November 8, 2016
The recent DDoS-fueled internet outage reminds us why an IoT risk strategy is key.
Last week’s assault on internet infrastructure by hackers commanding a hijacked army of connected devices—the latest in a series of record-setting distributed denial of service (DDoS) attacks—should spur companies to reassess how security vulnerabilities in the internet of things (IoT) might pose a growing risk to critical operations and networks. Rather than getting caught up in fear, uncertainty, and doubt, however, corporate leaders can take practical steps to mitigate these risks and gain a competitive advantage in the marketplace.
By targeting weak security on devices such as video recorders and wireless routers, and taking control of them in mass quantities, hackers have shown they can harness and wield the combined power of the systems as malicious robotic networks dubbed botnets. According to Dyn—the Internet firm targeted on Oct. 21—tens of millions of IP addresses associated with the Mirai botnet unleashed the sophisticated DDoS attack that significantly disrupted access to prominent websites in the United States. The incident, which spurred an electronics maker to plan a product recall, was the “highest throughput DDoS attack seen to date,” the Electricity Information Sharing and Analysis Center wrote in an Oct. 24 white paper published online. The Oct. 21 event was preceded last summer by IoT-related botnet attacks and in September by major DDoS assaults against the website of security blogger Brian Krebs and a hosting provider in France.
It seems likely that IoT-enabled threats will become more frequent and consequential. Businesses need to be prepared for scenarios in which relatively low-end hackers increasingly have the capability to disrupt digital commerce. In PwC’s Global State of Information Security® Survey 2017, respondents said the average annual system downtime as a result of cybersecurity incidents was 20.2 hours. This number has been steadily increasing every year. Fortunately, companies can think broadly about risks to IoT security and boldly take action to better secure key assets.
1. Resilience: First, we urge corporate leaders to prioritize resilience, which is the key to thriving in the digital economy. A simple example of this would be using multiple DNS services rather than only one. Establishing business continuity plans (BCP) can help reduce the risk of organizations being caught flat-footed—either in the event that mischievous hackers take over mobs of connected devices in the outside world to disrupt business operations, or if malicious actors target a particular organization’s IoT with the goal of penetrating a network or even causing physical harm. As the IoT expands, backing up data, raising employee awareness of cybersecurity best practices—including training to combat phishing attempts—and developing a comprehensive crisis response strategy are more important than ever. Companies that establish comprehensive cybersecurity risk management efforts with automated security and privacy controls are better postured to sustain operations in the face of adversity.
2. Risk management: Second, the C-suite needs to devote increasing attention to IoT-related risks when discussing enterprisewide cyber-risk management. Corporate leaders are making some strides in this area. In PwC’s survey, 46 percent of respondents said they plan to invest in security for the internet of things over the next 12 months. Further, 35 percent of respondents said they had an IoT security strategy in place, and 28 percent said they were implementing an IoT security strategy. Respondents said top priorities for implementing IoT policies, technologies and people skills include new data collection, retention and destruction policies (37 percent); assessing device and system interconnectivity and vulnerability across the business ecosystem (35 percent); employee training in IoT security practices (35 percent); and uniform cybersecurity standards and policies for IoT devices and systems (32 percent).
Still, there is significant room for improvement. Organizations relying on IoT devices—particularly those in critical infrastructure sectors—need to fully understand the scale of the problem by taking an inventory of the devices in use and determining how best to allocate investments to improve security and mitigate risks. This is particularly important because hackers can spot IoT devices using an online searchable registry. The stakes are high for the healthcare sector, for instance, which has adopted medical IoT on a massive scale. Our research has shown that provider organizations have between three and 10 connected devices per patient room. Remediating vulnerabilities in existing or legacy devices poses a challenge. For new devices, however, it is possible to implement over-the-air patching, application and firmware updates that utilize encryption and code signing.
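The over-the-air patching with code signing mentioned above is worth seeing in working form. The following Go program is an added example, not PwC's code or any vendor's updater: it assumes a constructed firmware package layout (a version counter, the image bytes, and an Ed25519 signature over the version and the image digest), a vendor public key provisioned on the device at manufacture, and a monotonically increasing version as the anti-rollback control. The device side fails closed: an image that does not verify, or that is not newer than the running image, is rejected and leaves the device state unchanged.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// FirmwareImage is a constructed, simplified OTA package layout assumed for this
// example: a version counter, the image bytes, and an Ed25519 signature that the
// vendor's release key produced over (version || SHA-256(payload)).
type FirmwareImage struct {
	Version   uint32
	Payload   []byte
	Signature []byte
}

// Device is the updater's view of the hardware: the vendor public key provisioned
// at manufacture (ideally in write-protected storage) and the running version,
// which is what makes rollback to an older, vulnerable image detectable.
type Device struct {
	VendorKey      ed25519.PublicKey
	RunningVersion uint32
}

var (
	ErrBadSignature = errors.New("firmware rejected: signature does not verify against vendor key")
	ErrRollback     = errors.New("firmware rejected: version is not newer than the running image")
)

// signedMessage binds the version to the payload digest, so a valid signature
// cannot be spliced onto a different payload or relabelled with another version.
func signedMessage(version uint32, payload []byte) []byte {
	digest := sha256.Sum256(payload)
	msg := make([]byte, 4+len(digest))
	binary.BigEndian.PutUint32(msg[:4], version)
	copy(msg[4:], digest[:])
	return msg
}

// SignFirmware is the vendor-side release step. The private key lives on the
// release host, never on the device.
func SignFirmware(priv ed25519.PrivateKey, version uint32, payload []byte) FirmwareImage {
	return FirmwareImage{
		Version:   version,
		Payload:   payload,
		Signature: ed25519.Sign(priv, signedMessage(version, payload)),
	}
}

// ApplyUpdate is the device-side check. It fails closed: a rejected image leaves
// RunningVersion untouched, and the caller keeps running the current image
// rather than flashing anything that did not pass both checks.
func (d *Device) ApplyUpdate(img FirmwareImage) error {
	if !ed25519.Verify(d.VendorKey, signedMessage(img.Version, img.Payload), img.Signature) {
		return ErrBadSignature
	}
	if img.Version <= d.RunningVersion {
		return ErrRollback
	}
	// In real firmware the payload would be written to the inactive slot and
	// RunningVersion advanced only after that slot boots successfully.
	d.RunningVersion = img.Version
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	if err != nil {
		panic(err)
	}
	dev := &Device{VendorKey: pub, RunningVersion: 1}

	good := SignFirmware(priv, 2, []byte("constructed firmware v2"))
	fmt.Println("genuine v2: ", dev.ApplyUpdate(good))

	tampered := good
	tampered.Payload = []byte("constructed firmware v2 with modified contents")
	fmt.Println("tampered v2:", dev.ApplyUpdate(tampered))

	old := SignFirmware(priv, 1, []byte("constructed firmware v1"))
	fmt.Println("replayed v1:", dev.ApplyUpdate(old))
}
```

Signing the version together with the payload digest is the detail that matters: a signature over the payload alone would let an old, genuinely signed image be relabelled with a newer version number and slip past the rollback check. Confidentiality of the image (the encryption the paragraph also mentions) is a separate layer on top of this integrity check, not a substitute for it.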
3. Device security: Third, IoT device makers need to do a much better job designing their products with security in mind. Designers should make it simple and inexpensive for device users to obtain security upgrades as needed. Devices should not include embedded passwords at the firmware layer that cannot be overwritten or decommissioned. They should include forensic logging and evidence capture capabilities, making it possible to determine how devices were compromised. Further, connected devices must be designed to operate in a hostile environment and to fail safely in the event they are infected with malware. Adversarial testing in the development process should be the norm. Secure engineering practices should be integrated into product lifecycle management, and IoT security efforts must be applied across the supply chain. Further, devices should be designed to prompt users to change factory-default passwords that otherwise present easy targets for hackers. In addition, users must take the initiative to change such default passwords when possible.
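The recommendation that devices prompt for a change of factory-default passwords, and never carry credentials that cannot be overwritten, can be enforced in firmware rather than left to the user. The Go program below is an added example, not PwC's code or any manufacturer's: it models a first-boot provisioning guard that stores only a salted hash of each credential, refuses a new password that repeats the factory default or is too short, and keeps remote management disabled until the default has been replaced. The salted SHA-256 is a standard-library stand-in (an assumption for this example); shipping firmware should derive the hash with a memory-hard KDF such as Argon2id or scrypt.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Constructed example of a first-boot provisioning guard for an IoT device.
// Credentials are held as (random salt, hash) so the factory default is never
// baked into the image as plain text and can always be replaced.
// Salted SHA-256 is a stdlib stand-in here; real firmware should use a
// memory-hard KDF (Argon2id or scrypt from golang.org/x/crypto).

const minPasswordLen = 12

var (
	ErrWrongPassword = errors.New("current password does not match")
	ErrTooShort      = errors.New("new password is shorter than the minimum length")
	ErrSameAsDefault = errors.New("new password must differ from the factory default")
)

type storedCredential struct {
	salt [16]byte
	hash [32]byte
}

func deriveHash(salt [16]byte, password string) [32]byte {
	h := sha256.New()
	h.Write(salt[:])
	h.Write([]byte(password))
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

func newCredential(password string) (storedCredential, error) {
	var c storedCredential
	if _, err := rand.Read(c.salt[:]); err != nil {
		return c, err
	}
	c.hash = deriveHash(c.salt, password)
	return c, nil
}

// matches compares in constant time so the check leaks nothing about how many
// leading bytes of the hash agreed.
func (c storedCredential) matches(password string) bool {
	candidate := deriveHash(c.salt, password)
	return subtle.ConstantTimeCompare(candidate[:], c.hash[:]) == 1
}

// Device holds the provisioning state that network-facing services consult.
type Device struct {
	factory        storedCredential // kept only so its reuse can be rejected
	current        storedCredential
	defaultChanged bool
}

// NewDevice starts in the factory state: the current credential is the default.
func NewDevice(factoryDefault string) (*Device, error) {
	c, err := newCredential(factoryDefault)
	if err != nil {
		return nil, err
	}
	return &Device{factory: c, current: c}, nil
}

// ChangePassword demands the current password, rejects short values and reuse
// of the factory default, and only then marks the device as provisioned.
func (d *Device) ChangePassword(current, next string) error {
	if !d.current.matches(current) {
		return ErrWrongPassword
	}
	if len(next) < minPasswordLen {
		return ErrTooShort
	}
	if d.factory.matches(next) {
		return ErrSameAsDefault
	}
	c, err := newCredential(next)
	if err != nil {
		return err
	}
	d.current = c
	d.defaultChanged = true
	return nil
}

// RemoteAccessAllowed is the gate remote management services check before they
// bind; a device still on its factory password is reachable only locally.
func (d *Device) RemoteAccessAllowed() bool { return d.defaultChanged }

// Authenticate verifies a login attempt against the current credential.
func (d *Device) Authenticate(password string) bool { return d.current.matches(password) }

func main() {
	dev, err := NewDevice("changeme-1234567") // constructed factory default
	if err != nil {
		panic(err)
	}
	fmt.Println("remote access at first boot:", dev.RemoteAccessAllowed())
	fmt.Println("reuse default:", dev.ChangePassword("changeme-1234567", "changeme-1234567"))
	fmt.Println("set new password:", dev.ChangePassword("changeme-1234567", "correct horse battery staple"))
	fmt.Println("remote access after change:", dev.RemoteAccessAllowed())
}
```

The gate on RemoteAccessAllowed is what turns "prompt the user" into "fail safe": a device that is never provisioned simply never exposes its management interface to the network, instead of sitting on a well-known credential until someone finds it.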
Nascent efforts to rate the security of software and systems could provide helpful pressure on the marketplace to develop secure designs. The Defense Advanced Research Projects Agency is funding such a project. In addition, the White House Cybersecurity National Action Plan notes that the Department of Homeland Security is collaborating with industry to develop a Cybersecurity Assurance Program to test and certify networked devices within the IoT. DHS also plans to release a set of strategic principles on IoT security, and the Commerce Department recently launched a new multistakeholder process on IoT security. The European Commission is reportedly drafting cybersecurity rules for IoT devices as well.
Last week’s attack should serve as a call to action for corporate leaders. Threats to IoT security can no longer be ignored or dismissed as mere nuisances. In the case of critical infrastructure, the stakes are particularly high. President Obama’s National Security Telecommunications Advisory Committee warned in a 2014 report that there was “a small and rapidly closing window to grasp the opportunities of IoT in a way that maximizes security and minimizes risk.” The nation “will be coping with the consequences for generations” if it fails to address these issues, said the report, which cautioned that hackers might “use remote access to cause physical destruction.”
The Electricity Information Sharing and Analysis Center’s white paper calls the recent IoT-related DDoS attacks “game-changing threats in terms of cybersecurity” because they have “the potential to use the immense scale of the IoT against a victim or multiple victims with vulnerabilities at high throughput rates.”
Organizations clearly need to better understand and address emerging IoT-related risks. That will require looking both inward and outward given the interconnected nature of the digital economy, industry’s reliance on third parties and the global nature of today’s supply chains.