Why Security is Critical for IoT
There are multiple forces behind the accelerating adoption of Digital Business – and the need to secure trust across hyperconnected physical and IT systems. The problems of security are fundamentally human created and have become increasingly urgent as more critical processes become automated between machines. With the declining costs of sensors, increasingly flexible connectivity options and the rise of ever more powerful analytics and machine learning, there will be more potential vectors for attacks.
IoT Security is a subset of the broader IT Security market – it has been forecasted to grow at a 16.5% CAGR to $20 billion market by 2020, over 2X the growth of the security market overall. In 2016 IDC estimated that IoT Security represented ~28% of the market, and this is expected to be over 40% by 2020.
Moore’s Law - Not Just for the Good Guys
The declining cost and increasing power of computing and connectivity enables extraordinary innovations to take place – but the challenge is that Moore’s Law doesn’t just apply to the good guys – cyber-criminals also benefit from these dynamics and we have “Moore’s Outlaws”. Some of the best innovation in technology is used for illegal purposes. Juniper Research estimated that cybercrime will cost $2 trillion in losses by 2020, and the 2017 hack of Yahoo impacted between 500 million to 1 billion people – put in other terms, 1/7th of the population of the planet was a victim of a crime.
There has been exponential growth in crimes with no signs of slowing. A Russian team of hackers amassed over 1 billion passwords that they used to perpetrate financial crimes. The notorious Carbanak attack stole $1 billion from 100 banks in 30 countries – attackers spent 2 years in stealth mode inside bank networks, then they executed an unprecedented $1 billion theft. The calculation for cyber criminals is far more attractive given there’s very little chance that online thieves are arrested (especially across borders) and the ability of law enforcement to keep up is limited. The average bank robbery gets away with $4300 and the perpetrator risks life in prison - versus $1 billion in online theft with almost no chance of being caught.
With the rise of AI tools and techniques there’s growing danger from automated tools that evolve automatically to evade detection systems. There are many hacker toolkits available online in black markets that allow cyber criminals with limited training to do a lot of damage. Cyber weapons do not die once they have been used – they are repurposed and used over and over again.
We highlight a few notable instances of big security attacks that have targeted physical systems:
StuxNet - the first big “Digital Weapon”
The StuxNet worm was first identified in 2010, and was responsible for substantial damage to Iran's nuclear program. The worm targets programmable logic controllers (PLCs) and sent instructions that could degrade machines slowly – in particular the centrifuges used to create nuclear fuel. The code targeted machines using the Windows OS and networks, seeking out Siemens Step7 software. Interestingly, the design and architecture were not domain-specific – the code could be tailored to attack supervisory control and data acquisition (SCADA) and PLC systems.
The worm was introduced to the target environment via an infected USB flash drive. There were three modules: a worm that executes all routines related to the main payload of the attack; a link file that automatically executes the propagated copies of the worm; and a root-kit component responsible for hiding all malicious files and processes, preventing detection. All in all, StuxNet was a turning point creating greater awareness of the need for protection of industrial systems.
The big DDoS Attack – the Mirai Botnet
In late 2016 there was an attack with hundreds of thousands of IOT devices compromised – DVRs, cameras, routers, printers etc. The Mirai Botnet compromised devices from Dahua, Samsung, RealTek, ZTE and many others, and commandeered them for Distributed Denial of Service (DDoS) attacks. The Mirai Botnet was was responsible for attacks on Krebs on Security, the domain service provider DYN (taking down AWS, Netflix, Reddit and other sites), Deutsche Telekom and attacks on colleges.
The Mirai Botnet code had two functions: locate and compromise IoT devices and execute distributed denial of service (DDoS) attacks. The code guesses passwords and uses common protocols to connect and direct attacks. Only a small fraction of vulnerable devices had been recalled out of hundreds of thousands of vulnerable targets. The Mirai code has been released as open source, propagating the threat globally. For manufacturers and consumers of connected devices, it is imperative that security be built into systems – and Mirai highlighted the extent of the problem.
WannaCry Ransomware Attacks – Spook Code goes Rogue
The WannaCry code was initially an NSA tool that was turned into Ransomware. Shadow Brokers got access to the NSA tools and released them, wreaking havoc on systems across Europe. WannaCry hit trains in Germany, Britain's National Health Service (NHS), Spain's Telefónica, FedEx and Deutsche Bahn were among the victims. Surgeries were cancelled. Renault had to stop production in France.
Ransomware works by encrypting files, giving users 48 hours to pay with Bitcoin or lose their files forever. Ransomware took over the Muni System in in LA - so they had to let everyone in for free for the day. Other more recent attacks targeted city governments in Atlanta, Baltimore and other cities. WannaCry is an example of the risks when government developed code is leaked and acquired by bad actors.
Want more on the risks and challenges in IoT security? Join us for a webinar presentation, Enterprise IoT Security: Connect and Protect on Thursday, October 10th where we will examine the security issues of today.
Momenta Partners encompasses leading Strategic Advisory, Talent, and Venture practices. We’re the guiding hand behind leading industrials’ IoT strategies, over 200 IoT leadership placements, and 25+ young IoT disruptors. Schedule a free consultation to learn more about our Connected Industry practice.