In the movie Jurassic Park, Dr. Ian Malcolm (played by Jeff Goldblum) has a memorable quote:\u201cYour scientists were so preoccupied with whether or not they could, they didn\u2019t stop to think if they should.\u201dWhile Dr. Malcolm was talking about cloning dinosaurs for entertainment, not about connecting billions of frequently insecure and difficult to upgrade devices to the Internet and then bridging access to mobile devices, the quote seems relevant here as well.Mobile apps are an overlooked access point for IIoTWhenever people write code, they also create bugs. Combined with cheap embedded hardware like the ESP8266 that can network devices easily on existing public networks, we now have drones that spread worms across networks of lightbulbs, thermostats that can spy on you, refrigerators that send (email) spam, and who knows what will happen when more toilets are connected to the Internet. (Disclosure: I am ashamed to admit the toilet was my fault. Sorry.)These are all attacks on residential devices, however commercial and industrial devices have the same problems. Targeted attacks against hardware aren\u2019t limited to nation-state level actors; worms that spread across networked power distribution devices have existed since at least 2009. Shodan scans targeting IoT devices regularly find SCADA systems.Common recommendations for securing general purpose and industrial IoT (IIoT) devices include limiting access to networks, especially those that have devices that assume this and as a result don\u2019t use encryption; ensuring devices have up-to-date firmware and strong passwords; and being careful using devices with cloud services. But what happens when those cloud services are inseparably integrated, with the endpoint of a mobile device - a general purpose computing device running its own code in an environment much easier for an attacker to manipulate?Mobile app risks pose IIoT dangers as wellA recent report by researchers from Embedi and IOActive paints a bleak picture about security in industrial control systems (ICSes) connected to mobile devices. In an analysis of ICS applications two years earlier, researchers made the guess that \u201cdue to the rapidly developing nature of mobile software, all these problems will soon be gone.\u201d Now with more than 20% of the almost 150 vulnerabilities they discovered from a random sampling of apps leading to attacks that could influence an industrial process or present operators with bad information, they\u2019ve conceded that they were wrong, and their previous guess was too optimistic.In the report, the authors connect the discovered vulnerabilities to the OWASP Top Ten mobile risks and include one additional category for backend software bugs. These aren\u2019t new problems, and are documented well enough to have a large volume of detailed information, analysis, and recommendations publicly available to any developer interested in learning more.With many BYOD and COPE devices on company networks, the attack surface is much larger than traditional networks that may be isolated from the public Internet. Devices may be unpatched due to no patch existing from the carrier or manufacturer, may have vulnerable or otherwise risky apps contributing to device insecurity, or may have apps that send sensitive data to questionable sites on the Internet.Inclusion of an additional category for backend software bugs in the report is also notable, since it reflects the reality of how mobile apps work. Rarely functional on their own, these mobile apps are interfaces to larger backend infrastructures, acting as sensors to collect, send, and display data. Security analysis of the backend infrastructure can be more difficult than app analysis, since an attacker doesn\u2019t have direct access to the infrastructure to control and modify the systems as they would the app itself. Findings of vulnerabilities like these are in line with other research, such as the discovery of a family of apps by a global manufacturer of agricultural machinery, where the HospitalGown unsecured backend vulnerability revealed sensor readings, telemetry, and detailed operational data for large agricultural equipment. (Disclaimer: I work for Appthority, a MTD provider, and contributed to HospitalGown research.)Mobile app security can provide IIoT protectionFortunately, enterprises can detect these threats, whether in their own control software or in apps used as part of their business, by using a mobile threat defense (MTD) solution. Behaviors described in the OWASP Mobile Top 10 risks, such as insecure communication, code tampering, and extraneous functionality, can be detected and remediated by app removal or by quarantining a device by limiting it to an untrusted network. Man in the Middle (MITM) protection will prevent attackers from tampering with data going to and from mobile control apps, blocking those apps from being used as a bridge from public to trusted control networks.Although no solution will be as effective as maintaining strictly air gapped networks (and that doesn\u2019t guarantee security, either), strong proactive risk analysis of app, network, and device security can go a long way towards preventing hacks with consequences in the physical world. Fortunately for us, mobile threat defense is easier than defending against angry velociraptors.