New research from IOActive looks at the rise in vulnerabilities in mobile apps that connect to SCADA systems. We caught up with Jason Larsen to learn more.

In 2015, security firm IOActive analyzed 20 mobile applications that connected to industrial control systems (ICS). Last year it reprised the research and discovered 147 issues in the 34 applications selected for analysis, an average of 1.6 more vulnerabilities per application than in the 2015 study. What might this mean in the age of Industrial IoT? The full report, “SCADA and Mobile Security in the Internet of Things Era”, is available for download. We spoke to Jason Larsen, director of advisory services at IOActive, to learn more.

Roughly what percentage of the SCADA app universe do the 34 randomly tested apps represent?

There were roughly 140 apps in Google Play and 200 in the Apple App Store.

Did the level of increase in vulnerabilities between 2015 and 2017 surprise you?

Usually when a problem is pointed out, the code quality increases. My gut tells me that since this is a new environment, the failure is in processes and procedures. Since industrial control vendors haven’t historically used mobile environments, it’s likely that many of these applications were hired out to third-party developers who used the same rapid development strategies they use for everything else. I wouldn’t be surprised if most of these were pilot projects where the contracting language wasn’t in place to require secure coding practices and security testing. One of the reasons we do this kind of research is to focus industry on the problem.

How much awareness is there about this problem?

The code quality of the average mobile application has been pretty well documented.
There may be some assumptions that industrial control software has been programmed and tested to a higher standard than your average app.

What is the biggest implication for security professionals about these findings?

This research highlights that while apps can be securely programmed, they shouldn’t be assumed to be good just because process control software is more thoroughly tested. Mobile applications should always be reviewed before being deployed in a production environment.

Who will ultimately be accountable for these types of vulnerabilities?

There’s not much an end user can do to fix bugs in a mobile application themselves. The fixes will need to be done by the vendors.

What do you think is the most important way to tackle this? Maybe mandatory security standards for developers, better regulation of app stores, better security on mobile devices, a mix of these, or something else entirely?

A good start would be transparency. If an application is built using secure programming practices and has gone through a review, documenting that would go a long way.

Is insecurity of Industrial IoT the most important security consideration at the moment?

Most mobile and IIoT are being deployed in test environments and limited cases, but if history is any indication, they will become a much bigger part of the infrastructure in the future. Everyone who tried to fight WiFi when it first came out eventually lost. The real danger is the transition phase, where these devices are being adopted for minor tasks and test environments. These first devices may open up security holes way before the rest of the architecture is ready to deal with those risks. IOActive tests control systems all over the world, and the number of interesting ways into a control network is very large. The control network perimeter can be breached. That’s where a good security architecture and safety program comes into play.
We expect mobile and IIoT to only grow in popularity.

Are mobile applications the main point of insecurity for these systems, or are there other areas that go under the radar?

Control network perimeters are becoming more porous, like all other networks. I wouldn’t say this attack pathway is the main attack pathway, but in five years it will likely become one of the most common. ICS administrators already have their hands full with wireless communications, just-in-time manufacturing, integrated scheduling, and all the other things that make modern environments run. Many of those systems could use a hard look. We think mobile deserves a closer look because the attacker community’s existing skillset can be directly leveraged against it. This means it could rapidly become a major problem.