicate first with a gate-
way, which translates the data in a way it can be understandable
by standard communication networks, for example, a local area
network (LAN) or the Internet.

Communication Networks

An IoT system will rely on different communication networks to be able

to function. The Industrial Internet Consortium differentiates three types
of networks according to the parts of the system they are meant to link.
These are the proximity network, the access network, and the service network
(Industrial Internet Consortium 2015). We are going to borrow their def-
inition since it is useful to make clear how different types of communica-
tion can interact in an IoT system.

• Proximity network: It provides the means of connection between

the things and the gateway that will serve as a bridge to connect
them to a standard communication network. If all the devices are
capable of connecting directly to a standard communication net-
work, the proximity network might not be differentiated from the
access network.
• Access network: It controls the flows of data between the things
and the computer systems that process and store the data.
8 UNDERSTANDING CYBERRISKS IN IoT

• Service network: It allows the connection of the system to the plat-

forms that run higher-level software such as the interfaces where
commands and rules are generated.

Communication can be between a thing and another thing, between a

thing and a computer server (including cloud services), or between a thing
and a human user.

Computer Systems

This part represents the platforms where different software services in-
teract to make the IoT system work. Usually, there is a differentiation
between the platforms that store and process the data and the software
services that allow monitoring, executing commands, and configuring
business rules. The former are usually in charge of orchestrating the dif-
ferent functions and flows of information between the different parts of
the system. The latter usually allow for the interaction with human inter-
faces as well as with software belonging to the business domain such as
enterprise risk management (ERM), customer relationship management
(CRM), and business intelligence (BI) tools.

Human–Machine Interfaces (HMI)

An interface is a link between different components of a system. In this

case, we are referring to the hardware and software that allow humans
to interact with the system by accessing data, sending commands, or
changing configuration parameters. There are usually different roles
that a human can take in this interaction such as user, administrator,
or developer. While the user will have a more limited range of ­actions
that can be performed, the administrator and the developer will be
able to make changes to the system. The communication between
humans and the IoT systems can take place in one or more of the
following ways:

• Directly with the IoT device, through a touch screen, keyboard, or

other means of interaction;
 INTRODUCTION
9

• Through software that runs in a computing device such as a mobile

phone, a tablet, or a computer; or
• Through a dedicated interface, similar to the electronic totems or
screens that are used in airports for checking in or retrieving infor-
mation of flights. It is usual to see keyboards or touch screens as
well in industrial environments as a means to interact with differ-
ent machines.

While some IoT systems require little or no human interaction, others

are designed to have a higher level of dependency on human inputs. It
will all depend on the purpose of the system and its application. For
example, some industries can have highly automated manufacturing
processes where only monitoring is required and actions need to be per-
formed by humans only when there is an abnormal event. This is also the
case of an airplane flying in autopilot mode compared with one that is
manually commanded. A smart device that monitors sugar levels in the
blood of a patient and sends this data to a hospital’s system is another
example of an IoT system that might not require its user to perform any
action. On the other hand, a smart TV will require input from users to
select their preferred programs and the times at which they wish to watch
them. Figure 1.2 shows a general diagram of an IoT system and the inter-
action between different components.
A useful way to understand the different components of IoT and their
interactions is through an architecture model that provides a view of the
system from different perspectives. Most of these models define differ-
ent tiers or layers to describe the deployment of IoT. At one end, there
will be a layer that corresponds to the physical domain, and at the other
will be the enterprise or management of the system. In between, there
are hardware and software platforms, and communication networks that
allow the interaction between different sorts of computer interfaces and
the physical world. Although there is no standard definition for an IoT
architecture, several models are available that can be useful to study the
interactions of its components from different perspectives. To explore this
further, it is a good idea to start with the Industrial Internet Consor-
tium model, which is available online. Microsoft Azure has also made
available online an important deal of information about its IoT security
 Things

