The power of disruption: Solving the Internet of Things security puzzle
29 November 2016
The Internet of Things has a security problem that threatens both the internet and our cities' connected infrastructure, and cyber security experts are divided over the best way to solve it.
Peter Tran, general manager and senior director at RSA's Worldwide Advanced Cyber Defense Practice, argues that the distributed denial of service attack on DNS provider Dyn was just the start of a worrying trend that will continue unless devices are better secured.
"The new wave of cyber attacks is around disruption," he tells Business Reporter at the RSA Conference 2016 in Abu Dhabi, noting that the recent cyber attack on Dyn came as "a shock around the world". "That was an example of the power of disruption to attack our infrastructure. Anything that is internet-enabled is a risk."
And with analysts predicting there will be 50 billion connected devices by 2020 - devices Tran describes as "non-standard", "disparate" and "intrinsically insecure" by their function - it seems something must be done to improve security and stem the rising tide of attacks using botnets of infected Internet of Things (IoT) hardware.
"The Dyn attack shows the possibilities at scale," Tran says, highlighting the knock-on effect that such disruption can cause for businesses and consumers alike. "Google goes down for five minutes and 45 per cent of the internet is affected."
There is no question that there is a problem, but there are differing views on how to solve it.
Industry-led change, awareness or regulation?
One possible outcome is that incidents like the Dyn attack will be a wake-up call for manufacturers. After all, Tran reasons, no business wants to see its products’ names in the news after they were used as part of a cyber attack.
“We do not want to be the ones who have taken down Google or a power grid system,” he says. “A lot of manufacturers are going to think twice before taking a product to market.”
But despite previous warnings and reports of attacks, manufacturers continue to release insecure connected devices. Some cyber security experts suggest increased consumer awareness could force change, but this could be a long time coming.
“Consumer awareness is a fact, but at the same time there’s a collaborative effort,” Tran argues. “The consumer should not bear 100 per cent of the burden.”
With some manufacturers refusing to play ball, he says regulation of the IoT is “a necessary step”, and suggests that new rules could include ISO-like standards for connected devices – for example, one requiring them to output security data.
“Do you have the output necessary for security monitoring?” Tran suggests regulators might ask manufacturers of their products. “Secondly, the IoT device itself, from a compliance and regulatory perspective, needs to follow classification guidelines.”
To make the job easier, he proposes that the IoT is divided into categories – for example, home, healthcare, automotive and banking – which would allow for appropriate regulation and monitoring of devices based on their functions and levels of sensitivity.
“If you do not have a strategy to do that at scale, you will have a pretty chaotic environment,” Tran says. “You have to work to standardise the Internet of Things.”
A growing cyber security problem
Whatever the solution, it needs to come sooner rather than later as connected devices continue their unstoppable move into our homes, workplaces and hospitals.
In the United Arab Emirates, where the RSA Conference is held, the police and fire services use drones in their work – something Tran calls “a risk factor itself” – and other governments are running schemes to introduce hardware like connected energy infrastructure, which he says is “prone for disruption” by cyber criminals if not properly secured.
“The new systems coming online are smart, connected and somewhat automated,” he says of the initiatives. “A lot is going to depend on the data coming out of that.”
The Dyn attack came as a surprise for many, and for now seems to represent the path that the technology world is leading businesses and consumers down. However, Tran says that with hard work and rules in the right places, the industry will be better equipped to anticipate future attacks and work on preventing them before a more damaging incident occurs.
“We need to have security at the highest visibility that we can, leveraging data analytics to determine what ‘bad’ looks like before an event can happen,” he says.