By Ian Schenkel, Endida COO
In an ever-more connected world, the fusion of Information Technology (IT) and Operational Technology (OT) creates remarkable opportunities for efficiency and automation. These opportunities also introduce an array of new risks in the form of cyber vulnerabilities. Among the numerous cyber threats, one particularly insidious tactic is threat actors tampering with the logs transmitted from Internet of Things (IoT) and OT devices back to headquarters (HQ). Cyber criminals have ample reasons to engage in this form of manipulation, which can have substantial and damaging effects on the automated actions being carried out by these devices. To address this challenge, we need to ensure logs are authentic and reliable through the application of data notarisation.
So why would cyber criminals want to tamper with device logs? The primary motivation is a form of deception: by manipulating the logs, threat actors can hide their intrusion, making it appear as if nothing untoward has occurred. They can also generate misleading information designed to cause confusion or misdirect the attention of security teams. This deceptive act paves the way for carrying out other harmful activities such as stealing sensitive data, manipulating device operations or planting malware.
The malicious alteration of logs can also have profound and dangerous impacts on the automated actions of IoT and OT devices. Automated actions are typically carried out using the data received from device logs, so any falsified information can cause these actions to be carried out inaccurately or inappropriately. For instance, an OT device controlling the water treatment system in Oldsmar, Florida, was remotely accessed and tampered with. In this particular attack, the hacker increased the sodium hydroxide content from 100 parts per million (ppm) to 11,100 ppm. Fortunately, in this case a sharp-eyed operator detected the spike and was able to bring the water content back to normal. However, this is not always the case, especially when attacks happen at night when no personnel are on duty.
Verifying the authenticity and reliability of the logs produced by IoT and OT devices is fast becoming one of the most important areas in cybersecurity. This is where the concept of data notarisation comes into play. Data notarisation is a process that provides a secure means of confirming that the data transmitted from a device has not been tampered with. By establishing a cryptographic ‘seal’ at the time of creation, each log entry can be later verified for integrity and authenticity.
This notarisation process involves taking a digital ‘fingerprint’ or hash of the data and storing it on a public, immutable ledger such as a blockchain. This allows any alterations to the original data to be immediately detectable, as the altered data will generate a different hash that won’t match the original stored on the blockchain. This provides an extremely high level of assurance that the log data received at HQ is the same as when it was created at the device. Most organisations have encryption in place, so the log being transmitted from the IoT or OT device will be very difficult to alter in transit. However, this only protects the log from point A to point B. How can an organisation tell whether the data contained within the encrypted file is genuine and was not tampered with before it was encrypted?
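The following is an added illustration of the notarisation and verification steps described above; it is not code from the original article or from Endida. It hashes each log entry at the device, records the hash in a small in-memory stand-in for an immutable ledger (a hash chain, used here in place of a real blockchain), and later checks a received log against the recorded fingerprint. The device name, timestamps and ppm readings are constructed sample data, with the 11,100 ppm reading mirroring the Oldsmar spike so the example can show an attacker's edit that hides it.

```python
import hashlib
import json
from dataclasses import dataclass, field

# Constructed sample log entries, shaped like what a dosing controller might emit.
# The third entry records a spike that an intruder would want to hide.
SAMPLE_LOGS = [
    {"device": "dosing-pump-07", "ts": "2024-01-01T02:15:00Z", "naoh_ppm": 100},
    {"device": "dosing-pump-07", "ts": "2024-01-01T02:20:00Z", "naoh_ppm": 100},
    {"device": "dosing-pump-07", "ts": "2024-01-01T02:25:00Z", "naoh_ppm": 11100},
]


def fingerprint(entry: dict) -> str:
    """SHA-256 over a canonical JSON encoding of the entry, so that key order
    and whitespace differences cannot change the fingerprint."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


@dataclass
class Ledger:
    """Stand-in for a public immutable ledger (assumption: a real deployment
    would anchor these hashes on a blockchain). Append-only; each block commits
    to the previous block's hash, so rewriting history breaks the chain."""
    blocks: list = field(default_factory=list)

    def append(self, entry_hash: str) -> int:
        prev = self.blocks[-1]["block_hash"] if self.blocks else "0" * 64
        block_hash = hashlib.sha256((prev + entry_hash).encode("utf-8")).hexdigest()
        self.blocks.append({"entry_hash": entry_hash, "prev": prev, "block_hash": block_hash})
        return len(self.blocks) - 1  # receipt: the block index to verify against later

    def is_consistent(self) -> bool:
        """Recompute the chain from genesis; any edited block breaks a link."""
        prev = "0" * 64
        for block in self.blocks:
            expected = hashlib.sha256((prev + block["entry_hash"]).encode("utf-8")).hexdigest()
            if block["prev"] != prev or block["block_hash"] != expected:
                return False
            prev = expected
        return True


def notarise(entry: dict, ledger: Ledger) -> int:
    """Device side: seal the entry at creation time, before it is encrypted and sent."""
    return ledger.append(fingerprint(entry))


def verify(entry: dict, ledger: Ledger, receipt: int) -> bool:
    """HQ side: recompute the fingerprint of the received entry and compare it
    with the hash recorded on the ledger under the device's receipt."""
    return ledger.blocks[receipt]["entry_hash"] == fingerprint(entry)


def demo() -> dict:
    ledger = Ledger()
    receipts = [notarise(entry, ledger) for entry in SAMPLE_LOGS]

    # An intruder who can edit the log before encryption rewrites the spike
    # back to a normal-looking 100 ppm to cover their tracks.
    hidden_spike = dict(SAMPLE_LOGS[2], naoh_ppm=100)

    return {
        "genuine_logs_verify": all(verify(e, ledger, r) for e, r in zip(SAMPLE_LOGS, receipts)),
        "edited_log_verifies": verify(hidden_spike, ledger, receipts[2]),
        "ledger_consistent": ledger.is_consistent(),
    }


if __name__ == "__main__":
    print(demo())
```

Two points worth noting from the example. First, the seal is applied at the device, before the entry enters the encrypted channel, which is what lets HQ detect an edit made before encryption; transport encryption alone cannot. Second, a bare hash on a ledger proves that the data has not changed since the hash was recorded, not who produced it; if origin authenticity is also required, the device would sign the fingerprint with a device-held key before anchoring it, an extension this example does not include.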
The benefits of data notarisation go beyond the ability to validate data integrity. It also provides a robust audit trail, ensuring that every data transaction can be traced and validated, which is of paramount importance in a world where legal and compliance issues are increasingly at the forefront.
In our increasingly interconnected world, where cyber threats are an ever-present concern, securing our IoT and OT devices is not just desirable but crucial. The tampering of logs represents a significant challenge, potentially disrupting automated processes and providing cover for more sinister activities. To combat this threat, data notarisation provides an innovative and robust means to ensure the integrity and authenticity of our device logs, creating an indispensable level of trust.