10
Computer systems
Proximity
Gateway
network
Software

Analytics Data processing

Data bases

Software platfroms

Access Hardware platforms

network

Servers Cloud servers

Human interfaces Data centers

Hardware
Software

Rules, monitoring
& control
Service network

Figure 1.2  Interaction between different components of an IoT system

 INTRODUCTION
11

architecture. Finally, the IoT-A model also provides a complete view of

IoT from different perspectives, including examples of use cases.
It should be noted that the description I made of the different IoT
building blocks or elements is agnostic with regard to any type of technol-
ogy. Most of the architecture models for IoT will also tend to be general,
in order to cover diverse technologies used across a variety of IoT systems.
Different industries have specific types of systems they often use to con-
trol their processes. Some of them precede the idea of IoT since they have
been operating in these industries for decades. Therefore, they correspond
to a special case where old technologies have been integrated with new
ones. Examples of this are systems that are built based on Programmable
Logic Controllers (PLC), Digital Direct Controllers (DDC), industrial
computers, motor drives, microcontrollers, and microprocessors. These
different types of controllers have been used to process information com-
ing from the readings of sensors, such as temperature, pressure, humid-
ity, weight, and position, and give commands to actuators like motors,
switches, or valves.
Regarding communication networks, protocols used in the proximity
by the things or in the access network can be general purpose ones, such
as Bluetooth, Wi-Fi, and cellular networks, or specific protocols that have
been developed for IoT, such as LoRa, ZigBee, and Z-Wave. In industry,
it is more often the case that the sensors and actuators are wired and use
protocols such as Bacnet, Lonworks, Profibus, DNP3, OPC, and Mod-
bus, or CAN-based protocols. All of these are industrial protocols that
have been around for a while, and most of them were not developed hav-
ing cybersecurity in mind since this was not a priority at the time. The
protocol used depends on the different requirements of the system, such
as distance range, speed, reliability, privacy, and compatibility with other
devices, or simply the preference of the manufacturer and user. Overall,
there are no standards for communication protocols for IoT, but it is
usual that the access and service networks will make use of more stan-
dard technologies and communication protocols, since it connects to IT
systems. The public Internet will therefore be a common means of com-
munication for many IoT systems, and cloud computing will often be
used as a handy way to store and process the data. Nonetheless, many
applications and industries require using local or private networks for se-
curity and privacy reasons.
12 UNDERSTANDING CYBERRISKS IN IoT

Now that we have a better idea of what IoT is, we can explore some
of its characteristics. If some readers have not gotten the complete picture
yet, please beware of the possibility of complex interactions between IoT
components that vary from system to system. However, as long as you
understand that IoT are connected things that can be controlled using
computers, mobile phones, and tablets, it is enough for now. As you prog-
ress through the chapters, many things should become clearer.
As already mentioned, a single IoT system can encompass diverse
technologies. In addition, an IoT system might be formed by subsystems,
which leads to the popularly used term system of systems. You might be al-
ready familiar with this concept as well as with the term embedded system,
but in case you are not, it simply refers to fully functioning systems that
belong within a bigger, more complex system. For example, a voice com-
mand system that has a microphone (sensor) and a microcomputer that
processes the voice input constitute a system that can be used by other
bigger systems such as cars, digital assistants, toys, or anything, imagin-
ably, that could be controlled remotely by voice. An embedded system
corresponds to hardware and software that serve a specific purpose and
are integrated into a major system. In a vehicle where you can find several
electronic control units (ECU) that are in charge of one or more systems
such as engine control, transmission, or brakes, each one of these ECU
has its own hardware and software that perform specific tasks, but all of
them belong to this major system, that is, the vehicle and work in co-
ordination to make it function properly.
It can often happen in IoT that different parts of subsystems are not in
the same location. A typical example of this is smart cities, where different
sensors will be widely distributed to collect information about traffic con-
ditions, air quality, utilities supply and consumption, and public trans-
port, among other services that are yet to be created or even imagined.
This is achieved only by the interaction of multiple processes and services
that will often run on different platforms and have different manufac-
turers, owners, and administrators. For example, a smart building will
have different electronic equipment from different brands for tempera-
ture control, access control, and power consumption monitoring, but it
all might be controlled by the same software or building management
system (BMS), which might run in its own server or might be hosted
 INTRODUCTION
13

in the cloud or use a Software as a Service (SaaS) modality. All of this

involves different suppliers for products and services, including the main-
tenance and administration of each subsystem of the smart building. The
development and wider use of cloud computing has made it possible to
commoditize the hosting of applications, delegating the administration of
hardware and software platforms to a third party. This provides important
economic benefits such as applying economies of scale principles to IT
services, but it also introduces third-party risks. This is just an example of
how the level of specialization of businesses in different technologies or
services can introduce difficulties associated with assigning clear bound-
aries and responsibilities for each part of a whole system. Furthermore,
getting a unified picture of how the system works end to end can also be
difficult since different actors might thoroughly understand only some
parts of it.

