Access controls, 73
Access network, 7
Activity logs, 98
Aircraft, 33
Application Programming Interfaces (APIs), 46
Appropriate cybersecurity program, 72–73
Ashton, Kevin, 39
Attacks targeting IoT systems, 87–101. See also bots; threat intelligence
attack vectors, 92
malicious control of IoT systems, 96
privacy breaches, 96
sabotage, 97
Authentication mechanism, 43
BACnet, 11
BlackEnergy, 21
Bring your own device (BYOD), 63
Bugs, 44
Building management system (BMS), 12, 56
Business continuity planning, 78
Business intelligence (BI) tools, 8
CAN-based protocols, 11
Cheney, Dick, 27
Code injections, vulnerability to, 45
Common vulnerabilities and exposures (CVE), 109
Common vulnerability scoring system (CVSS), 109
access network, 7
computer systems, 8
proximity network, 7
Communication protocol, 2
Compromised closed circuit television (CCTV) systems, 20
Computer systems, 8
Confidentiality, integrity, and availability (CIA) triad, 50
Connected devices, 40
Controller Area Network (CAN), 7, 30
Credentials, 42
Customer relationship management (CRM), 8
Cyberattacks, 89, 107. See also attacks targeting IoT systems
Cybersecurity measures in IoT, challenges, 47–54
awareness, lack of, 50
requires different approaches than traditional security, 53
security left in no-man’s-land, 52–53
security, 49
standards and regulations, lack of, 51
technical constraints, 47
Cyberwarfare, 90
Demilitarized zone (DMZ), 73
Denial-of-service (DoS) attack, 94–95
Design flaws, 44
Dictionary attack, 18
Digital Direct Controllers (DDC), 11
Digital Economy Act (UK), 52
Distributed control systems (DCS), 65
Distributed denial-of-service (DDoS) attack, 18, 87
Domain Name System (DNS), 18
Drone jacking, 36
Electronic Control Units (ECU), 12, 29
Embedded system, 12
Encryption, 100
Enterprise risk management (ERM), 8
European Agency for Network and Information Security (ENISA), 2, 52
Federal Trade Commission Act (USA), 52
Finland, heating services in, 22
Fish tank in the casino, 20
General Data Protection Regulation (GDPR), 52, 82, 88
Governance, risk, and compliance (GRC) tools, 109
Health care intelligent devices, 32–33
Honeypot, 29
Human–Machine Interfaces (HMI), 2, 8–13
Industrial automation and control systems security (ISA 2015), 110
Industrial control systems (ICS), 65–79
Industrial environment, IoT in, 65–79
appropriate cybersecurity program, 72–73
business continuity planning, 78
legacy systems, assess risks introduced by, 76
maintenance, 77
personnel security training, 77–78
physical access, 76
process-aware approach, 72
resilience, 78
safety regulations, alignment with, 74
secure configuration, 77
security improvement, areas to look into, 72–78
supply chain management, 75–76
updates, 77
Industrial Internet of Things (IIoT), 14, 17, 66
Information technologies (IT), 66
Insecure data management, 42–43
Insecure interfaces, 46
Insecure network services, 46
Intelligence agencies, 90
Internet of Things (IoT), 1–16
actuation, 6
computation, 6
sensing, 6
components of, interaction between, 10
as fourth industrial revolution, 3
organization risks, reducing, 13–15
real world, interactions with, 4
Internet protocol (IP) phones, 56
Intrusion detection systems (IDS), 62, 73
Intrusion prevention systems (IPS), 62
Jamming, 58
Legacy systems, assess risks introduced by, 76
Local area network (LAN), 21
LonWorks, 11
Malicious control of IoT systems, 96
Malware defense, 98
“Man-in-the-middle” attack, 58
Manufacturer commitment, 61
Miller, Charlie, 29
MITRE Corporation, 109
Modbus, 11
Munro, Ken, 35
National Institute of Standards and Technology of the USA (NIST), 52, 73
Nation-states, 90
Network monitoring, 99
Office environment, IoT in, 55–64
bring your own device (BYOD), 63–64
disposal of IoT devices, 63
maintenance, 63
operation of IoT systems, 62–63
physical access, 62
security updates, 63
setup and configuration, 62
brand, 60
manufacturer commitment, 61
model vulnerabilities, 60
vulnerability management process, 61
supply chain management, 60–61
Oil and Gas subsector (ONG-C2M2), 110
Open ports, 45
Open Web Application Security Project (OWASP), 42
Operational technologies (OT), 66
PDCA (Plan, Do, Check, Act) cycle, 104
Penetration testing, 36
Permanent Denial of Service (PDoS), 24
Personnel security training, 77–78
Physical security, 45
Privacy breaches using IoT, 96
Privacy concerns, 46
Process-aware approach, 72
Profibus, 11
Programmable Logic Controllers (PLC), 11, 23
Proximity network, 7
Ransomware, thermostats vulnerable to, 35–36
brute force attack, 18
CCTV Botnet, 20
Dallas Emergency Sirens, 22–23
dictionary attack, 18
drawing pads, architecture company, 20–21
Finland, heating services in, 22
fish tank in the casino, 20
Lodz, Poland, city tram system, 22
Maroochy Water Services, Australia, 21
New York dam, 23
Sabotage of Siberian Pipeline, 1982, 23
Ukraine’s power grid, 21
Repository of Industrial Security Incidents (RISI), 26
Resilience, 78
Return of security investment (ROSI), 106
Risk management process, 104–111
PDCA (Plan, Do, Check, Act) cycle, 104
Sabotage, 97
Safety regulations, alignment with, 74
Sandworm team, 33
Security configuration, 46
activity logs, 98
encryption, 100
malware defense, 98
network monitoring, 99
secure authentication, 97
software and firmware updates and patches, 100
Smart meters, 82
Smart things, disadvantages, 17–26
Software as a Service (SaaS), 13
STRIDE model, 109
Supervisory Control and Data Acquisition (SCADA) system, 21, 65–70
Supply chain management (SCM), 60–61, 75–76
System of systems, 12
Threat intelligence, 74–75, 88–93
attack vectors, 92
cyberwarfare, 90
intelligence agencies, 90
nation-states, 90
3-D printing, 67
Tierney, Andrew, 35
US Cybersecurity Capability Maturity Model for the Electricity subsector (ES-C2M2), 110
Utilities and service monitoring, IoT in, 81–86
business continuity planning and resilience, 85
insurance, 85
ownership of systems and of data, 85
security improvement, areas to look into, 84–85
Valasek, Chris, 29
Vault 7, 31
Virtual Private Network (VPN), 64
Vulnerability assessments, 27–38
Aircraft, 33
connected kettles in London, 34–35
health care intelligent devices, 32–33
IP cameras, 35
Sandworm team, 33
Siemens Healthineers products, 34
Smart meters, 35
Smart Toys, 34
Tesla Model S, 30
thermostats vulnerable to ransomware, 35–36
Toaster Experiment and IoT Honeypots, 28–29
Vulnerability of IoT, 39–54, 74–75. See also cybersecurity measures
application over-privilege, 47
brand, 60
connected devices, 40
critical components, isolation not or badly implemented, 45
design flaws and bugs, 44
insecure data management, 42–43
insecure interfaces, 46
insecure network services, 46
management, 61
model vulnerabilities, 60
open ports, 45
poor physical security, 45
poor security configuration, 46
privacy concerns, 46
to code injections, 45
typical, 48
weak authentication mechanism, 43
weak credentials, 42
weak security policies, 44
WannaCry ransomware attack, 34
Wi-Fi Protected Access (WPA), 33
Zozosuit, 82
Z-Wave, 11