When it comes to the benefits and pitfalls of technology, a lyric from Bachman-Turner Overdrive comes to mind: “You ain’t seen nothing yet.”
The already-speedy evolution of technology is only going to get faster, more ubiquitous, and chronically game-changing. In lockstep with emerging technologies—artificial intelligence, FinTech, RegTech, and Blockchain, to name a few—there are risks to contend with, and it will be harder by the day for corporate risk mitigation to keep up with moving targets.
Regulators and watchdogs are also challenged when it comes to setting standards for data security because the worlds of technology and threat assessment are constantly—and dangerously—in flux.
A frontrunner in technological advancement is the so-called Internet of Things, the linkage of embedded sensors and communications devices to a home base or servers.
Watches can report in to a central database to help monitor health and serve up wellness alerts. Self-driving cars are on the horizon, along with diagnostics, traffic route assistance, and other benefits of onboard, built-in devices. Utility companies can track thermostats and lamps to estimate power usage and react accordingly. The possibilities—from toys to industrial tools—are nearly infinite.
Unfortunately, IoT is also rife with the ill effects of data breaches, privacy mishaps, and distributed denial of service attacks. Each device in the network is a potential entry point for malicious hackers. Even “innocent” data usage by manufacturers and consumer goods companies can be fraught with international regulatory peril.
As it becomes more prevalent in our daily lives, both at home and at the office, the associated security risks evolve and expand even more. Worldwide DDoS attacks utilizing IoT devices have ushered in a new era of risk that requires businesses to, more than ever before, manage this growing threat.
At the recent Compliance Week 2017 conference in Washington, D.C., experts from the front lines of cyber-security addressed how IoT is a force to be reckoned with.
To stay ahead of the disruption curve, internal audit and compliance must quickly discern the vital signs of change and the related implications to the business model of their organization.
“The thing about IoT is that it is an ill-defined term,” said David Coher, cyber-security and compliance risk advisor for Southern California Edison, an electric utility providing power to approximately 14 million customers. “The definition depends upon what you are talking about and the business you are in.”
Perhaps most frequently, IoT is associated with consumer devices, including smart watches, wearables, and smartphones. Online linkages also power point-of-sale devices, an obvious concern and risk for retailers.
Companies may also need to be wary of home routers. “If you have employees working from home, that one router is now a portal into your network by nature of having the employee at home connecting into your network,” Coher said.
His most direct concern is the link between connected devices and industrial controls. “They bring us lots of great data to a centralized location, but of course it creates lots of potential problems,” he said. “Connectivity brings risk.”
Coher’s touchstones for good cyber-health: maintaining the confidentiality of data, limiting who has access to it, maintaining its integrity, and ensuring availability.
It goes without saying that regulators around the world keep a steady eye on privacy protection. A system intrusion or shutdown through a DDoS attack can also cripple or confuse important databases. That may mean that a retailer’s point-of-sale system, for example, becomes useless and the company cannot process credit card transactions or maintain e-commerce activities.
Recent malware attacks and “ransomware,” such as the WannaCry virus, have drawn renewed interest to the availability of data. The attacks, often spread through insecure e-mails, hold company data hostage for an established ransom paid in Bitcoin.
Coher described some widespread security flaws and weak points that help facilitate ransomware and related attacks. Many devices are built around common chip sets, many of them coming from factories overseas. “If everybody is using the same thing, and there is a flaw in that thing, then the problems begin,” he said, suggesting the need for efforts to create a uniqueness among products “so you don’t have that common exploit.”
IoT is incredibly broad. How can the federal government possibly get its arms around it? That was the question asked, and answered, by John Delmore, assistant general counsel for the Federal Bureau of Investigation’s Cyber Law Unit.
“It is bigger than any one agency, so you have multiple agencies looking at the problem and approaching it from their separate perspectives,” Delmore said. Companies would do well to pay close attention to those agency responses to problems and concerns.
Among the agencies with the largest overarching view is the Department of Commerce, he said. Its efforts can help provide an overview from the federal government’s perspective and offer hints about where its efforts will focus next.
A starting point for learning more about the agency’s efforts can be found in a January 2017 “green paper” the National Telecommunications and Information Administration produced. The goal of the paper was to “set forth a series of issues that should be considered in any future discussions related to the possibility of a national IoT strategy.” It was accompanied by an ongoing public comment process.
