What We Can Learn from the Ukrainians When It Comes to IoT Security

Article By: Sylvia He

The recent growth in 5G and the upward trend of cloud adoption will expose more embedded systems to cyberthreats.

The cybersphere could be the next front in the war, and it would be waged beyond Ukraine’s borders. A decentralized defense may be one way to protect our devices.

The number of IoT devices in use is growing rapidly and will continue to rise. Cyber-physical systems—larger, algorithm-controlled embedded systems, such as autonomous vehicles and digital twins—are likewise proliferating.

Security vulnerabilities in insulin pumps and pacemakers, implantable cardiac devices, a Jeep SUV, and even a Boeing 787 have previously been discovered. The recent growth in 5G and the upward trend of cloud adoption will expose more embedded systems to cyberthreats.

Indeed, politically or financially motivated cyberattacks on the health-care, government, retail, and education sectors are already a fact of life. The Center for Strategic and International Studies keeps a long list of cyberattacks launched by various government or civilian organizations against other government or civilian entities, and North America and the EU have seen their share of IoT malware and ransomware attacks. Worse yet, hackers have started to exploit some infrastructures, such as health care, to mine cryptocurrency.

Along the way, the cost of global cybercrimes is growing rapidly — faster than most economies — to a projected €10 trillion by 2025.

Adding geopolitical instability to the powder keg

The chaos in Eastern Europe, already threatening the physical security of millions, may spill over to jeopardize the cybersecurity of millions more around the world.

Russia has already launched several major attacks on Ukraine’s infrastructure. Now, it appears ready to launch cyberattacks against any country that actively assists Ukraine or just wants to shore up its own security. Finland is concerned that Russia will launch cyberattacks against its infrastructure in retaliation for Finland’s decision to join NATO. The U.S. government and major energy companies are also prepared for the worst from Russia’s cyber army.

Russia says it is conducting a “specialized military operation” in Ukraine, but it has waged its campaign with anything but surgical precision. Given the well-documented, indiscriminate attacks on civilian structures and the civilian population itself, one may wonder whether civilian systems would be spared in cyber warfare.

China may also be looking for an angle to exert influence, as indicated by its recent state-sponsored attack on Microsoft by the Hafnium group. The emerging North Korean–Russian cybercrime partnership is a further worry. More depressing still, Gartner predicts that threat actors will have weaponized operational technology environments successfully enough to cause human casualties by 2025.

Learning from the Ukrainians

As we brace for escalation on the cyber front, we ask the same question we did when Ukraine was first invaded by Russia: Is there anything to be done, or do we just throw up our hands?

Perhaps we can take a page from Ukraine’s playbook. With an army that doesn’t come close to Russia’s in size, Ukraine has stayed nimble, marshaling its collective wits and will to defend itself. Ukrainians of all stripes have been mobilized and motivated to do their part — if not by shouldering a weapon, then by putting up roadblocks, changing road signs, or reporting enemy locations to Ukrainian fighters. As a result, although Russia (and, let’s admit it, many observers) thought it would quickly prevail, it has run into walls at virtually every turn.

Can we run a decentralized defense in the cybersphere as Ukraine has done on the battlefield? What if each of us does our part?

Cybersecurity standards are critical to the collective effort to prevent attacks in the first place and reduce the effectiveness of successful incursions. There has been a push for stronger cybersecurity standards, but perhaps what we really need is better compliance with the standards we already have, says Alex Leadbeater, the chair of multiple committees in ETSI, the recognized nonprofit organization developing globally applicable standards for ICT systems.

“A well-funded nation-state, with enough effort, will eventually find and exploit the vulnerabilities in our systems even if we have multiple cybersecurity layers in place,” Leadbeater told EE Times Europe. “It is therefore key to be able to detect attacks against our infrastructure before damage is done. However, what we’re seeing is that hackers are getting in too easily. In general, that’s not because of a lack of security standards, but a lack of compliance with existing standards, be it patches, vulnerability disclosure, or just general housekeeping like removing things from the network that really shouldn’t be connected to it.”

Simple safeguards include banishing universal default passwords, implementing a means to report vulnerabilities, and keeping software updated. We all have a role in the resistance. Small measures taken by many may end up achieving better results than big initiatives undertaken by a few.

This article was originally published on EE Times Europe.
