Managing the growing risk created by the Internet of Things
IoT technology connects everyday objects via computing devices to the internet and therefore to other devices, apps and people, carrying out processes without requiring human interference.
The list of objects that may be fitted with IoT capabilities is endless and ranges from simple objects such as coffee machines or a desk lamp to complex structures such as nuclear power stations or transport control systems. The difference in scale can also be vast. On an individual basis, a heart monitor recording the heart rate of a patient with cardiovascular disease may use a microcontroller to communicate to the sensors. The system analyses the signal, extracts features and sends the results to a web server allowing easier patient monitoring. On a larger scale, “smart cities” operate a variety of electronic sensors and technology to collect data (e.g. public transport, air quality). That information is fed back through a server and analysed with a view to improving the lives of citizens and visitors by enhancing their interactions with the urban environment.
IoT devices can sense, communicate, control and cooperate, and do so without human intervention. (Interestingly, smartphones and PCs are generally not viewed as part of the IoT as they do not connect with the internet independently of human input.)
Viewing this in humble domestic terms, you run out of cheese while making the children’s school lunches. Your fridge, previously programmed, records this information through sensors or a camera, sends a message to your smartphone and adds the item to your online weekly shopping list, all in good time for Friday night’s home-made pizzas: quattro formaggi, of course.
This is a frivolous example, but the issues are far from trivial. With such connectivity comes the myriad of features, complexities and, in some cases, dangers that is the internet.
Whilst we will not mind our thermostat knowing that we are arriving home at 7 p.m., we do not necessarily want others to know these finer details of our life. If our home heating system is communicating on a network, however, others could well come to know them. While our fitness bracelets are busy tracking our activities, locations, steps and sleep patterns, they are also communicating on a network. In the business context, while the IoT is connecting assets and personnel and exponentially streamlining operating processes, this connectivity is increasing the susceptibility of the network. Business sectors which stand to reap huge rewards from IoT technology (including the automobile, manufacturing, agriculture, hospitality, transportation, energy, utilities and healthcare industries) must consider these vulnerabilities and the possible effects on their businesses. Security and privacy become paramount.
The vulnerabilities of the IoT were shown all too clearly in a cyber-event that hit internet performance management and web application security company Dyn in October 2016. The company offers products to monitor, control, and optimize online infrastructure, and also domain registration services and email products which allow the mapping of an internet domain name to a corresponding IP address. A notorious botnet-driven distributed denial-of-service (DDoS) attack against the company’s infrastructure started targeting network platforms in Asia Pacific, South America, Eastern Europe and Western regions. The attack quickly reached the Eastern US region causing a major internet outage. The incident took offline major websites such as Netflix, Twitter, Spotify, Reddit, CNN, PayPal, Pinterest and Fox News – as well as newspapers including the Guardian, the New York Times and the Wall Street Journal. Dyn’s analysis was that there were up to 100,000 malicious endpoints within their network. Other analysts measured over 600,000 infected IoT devices across all affected businesses.
According to global research and advisory firm Gartner, by 2020 there will be over 20 billion connected devices, nearly 3.4 devices for each person alive, and 25% of identified cyber-attacks will involve the IoT.
Kaspersky data shows that there were more than 105 million attacks on IoT devices in the first half of 2019, highlighting two major issues: the increased use of brute-force attacks (attacks involving automated software designed to generate an exhaustive onslaught) and the exponential risk to unsecured connected devices. (IoT devices are often connected through an “anchor device” such as a phone. If access is gained to one device, a criminal can potentially gain access to the anchor device, which may in turn permit access to all of the devices connected through that anchor.)
A notable feature of IoT devices is that they do not always incorporate ‘security by design’, i.e. inbuilt product design that ensures devices are as secure as possible from the outset. Patching security holes and addressing vulnerabilities in IoT devices is the responsibility of the consumer, an issue not always fully understood and appreciated by those tasked with these concerns.
Another valid issue is the sheer amount of information that is being collected, stored, shared and analysed. This will create huge issues in the context of privacy and data sharing.
To date, we have not heard much about cyber criminals operating in the IoT domain but as with most things cyber-related, if there is money to be made, it will just be a matter of time before the IoT becomes the playground for the next great hack.
We must be conscious of keeping IoT devices, and the information stored on them, safe and secure. Until the issues are identified and resolved (and against a background of the General Data Protection Regulation and the increased global spotlight on privacy legislation), the IoT has the potential to create very costly problems.
While consumers and businesses are both jumping on the IoT bandwagon, an important part of the process is education and awareness. Each IoT device adds a potential entry point for cybercriminals and experts suggest that users should identify the risks that IT security cannot address.