How IoT Can Introduce Risks in an Organization

While IoT is entering into every sphere of human endeavor and in all
sorts of industries, it is still a phenomenon that is not well understood—
at least not by all the relevant actors involved in its development and
use. Even if somebody knows perfectly how an IoT system works, he
or she might miss the implications that its use has in a certain context.
For a full understanding, it is necessary to have a holistic view including
operational, business, economic, legal, and even ethical implications of a
new IoT device appearing on the scene. On the one hand, IoT realizes all
the futuristic dreams of the past century, when we were expecting to have
technological cities full of flying driverless cars by the year 2000. On the
other hand, it also brings up a lot of questions and dilemma. For example,
driverless cars will force the enactment of totally new regulations and raise
questions such as who is mainly responsible in the case of an accident.
Privacy is a major concern regarding IoT since by delegating the control
of many of our tasks to “things” we are also providing them with a lot of
information about our lives and behaviors. What if somebody with bad
intentions got access to that information?
There are several ways in which IoT can introduce risks to an organ-
ization, from data theft to denial of service and interruption of industrial
14 UNDERSTANDING CYBERRISKS IN IoT

operations. Over the past decade, many attacks involving IoT and In-
dustrial IoT (IIoT) have taken place. At the same time, there have been
many vulnerability reports and demonstrations of potential attacks that
reveal that some systems only need somebody willing to break them in
order to be breached. Despite all this, many problems remain unsolved
and lack of awareness still persists. Last week I went to a seminar on IoT
where academics and practitioners exposed their ideas on how they see
IoT changing our world. Cybersecurity was not even mentioned as one of
their main challenges, but certainly, it is!
IoT has, for sure, the potential to allow us to make more efficient use
of the resources available and make our lives easier. An example of this is
the use of IoT-capable technologies to program our washing machine to
turn on at the hours of low power consumption, not only reducing our
electricity bill but also helping avoid overloading the power grid. Also,
traffic can be diverted and journeys planned better by having live data
of the traffic conditions. Lives can be saved by continuously monitoring
vital signs of critical patients and raising alerts when something abnormal
is detected, and even automatically injecting them with the appropriate
doses of drugs according to their condition. Now let us think about these
same scenarios from another perspective, namely that of the risks intro-
duced by IoT. A hacker could remotely turn on not only our washing
machine but also all our electric home appliances at the hour of peak
consumption. This will not only increase our electricity bill but also over-
load the electrical grid of the area. Now imagine that they do this in every
house at the same time and cause a blackout. Traffic could be maliciously
diverted the wrong way, causing congestions or even accidents. A patient
can be put at risk or even killed by a wrong diagnosis or by the injection
of the wrong dosage of a drug. So although IoT promises great solutions,
its associated risks also need to be addressed.
There are probably many reasons why manufacturers and developers
of different products and services associated with IoT will avoid talking
about security. Some of them might not be very conscious of the im-
portance of developing secure products, or may not even know how to
do it. Remember that cybersecurity is a field that is more developed in
the IT world than in IoT, and even for traditional IT services, it faces
several challenges at the moment. In many industries, a lack of security
 INTRODUCTION
15

regulations and standards prevail, nor are there any market pressures for
improving security. On the other hand, there are pressures for time-to-
market and lower costs, which introduces another explanation: imple-
menting security measures increases production times and costs. Also,
and despite the multiple attacks involving IoT that have happened al-
ready, apparently many relevant actors still do not believe that the threat
is real. Even though they might know that their products are vulnerable,
there is a common bias toward thinking that there will be little or no
interest from the attackers’ perspective to breach certain systems. One
might think, for example, “Who will want to steal the information about
how many calories someone burnt last week?” The truth is that any in-
formation that is valuable to us is likely to be valuable to somebody else.
Maybe not the way we think about it, but by accessing private informa-
tion criminals can perpetrate scams. That is why seemingly trivial data
such as the location or routine of a person can be considered sensitive
information under a series of circumstances.
It is worth noting that not all cyberattacks have the objective of stealing
data. A device can be remotely locked and remain inaccessible until a ran-
som is paid. It can also be used as a bot in a denial of service attack against
a third party. Therefore, it is not wise to underestimate a priori the motiva-
tion and capabilities of a potential attacker. A thorough risk analysis should
determine whether an organization is able to take the chance or is better off
employing caution and doing something different to avoid or mitigate an
attack. In other words, it is important to take informed decisions based on
a cost-benefit analysis, rather than to be oblivious to the risks.