The Department of Homeland Security, Delmore said, is another source of government insight. The National Institute of Standards and Technology, a non-regulatory agency of the Department of Commerce that forges partnerships between the government and private sector to promote innovation and industrial competitiveness, has published guidance on evaluating the cyber-security risks of IoT devices.
The latter is just one effort to “define a common language and common terms,” Delmore said. If everybody is talking about the same things, in the same ways, across government agencies, industries, and internationally, information sharing will be easier and more effective.
One challenge for the FBI, Delmore said, is that most current legal statutes are designed primarily for smartphones and communications devices.
When the conversation turns to an IoT device like the Amazon Echo, “how do search and seizure laws apply?” he asked. “Are companies going to be willing to work with law enforcement when we approach them, or are we going to get the response, ‘No, the Electronic Communication and Privacy Act does not apply to this particular device and we are not going to provide the information to you. Go to Congress and get the law changed.’ There are both opportunities and challenges to be overcome.”
Stan Byers is senior advisor for Technology for Global Security. T4GS, as it is commonly known, is a non-partisan, non-political network whose goal is to bring game-changing technology applications to the world’s most challenging security problems.
Byers served on the White House National Security Council and, most recently, he was a leader of EY’s cyber-economics team that focused on the geopolitical and economics aspects of cyber-security.
He stressed that new technology, notably artificial intelligence, “is moving very quickly and much faster than what the government and regulatory agencies are able to do.” The mission before his and like-minded groups is to “bridge the gap between the technology community and the policy community in Washington.”
Expect more DDoS attacks thanks to IoT adoption. With thousands, perhaps even millions, of centrally connected nodes, their collective power can be aimed at and overwhelm a single target. “You are multiplying the attack many times over,” he said. “It can also make it very difficult to track.”
The next battlefield, Byers predicts, pits computer against computer as constantly learning artificial intelligence is leveraged for malice. “In the near future, it will become an AI vs. AI war, and these systems will be leveraging the power of greater and greater higher bandwidth,” Byers said.
What makes IoT attacks so unique is the amplification of individual attacks. “You can take control of one person’s router or connected device and point it at [a corporate Website] and it is not going to slow it down,” Coher said. “Multiply the attack by 100 million and it will start to cause problems.”
How can companies protect themselves? Some of the advice is both commonsense and complicated. “Changing the default password on your home router is a relatively simple task to perform,” Coher said. The problem: getting millions of people to all do it.
“There is a lot that companies can be doing on their own that can mitigate a lot of this damage,” Byers said. “A lot of it is about thinking strategically.”
C-suites and boards need to think differently about cyber-risk and join the fight, he said. Among the efforts requiring their refreshed focus are testing and monitoring.
“Prepare for when attacks do come,” Byers said. “You can decentralize some operations so there is not one single target for hackers to go after. You can increase the capacity of the systems that you have, so if there is an attack it doesn’t overwhelm you.”
“It may make sense to have offline versions of sites, so if you do go down for a while your customers still have someplace to go,” he said. “Have a response strategy and think through what happens if you get attacked.”
How are you going to determine what type of attack it was? Who is going to do what? Who is going to go out and face the public and be a spokesperson? What are they going to say?
“You can mitigate a lot of the damage to your company just by being able to talk things through so that everyone is clear about what to do,” he said.
Coher stressed the importance of “lowering the incentives” for hackers. Backing up data to an offline site and having redundancies can mean that those encrypting data through an attack are not going to collect a ransom.
“For us it is important not to have a situation where one attacker can get in and take down the whole of our grid,” he said. “You are going to have to come up with many different means of attack and, by that time, hopefully, we can stop it.”
Delmore also stressed the importance of tabletop exercises, simulations, and roleplaying.
“Practice what is going to happen if you have an event,” he said. “Gather all of the people that are actually involved. It adds cost, but get your board there, the actual board members and not just stand ins for them. Bring together all the C-suite people and all of the managers. The IT folks should be involved. Bring everybody together for a simulation of what may happen.”
“Just practice,” he added. “It is amazing. You realize what you don’t know. You don’t know how you would react until you are sitting there gaming it out in real time.”