Booz Allen Hamilton

Stop the Madness: Real Security for a Connected World

Security Challenges Increasingly Put Our Ride at Risk

As we move through each wave, the likelihood and impact of cybersecurity risk increase exponentially. Likelihood increases because we’ll be giving threat actors (and non-malicious actors) increased pathways to valuable targets that can help them achieve their financial and/or political objectives. Impact will increase because we’ll place important life and business necessities (e.g., banking, home security, oil refining) into a networked, inherently vulnerable grid. In the near term, we’ll see micro impacts (e.g., a manufacturing plant goes down, a car is “bricked” or functionally useless). Wave Three will usher in dramatic change. We’ll see macro impacts: smart buildings rendered non-functional, transportation systems in major cities grinding to a halt, large-scale communication channel failures. The compromise of a single device may put the entire networked ecosystem at risk.

Recent real-world examples begin to illuminate the cyber-driven societal risk that will envelop us. In October 2016, the largest distributed denial-of-service (DDoS) attack to date struck Domain Name System (DNS) provider Dyn, causing major Internet outages across North America and Europe. Attackers used many Internet-connected devices (e.g., IP cameras, printers, digital recorders) that were infected with malware. In another case, the NotPetya wiper malware – which has destructive aims – recently spread across the globe with astonishing speed. It rendered infected systems useless by preventing the operating system from booting. Countless companies were affected, with many facing bottom line hits in the tens of millions of dollars.

Why are these risk scenarios plausible? What’s enabling the compromise of these intelligent things? 

  1. Our Legacy Systems...Endanger: The majority of today’s deployed, connected devices are insecure because they weren’t designed with security in mind. Device makers are only now beginning to bake in security from the start.

  2. Our Help Desks...Disconnect: All devices have a limited technical support window. When they reach end of life, device makers no longer produce security updates. The devices then become sitting ducks for attackers, as users often keep them connected.

  3. Our Designs...Flawed: In product design, performance and functionality requirements outweigh security concerns. Often, these devices are not designed for easy, remote updating (they’re not easily “securable”). Manufacturers focus on commercial interests, rather than broader societal interests.

  4. Our Architecture...Vulnerable: The deployment of today’s architectures, such as how we mesh connected devices in a smart building, is not security-driven. As a result, the variety of device and network types creates exploitable gaps. Furthermore, device integrators are not thoroughly educated in cybersecurity practices, which only makes matters worse.

  5. Our Governance...Anemic: We’re in the early stages of normalizing intelligent things. Connected device makers naturally have their own agendas, and without higher-order policy and pressures to incentivize the use of common technology standards, we’ll stay in this predicament. Organizations such as Open Connectivity Foundation and the Industrial Internet Consortium are developing standards. We’ll just need to entice manufacturers to adopt them.

How do we mitigate these risk scenarios? At the core, it’s about swift, proactive action. 

Swarming Cyber Risk Proactively Can Ensure Our Future

We have an advantage right now: a small window of opportunity to secure intelligent things while they’re still essentially toys. History shows us that bad guys will inevitably devise new tactics and tools to circumvent existing defenses.

Getting ahead starts with the consumers: businesses and individuals that purchase and use these intelligent things. Consumers must demand security, and make purchasing decisions with device security as a required feature. When consumers demand, manufacturers will listen. Not only will they need to embed security into the core of new connected devices, but they will also need to find ways to patch deployed devices and adhere to evolving standards. There are a lot of tactical movements that device makers can and should bring to life (see Booz Allen's Field Guide to IoT Security).

It’s also important that industry coalitions rally around cybersecurity and actually establish these standards, and set new norms. The Automotive Information Sharing and Analysis Center (Auto-ISAC) is a great example of a coalition that recognized cyber as a shared need, and collaboratively developed baseline security practices to implement industry-wide. At Booz Allen, we’ve seen this success first hand, as we drove development of and now help operate the Auto-ISAC.

Finally, government must enable and encourage all this action. We need swiftly-developed policy that defaults to saying “yes” to innovation, and encourages broad adoption of common cybersecurity standards. Governments have the unique positioning and ability to foster cross-industry behavior change.

We’re in for an exciting experience as we ride the waves of connectivity throughout the coming years. But citizens, businesses, and governments must take proactive, vigilant action to reduce cyber risk, so our connected society dream becomes reality.