Summary
What is IoT? A straightforward and simple definition is that it is “things
other than servers and PCs which are connected to computer networks”
(Macaulay 2017). More than a specific type of product, IoT represents
a concept or a paradigm that can be used to develop different products
and services. Overall, IoT refers to systems that include objects that are
capable of interacting with the real world by extracting information from
it, executing actions on it, or both. These interactions will be transformed
into data that is sent from and to computers. This data is processed and
16 UNDERSTANDING CYBERRISKS IN IoT

used to make decisions sometimes automatically and in real time. It is also

stored, and can therefore provide knowledge about the past behavior of
the system. IoT is heterogeneous and present in every industry vertical. As
much as it has come to solve a number of problems, it is also causing and
continues to cause some too. The security problems introduced by IoT
are what the rest of this book is mostly about!
 Index
Access controls, 73 proximity network, 7
Access network, 7 service network, 7–8
Activity logs, 98 Communication protocol, 2
Aircraft, 33 Compromised closed circuit television
Application Programming Interfaces (CCTV) systems, 20
(APIs), 46 Computer systems, 8
Appropriate cybersecurity program, Confidentiality, integrity, and
72–73 availability (CIA) triad, 50
Ashton, Kevin, 39 Connected devices, 40
Attacks targeting IoT systems, Controller Area Network (CAN),
87–101. See also bots; threat 7, 30
intelligence Corporate network, 61–62
attack vectors, 92 Credentials, 42
malicious control of IoT Customer relationship management
systems, 96 (CRM), 8
privacy breaches, 96 Cyberattacks, 89, 107. See also attacks
sabotage, 97 targeting IoT systems
Authentication mechanism, 43 Cybersecurity, 5, 14
Cybersecurity measures in IoT,
Bacnet, 11 challenges, 47–54
Blackenergy, 21 awareness, lack of, 50
Bots, devices use as, 94–96 requires different approaches than
Brickerbot, 24–25 traditional security, 53
Bring your own device (BYOD), 63 security left in no-man’s-land,
Brute force attack, 18, 43 52–53
Bugs, 44 security, 49
Building management system (BMS), standards and regulations, lack
12, 56 of, 51
Business continuity planning, 78 technical constraints, 47
Business intelligence (BI) tools, 8 Cyberwarfare, 90

