Prominent assaults on internet infrastructure by hackers commanding a hijacked army of connected devices should spur companies to reassess how security vulnerabilities in the Internet of Things might increasingly jeopardize critical operations and networks. Rather than getting caught up in fear, uncertainty and doubt, however, corporate leaders can take practical steps to mitigate these risks and gain a competitive advantage in the marketplace.
By targeting weak security on devices such as video recorders and routers and taking control of them in mass quantities, hackers have shown they can harness and wield the combined power of the systems as malicious robotic networks dubbed botnets. In one significant attack, up to 100,000 malicious endpoints associated with the Mirai botnet unleashed a sophisticated distributed denial of service (DDoS) attack that significantly disrupted access to prominent websites in the United States. The incident was the “highest throughput DDoS attack seen to date,” the Electricity Information Sharing and Analysis Center wrote in a white paper published online. That attack was preceded by IoT-related botnet attacks and by major DDoS assaults against the website of security blogger Brian Krebs and a hosting provider in France.
It seems likely that IoT-enabled threats will become more frequent and consequential. Businesses need to be prepared for scenarios in which relatively low-end hackers increasingly have the capability to disrupt digital commerce. In our Global State of Information Security® Survey 2017, respondents said the average annual system downtime as a result of cybersecurity incidents was 20.2 hours. This number has been steadily increasing on an annual basis. Fortunately, companies can think broadly about risks to IoT security and boldly take action to better secure key assets.
Resilience: First, we urge corporate leaders to prioritize resilience, which is the key to thriving in the digital economy. A simple example of this would be using multiple DNS services rather than only one. Establishing business continuity plans (BCP) can help reduce the risk of organizations being caught flat-footed — either in the event that mischievous hackers hijack mobs of connected devices in the outside world to disrupt business operations, or if malicious actors target a particular organization’s IoT with the goal of penetrating a network or physically harming others. As the IoT expands, backing up data, raising employee awareness of cybersecurity best practices — including training to combat phishing attempts — and developing a comprehensive crisis response strategy are more important than ever. Companies that establish broad-based cybersecurity risk management efforts with automated security and privacy controls are better postured to sustain operations in the face of adversity.
Risk management: Second, the C-suite needs to devote increasing attention to IoT-related risks when discussing enterprise-wide cyber risk management. Corporate leaders are making some strides in this area. In PwC’s survey, 46% of respondents said they plan to invest in security for the Internet of Things over the next 12 months. Further, 35% of respondents said they had an IoT security strategy in place, and 28% said they were implementing an IoT security strategy. Respondents said top priorities for implementing IoT policies, technologies and people skills include new data collection, retention and destruction policies (37%); assessing device and system interconnectivity and vulnerability across the business ecosystem (35%); employee training on IoT security practices (35%); and uniform cybersecurity standards and policies for IoT devices and systems (32%).
However, there is still significant room for improvement. Organizations relying on IoT devices — particularly those in critical infrastructure sectors — need to work to understand the scale of the problem by taking an inventory of the devices in use and determining how best to allocate investments to improve security and mitigate risks. This is particularly important given hackers can spot IoT devices using an online searchable registry. The stakes are high for the healthcare sector, for instance, which has adopted medical IoT on a massive scale. Our research has shown that provider organizations have between three and 10 connected devices per patient room. Remediating vulnerabilities in existing or legacy devices is challenging. For new devices, however, it is possible to implement over-the-air patching, application and firmware updates that utilize encryption and code signing.
Device security: Third, developers of IoT devices need to do a significantly better job of designing with security in mind. Designers should make it simple and inexpensive for device users to obtain security upgrades as needed. Devices should not include embedded passwords at the firmware layer that cannot be overwritten or decommissioned. They should include forensic logging and evidence capture capabilities, making it possible to identify indicators of compromise. Further, connected devices must be designed to operate in a hostile environment and to fail safely in the event they are infected with malware. Adversarial testing in the development process should be the norm. Secure engineering practices should be integrated into product lifecycle management. In addition, IoT security efforts must be applied across the entire supply chain. Further, devices should be designed to prompt users to change factory-default passwords that otherwise present easy targets for hackers. In addition, users need to take the initiative to change such default passwords when possible.
Nascent efforts to rate the security of software and systems could provide helpful pressure on the marketplace to develop secure designs. The Defense Advanced Research Projects Agency is funding such a project. In addition, the White House’s Cybersecurity National Action Plan notes that the Department of Homeland Security is collaborating with industry to develop a Cybersecurity Assurance Program to test and certify networked devices within the IoT. Further, DHS plans to release a set of strategic principles on IoT security, and the Commerce Department recently launched a new multistakeholder process on IoT security. The European Commission is also reportedly drafting cybersecurity rules for IoT devices.
In summary, the recent attacks should serve as a call to action for corporate leaders. Threats to the security of the Internet of Things can no longer be ignored or dismissed as mere nuisances. In the case of critical infrastructure, the stakes are particularly high. President Obama’s National Security Telecommunications Advisory Committee warned in a 2014 report that there was “a small and rapidly closing window to grasp the opportunities of IoT in a way that maximizes security and minimizes risk.” The nation “will be coping with the consequences for generations” if it fails to address these issues, according to the report, which cautioned that hackers might “use remote access to cause physical destruction.”
The Electricity Information Sharing and Analysis Center’s white paper calls the recent IoT-related DDoS attacks “game-changing threats in terms of cybersecurity” because they have “the potential to use the immense scale of the IoT against a victim or multiple victims with vulnerabilities at high throughput rates.”
Organizations clearly need to better understand and address emerging IoT-related risks. That will require looking both inward and outward given the interconnected nature of the digital economy, industry’s reliance on third parties and the global nature of today’s supply chains.
Principal, Cybersecurity and Privacy, PwC US
Managing Director, Cybersecurity and Privacy