How can we ready ourselves in the face of cyber attacks?
"Proactive holistic security planning enables a manufacturer to manage cybersecurity risk and regulation while avoiding costly recalls, design changes and heavy penalties."
Thursday, November 22, 2018
There is good reason why sales of cyber security products are growing at twice the rate of GDP. In the age of the Internet of Things (IoT) every connected consumer device, from homecare monitors to kids’ toys, is a potential threat to data security and privacy.
Gartner estimates that over 7 billion consumer IoT devices have been installed by 2018, and the number is projected to grow to nearly 13 billion by 2020. For manufacturers, the growth of consumer IoT markets is a unique opportunity to develop new software and service-based revenue models. Unfortunately, the market’s growth is being matched by the cost of cybercrime which is projected by Cybersecurity Ventures to reach $6 trillion globally in 2021.
The cost of cybercrime extends far beyond stolen money. It includes the destruction and theft of data or intellectual property, as well as fraud or lost productivity due to the disruption of business, worsened by lengthy forensic investigation, complex restoration of compromised systems, and subsequent brand damage.
The question then is: Are manufacturers doing enough to mitigate the risk of cybercrime and embed data protection? Preventative security measures should be both end-to-end across the technology stack and integrated across the product life cycle and IoT ecosystem, from design and manufacturing through to implementation and product obsolescence. GDPR has heightened the importance of taking such measures due to the implications of not complying to the regulatory framework. Previously your brand’s reputation may have been on the line for not taking such measures; now the most serious violations of GDPR can lead to fines of up to €20 million or 4 percent of revenue (whichever is greater) as well.
As such, proactive holistic security planning enables a manufacturer to manage cybersecurity risk and regulation while avoiding costly recalls, design changes and heavy penalties.
Every coin has two sides. The same technologies that enable value creation in an IoT product also create attack vectors. Common attack vectors include weak passwords, vulnerabilities in sub-components or integrated libraries, lack of encryption, Internet exposure, and hidden “backdoors” that are designed in by device manufacturers. These vectors are used to carry out several common types of cyber attacks.
IoT botnets have been used in some of the most prominent Distributed Denial of Service (DDoS) attacks. A DDoS attack overloads a network with traffic. Hackers create botnets from IoT products ranging from connected cameras to baby monitors by scanning the internet for devices with easily compromised passwords. DDoS has become so pervasive that the software can be rented hourly on the dark web to carry out attacks using IoT botnets.
Ransomware is another attack that is growing in frequency. In a traditional ransomware attack, hackers encrypt critical data. The decryption key is shared after the victim has paid a ransom, typically in Bitcoin. White hat hackers from security firms Senrio and Pen Test Partners recently showed that they could remotely infect a smart thermostat with ransomware. Imagine being on a business trip and being told that your thermostat was hacked and set to the maximum temperature. Would you pay a ransom to save your heating bill, cat, and house plants? Device availability can be critical in many such scenarios. Although devices can be reset, it is often a challenging process for a typical customer, and the loss of data and settings can be annoying at best and quite problematic. If the attack is not noticed soon enough, the encrypted data will be backed up (if any backup exists) and the relied upon backup will eventually be rotated out, preventing any data recovery.
There is a third type of attack that is exclusively in the IoT domain - device remote control. Imagine hearing a stranger’s voice coming from your 2-year-old daughter’s room and realising that your baby monitor had been hacked. Dr. Yossi Oren, a lecturer at Ben-Gurion University in Israel, found that many baby monitors remain easy to hack in 2018 despite publicity following numerous prior incidents. As device connectivity becomes pervasive, there is a growing risk of physical harm caused by remote control of vehicles, ovens, healthcare devices, and other consumer products.
End-to-end cyber security decisions entail trade-offs between security level, system complexity, time-to-market and cost. This process begins with an assessment of the business impact and probability of risks. Without clearly understanding and prioritising risks, it is not possible to determine the security requirements of individual technology components or of the IoT system as a whole.
After risks are understood, the next step is to evaluate the technology stack. Testing of the individual components against requirements determined by the risk assessment is the foundation of a secure product. Security cannot be installed as a software add-on after product development. Every level of the stack must be assessed for vulnerabilities, including device hardware (chipsets, sensors and actuators), wireless communication modules and protocols, device firmware (OS and embedded applications), cloud platforms and applications. Following component testing, an end-to-end assessment should be performed to determine how the components interact in diverse situations across the entire product lifecycle management (PLM) process, including after the point of sale. Finally, a process of security validation for updates during the lifecycle of the product can be embedded.
Mature consumer IoT companies go beyond embedding security into their products, they study customer behaviour to identify and minimise user-generated risks. Product companies cannot pass sole responsibility for security to their customers. Thinking through the mistakes that your customer can make, or the best practices that your customer can neglect, will go a long way towards building a product that is ‘secure by default’.
Many consumer product manufacturers, whilst having internal security capabilities, will nevertheless benefit from working with external advisors who have wider exposure to assessing various types of organisations, systems and IoT products and are therefore better equipped to help manage threats. Building a network of trusted partners is a strong first step towards planning cost effective end-to-end security.
TÜV SÜD is a technology agnostic partner of choice for testing and ensuring safety and security of consumer products. We help manufacturers and partners with consumers to evaluate and secure your IoT ecosystem and technology requirements by running software and penetration tests and certifying products to mitigate legal liability. We can help you test the security of your IoT product as well as the complete IoT ecosystem, including:
Tackling the problems of cyber security risks can, after all, only be realised by comprehensive planning, periodic evaluation, updates and monitoring - from design through to obsolescence.