The Weakness We Are Ignoring
We are living in an ever increasingly connected world. Not only are we engaging with each other in traditional methods, but we are increasingly engaging with each other using technology.
This is not a bad thing, don’t get me wrong. I am not saying that we need to start creating a movement to plunge us back into the dark ages of having no technology. What I am saying though is while we are living in a world of unparalleled technological brilliance, we are opening ourselves up to new risks by adopting technology on the scale that we are at the moment.
The weak link
One of these new risks that technology has brought about is cyber terrorism and cyber crime. Hardened criminals no longer have to roam the streets with a gun or a knife; they can sit in a room with a laptop and cause just as much damage as the best bank robber.
What role does the internet of things (IoT) play in this? In a recent interview with enterpriseinnovation.net, Wally Lee – Principal Cyber Architect from Quann – shared his insights on the current state of IoT security today.
Because IoT devices connect to the internet, a significant risk exists. The significantly expanded threat surface has increased the vulnerability of enterprises and their networks.
“Not only are things now talking to each other, but the people are talking more and more through machines, resulting in the enormous amount of data generated. As more data is gathered, it is presumed that more security patches will become available as the number of entry points for cyber criminals only appears to be rising,” said Lee.
However, most IoT devices are highly vulnerable to cyber attacks. Lee added that right now, attackers are having a lot of success simply exploiting known credentials, such as default usernames and passwords or hard coded backdoors because they know that 70% of IoT devices contain inherent vulnerabilities, such as insufficient authorisation requirement, lack of in-transit encryption, insecure web interface, and inadequate software protection.
The article references a report from Gartner which forecasts that 8.4 billion connected things will be in use worldwide in 2017 and will reach 20.4 billion by 2020. This means that attack surfaces will be expanded dramatically. Also, the accelerated adoption of cloud-based computing, storage, processing, and even infrastructure adds complexity to the security of IoT.
The enterpriseinnovation.net article pointed out that the weakest link in cloud security is not in its architecture per se but the millions of remote devices accessing cloud resources. Given the potential for both mayhem and profit, we expect that more sophisticated attacks will be designed to exploit the weaknesses in the IoT communications and data gathering chain – endpoint devices. Gartner also predicts that by 2020, more than 25% of identified enterprise attacks will involve IoT.
Again, the purpose of this article is not to scare people away from technology, we need to be aware of the risks we face so that we know what we need to do when we are building up our defences.
Lee was asked about the potential impact an IoT based cyber attack can have, his answer was eye opening.
“In 2013, a dam in New York suffered a cyber-attack by Iranian hackers. The attackers only managed to breach the back office systems, through a cellular modem. But had they hacked into the operational systems of the somewhat small dam – just 20 foot tall – and remotely opened its sluice gate, 140 structures could have affected. A flood in 2007 caused more than $80 million in damages. Speculation was that this attack on an obscure dam was a practice run for a large-scale attack,” said Lee.
He added that in the Ukraine, three power distribution centers were hit in a coordinated attack, taking down power grids and leaving 230 000 residents in the dark for one to six hours. The attack was carefully planned and took down backup power supplies as well. These power centres were not unprotected. They were well-segmented with robust firewalls. But it was the remote access that workers use to log into the SCADA network that proved to be their undoing. During the attack, the hackers overwrote firmware on critical devices at 16 of the substation, leaving them unresponsive to remote commands, even six months after the attack.
Finally, the article pointed out that in Singapore, connected devices control critical functions as well. The patients’ real time health condition can be monitored remotely, and should there be warning signs of medical emergencies, alerts can be sent to care providers. Some IoT health equipment can also disperse medication autonomously based on real-time analysis of a patient’s health status. Should these devices be hijacked and their data tampered with, the subsequent medical intervention would be affected and incorrect, resulting in severe consequences for the patients.
The future of security
So, it is clear that we need to beef up security when it comes to IoT devices and risks. What is the future of this?
Lee said that fundamentally, IoT, IT and OT devices are similar in that they are now highly interconnected. Each of them can be used to deliver payloads.
“IoT devices are just beginning to be exploited. The variety of devices, OS’s and versions provide a near-term resistance to attacks because only a few companies have a large enough installed base to attract cyber thieves. Enterprises have several options available for managing security issues that IoT devices and networks introduce, such as access control and network segmentation. On the other hand, consumers have none,” said Lee.
As predicted by Gartner, through 2018, over 50% of IoT device manufacturers will not be able to address threats from weak authentication practices. We foresee that IoT devices will still remain the weakest link IoT security in the near future unless IoT manufacturers take immediate and direct action to enhance the security of their devices at the design stage.
The article ended off by saying: if IoT manufacturers fail to secure their devices, the impact on the digital economy could be devastating.
Read more on this topic in our blog here.