CAN-based protocols, 11 Demilitarized zone (DMZ), 73

Cheney, Dick, 27 Denial-of-service (DoS) attack, 94–95
Code injections, vulnerability to, 45 Design flaws, 44
Common vulnerabilities and Dictionary attack, 18
exposures (CVE), 109 Digital Direct Controllers (DDC), 11
Common vulnerability scoring system Digital Economy Act (UK), 52
(CVSS), 109 Distributed control systems
Communication networks, 7–8 (DCS), 65
access network, 7 Distributed denial-of-service (DDoS)
computer systems, 8 attack, 18, 87
126 Index
Domain Name System (DNS), 18
Drone jacking, 36
Electronic Control Units (ECU),
12, 29
Embedded system, 12
Encryption, 100
Enterprise risk management (ERM), 8
European Agency for Network
and Information Security
(ENISA), 2, 52
Federal Trade Commission Act
(USA), 52
Finland, heating services in, 22
Firmware, 41, 66
Fish tank in the casino, 20
GE SCADA Systems, 33–34
General Data Protection Regulation
(GDPR), 52, 82, 88
Governance, risk, and compliance
(GRC) tools, 109
Hacking experiments, 27–38
Health care intelligent devices, 32–33
Honeypot, 29
Human–Machine Interfaces (HMI),
2, 8–13
Industrial automation and control
systems security (ISA
2015), 110
Industrial control systems (ICS),
65–79
Industrial environment, IoT in,
65–79
appropriate cybersecurity program,
72–73
business continuity planning, 78
legacy systems, assess risks
introduced by, 76
maintenance, 77
network architecture, 73–74
personnel security training, 77–78
physical access, 76
process-aware approach, 72
resilience, 78
safety regulations, alignment
with, 74
secure configuration, 77
security improvement, areas to look
into, 72–78
supply chain management, 75–76
threat intelligence, 74–75
updates, 77
vulnerability, 74–75
Industrial Internet of Things (IIoT),
14, 17, 66
Information technologies (IT), 66
Insecure data management, 42–43
Insecure interfaces, 46
Insecure network services, 46
Intelligence agencies, 90
Internet of Things (IoT), 1–16
building blocks of, 5–13
actuation, 6
communication networks, 7–8
computation, 6
sensing, 6
things, 6–7
components of, interaction
between, 10
description, 1–16
as fourth industrial revolution, 3
organization risks, reducing, 13–15
real world, interactions with, 4
Internet protocol (IP) phones, 56
Intrusion detection systems (IDS),
62, 73
Intrusion prevention systems
(IPS), 62
Jamming, 58
Legacy systems, assess risks introduced
by, 76
Local area network (LAN), 21
Lonworks, 11
LoRA, 11, 100
Malicious control of IoT systems, 96
Malware defense, 98
“Man-in-the-middle” attack, 58
Manufacturer commitment, 61
Miller, Charlie, 29
Mirai Botnet, 18–19
MITRE Corporation, 109
Modbus, 11
Munro, Ken, 35
 Index 127
National Institute of Standards and
Technology of the USA
(NIST), 52, 73
Nation-states, 90
Network architecture, 73–74
Network monitoring, 99
No-man’s-land, 52–53
Office environment, IoT in, 55–64
areas to look into, 59–64
bring your own device (BYOD),
63–64
corporate network, 61–62
disposal of IoT devices, 63
maintenance, 63
operation of IoT systems,
62–63
physical access, 62
security updates, 63
setup and configuration, 62
purchase decisions, 60–61
brand, 60
manufacturer committment, 61
model vulnerabilities, 60
vulnerability management
process, 61
remote work policies, 63–64
supply chain management, 60–61
Oil and Gas subsector (ONG-
C2M2), 110
Open ports, 45
Open Web Application Security
Project (OWASP), 42
Operational technologies (OT), 66
PDCA (Plan, Do, Check, Act)
cycle, 104
Penetration testing, 36
Permanent Denial of Service
(PDoS), 24
Personnel security training, 77–78
Physical security, 45
Printers, 55–64
Privacy breaches using IoT, 96
Privacy concerns, 46
Process-aware approach, 72
Profibus, 11
Programmable Logic Controllers
(PLC), 11, 23
Proximity network, 7
Ransomware, thermostats vulnerable
to, 35–36
Real attack cases, 17–26
real-life cyberattacks, 17–25
Real-life cyberattacks, 17–25
Brickerbot, 24–25
brute force attack, 18
CCTV Botnet, 20
Dallas Emergency Sirens, 22–23
dictionary attack, 18
drawing Pads Architecture
Company, 20–21
Finland, heating services in, 22
fish tank in the casino, 20
Iran’s Nuclear Plant, 23–24
Lodz, Poland City’s Tram
System, 22
Maroochy Water Services,
Australia, 21
Mirai Botnet, 18–19
New York, Dam, 23
Sabotage of Siberian Pipeline,
1982, 23
Ukraine’s power grid, 21
university attack, 19–20
Real world, 4, 6
Remote work policies, 63–64
Repository of Industrial Security
Incidents (RISI), 26
Resilience, 78
Return of security investment
(ROSI), 106
Risk management process, 104–111
PDCA (Plan, Do, Check, Act)
cycle, 104
Routers, 55–64
Sabotage, 97
Safety regulations, alignment with, 74
Sandworm team, 33
Security configuration, 46
Security controls, 97–101
activity logs, 98
encryption, 100
limitations, 97–101
