Hacking the internet of things just got easier – it’s time to look at your security
This article was first published in Computer Weekly
Are you taking security for internet-connected devices seriously enough?
In October 2016, the Mirai botnet used roughly 100,000 infected internet-connected devices to knock Twitter, Spotify and PayPal offline. It had recruited simple consumer hardware, such as digital video recorders, IP cameras and home routers that still used their factory default passwords, and pointed that traffic at Dyn, a major DNS provider on which those services depended. Consumers were not aware that their own appliances were being used in this way.
Hacking internet-connected devices isn’t a completely new threat – but it is about to get much worse.
A new tool, AutoSploit, has lowered the bar further. It chains two existing tools together: the Shodan search engine, which indexes devices exposed to the internet, and the Metasploit framework. The user types a search term, the tool collects the matching hosts, and then it runs Metasploit exploit modules against every one of them automatically. There is no artificial intelligence involved and the attacks themselves are not sophisticated, but because the whole process is automated it takes very little hacking skill to use. Worse still, many organisations are leaving an open goal by failing to take security seriously.
That is true for manufacturers that ship devices, businesses that use or supply them, as well as industry relying on internet of things (IoT) concepts to run energy, utilities and more.
The threat has been a long time coming. And with new legislation about to come into force, it’s time to act.
The IoT market is expanding. Some forecasts suggest it could grow from 15.4 billion devices in 2015 to 125 billion by 2030. Internet-connected devices are increasingly part of people’s lives. Without a robust approach, many devices and systems are being developed and shipped with serious security issues and vulnerabilities.
There is no shortage of measures and guidance to implement effective security. But, of course, this means products take longer to get to market, increasing costs and complexity. So many manufacturers cut corners on security – or just ignore it.
Worse still, many of the devices already shipped have no practical way to receive security updates, so a single new vulnerability in a widely used component could lead to a very large-scale compromise.
Businesses know that connectivity is key to their growth and success. It helps them improve operational efficiency, launch new services and get a competitive edge. And as supply chains get longer and consumers demand more, that is even more vital.
Businesses are turning to commercial off-the-shelf products and protocols to meet their needs, but if these products are not managed securely, they can introduce further risks to manage and vulnerabilities to exploit.
If your operations rely on internet-connected technology, then the potential for disruption is huge. That has an impact on your partners, suppliers and customers – and if people lose trust, that’s hard to come back from.
When margins are tight, it’s easy to ask: “Is there something cheap that does what we want?” It’s harder to consider: “What vulnerabilities could this expose us to?”
But it is essential to do so.
IoT concepts are increasingly being used to manage and monitor mission-critical and industrial operations. This industrial IoT technology has many benefits. It allows for remote asset management, predictive maintenance, smart process automation and real-time analytics.
Increased risk of cyber attacks
But these new services and further integration also carry an increased risk of cyber attacks, with the potential for catastrophic events. If attackers can exploit a device connected to a plant, there are unpredictable consequences for the facility's performance, safety and security, and this could even mean loss of life.
There are financial implications, too. In December 2015, and again in December 2016, cyber attacks caused power outages in parts of Ukraine's electricity grid. A similar attack on the UK could cost between £12bn and £86bn, according to the Cambridge Centre for Risk Studies.
The UK's Network and Information Systems (NIS) Regulations, which transpose the EU NIS Directive, come into force today (10 May 2018). If operators of essential services and their digital service providers do not make sure their infrastructure is resilient to cyber attacks, they could face fines of up to £17m for significant failures. (The often-quoted figure of €20m or 4% of global turnover is the GDPR maximum, not the NIS one.)
While many businesses are focusing on the General Data Protection Regulation (GDPR), awareness of NIS is low. The possibility of a £17m fine should bring it into sharp relief for responsible businesses and their boards.
So what can you do about it?
A threat like this calls for sustained, joined-up action. For a start, governments need to make IoT standards, guidance and security enforceable. But industry also has a role to play.
Organisations need to:
- Develop security requirements that products must meet before they are accepted or launched, including a means of receiving security updates and no shared default credentials.
- Put the right security controls in place to protect networks and information systems that use the IoT, as well as mechanisms to detect, respond to, investigate and report a breach quickly.
- Test the security of their infrastructure, including the IoT devices on it, before and after deploying it.
The one thing you can’t afford to do? Ignore the risks.