malware defense, 98
network monitoring, 99
secure authentication, 97
software and firmware updates and
patches, 100
128 Index
Service network, 7–8
Smart meters, 82
Smart things, disadvantages, 17–26
Smart TVs, 55–64
Software as a Service (SaaS), 13
STRIDE model, 109
Stuxnet, 23–24
Supervisory Control and Data
Acquisition (SCADA) system,
21, 65–70
Supply chain management (SCM),
60–61, 75–76
System of systems, 12
Threat intelligence, 74–75, 88–93
attack vectors, 92
cyberwarfare, 90
intelligence agencies, 90
nation-states, 90
typical attacks, 93–97
3-D printing, 67
Tierney, Andrew, 35
Uninvited guests, 55–64
University attack, 19–20
US Cybersecurity Capability Maturity
Model for the Electricity
subsector (ES-C2M2), 110
Utilities and service monitoring, IoT
in, 81–86
business continuity planning and
resilience, 85
insurance, 85
ownership of systems and of
data, 85
security improvement, areas to link
into, 84–85
Valasek, Chris, 29
Vault 7, 31
Virtual Private Network (VPN), 64
Vulnerability assessments, 27–38
hacking experiments, 27–38
potential attacks, 28–37
Aircraft, 33
baby monitors, 31–32
commercial drones, 36–37
connected kettles in London, 34–35
GE SCADA Systems, 33–34
health care intelligent devices,
32–33
IP cameras, 35
Jeep Cherokee, 29–30
Samsung Smart TV, 30–31
Sandworm team, 33
Siemens healthineers products, 34
Smart meters, 35
Smart Toys, 34
Tesla Model S, 30
thermostats vulnerable to
ransomware, 35–36
Toaster Experiment and IoT
Honeypots, 28–29
Vulnerability of IoT, 39–54, 74–75.
See also cybersecurity
measures
application over privilege, 47
brand, 60
challenges, 39–54
connected devices, 40
critical components not/badly
implemented, isolation, 45
design flaws and bugs, 44
insecure data management, 42–43
insecure interfaces, 46
insecure network services, 46
management, 61
model vulnerabilities, 60
open ports, 45
poor physical security, 45
poor security configuration, 46
privacy concerns, 46
requirements, 39–54
to code injections, 45
typical, 48
users’ awareness, 43–44
weak authentication mechanism, 43
weak credentials, 42
weak security policies, 44
Wannacry Ransomware attack, 34
Wi-Fi Protected Access (WPA), 33
Zigbee, 11, 100
Zozosuit, 82
Z-Wave, 11
 OTHER TITLES IN OUR BUSINESS LAW
AND CORPORATE RISK MANAGEMENT COLLECTION
John Wood, Econautics Sustainability Institute, Editor
• Buyer Beware: The Hidden Cost of Labor in an International Merger and Acquisition
by Elvira Medici and Linda J. Spievack
• European Employment Law: A Brief Guide to the Essential Elements
by Claire-Michelle Smyth
• When Business Kills: The Emerging Crime of Corporate Manslaughter by Sarah Field
and Lucy Jones
• A Freelancer’s Guide to Legal Entities by Alex D. Bennett
• Corporate Maturity and the “Authentic Company” by David Jackman
• Counterintelligence for Corporate Environments, Volume I: How to Protect Information
and Business Integrity in the Modern World by Dylan van Genderen
• Counterintelligence for Corporate Environments, Volume II: How to Protect Information
and Business Integrity in the Modern World by Dylan van Genderen
• Contract Law: A Comparison of Civil Law and Common Law Jurisdictions
by Claire-Michelle Smyth and Marcus Gatto
• Board-Seeker: Your Guidebook and Career Map into the Corporate Boardroom
by Ralph Ward
• Conversations in Cyberspace by Giulio D’Agostino
• Cybersecurity Law: Protect Yourself and Your Customers by Shimon Brathwaite
Business Expert Press has over 30 collection in business subjects such as finance,
marketing strategy, sustainability, public relations, economics, accounting, corporate
communications, and many others. For more information about all our collections, please visit
www.businessexpertpress.com/collections.
Business Expert Press is actively seeking collection editors as well as authors. For more
information about becoming an BEP author or collection editor, please visit
http://www. businessexpertpress.com/author

Announcing the Business Expert Press Digital Library

Concise e-books business students need for classroom and research
This book can also be purchased in an e-book collection by your library as
• a one-time purchase,
• that is owned forever,
• allows for simultaneous readers,
• has no restrictions on printing, and
• can be downloaded as PDFs from within the library community.
Our digital library collections are a great solution to beat the rising cost of textbooks. E-books
can be loaded into their course management systems or onto students’ e-book readers.
The Business Expert Press digital libraries are very affordable, with no obligation to buy in
future years. For more information, please visit www.businessexpertpress.com/librarians.
To set up a trial in the United States, please email sales@businessexpertpress.com.