Just a few years ago, Samsung’s first push into providing smart solutions was marked by an expensive and complex “Internet of Things City” at the vast Consumer Electronics Show (CES) in Las Vegas. Digitally-powered innovations were prominently featured. Samsung has continued to showcase new products and services at CES each year, alongside hundreds of other companies, to the evident delight of many of the 180,000 attendees gathered in Vegas.
CES in 2020 was no different, although this year there were some strong notes of hesitation. Why do so many seem so worried? The answer, in one word, is “security” – including the security of “IoT endpoints” and connected devices, the security of smart data transport from the edge to the cloud and much more.
Despite the hype that “anything IoT” has prompted over the years, a growing number of organizations in government and industry have begun to show genuine hesitation before diving right in. This is largely due to growing awareness of IoT’s unique security threats. Organization leaders now know that they must understand how to secure IoT endpoints and devices while enabling data transport from the edge to the cloud – with insights delivered to customers at the end of the process.
Cloudflare defines a DDoS attack as “a malicious attempt to disrupt normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic.” The second biggest DDoS attack occurred in October 2016 and was directed at Dyn Corp., a big US-based DNS provider. As summarized by Cloudflare’s executive team, the attack was “devastating and created disruption for many major sites, including Airbnb, Netflix, PayPal, Visa, Amazon, The New York Times, Reddit and GitHub”. The attack was carried out using malware called Mirai, which creates a botnet out of “compromised IoT devices such as cameras, smart TVs, radios, printers and even baby monitors. To create the attack traffic, these compromised devices are all programmed to send requests to a single victim”.
What approach should tech leaders take in response, especially as they work with the varied kinds of organizations, large and small, that become cyber-targets – companies, governments, universities, hospitals? Each of the major tech companies has a white paper that aims to answer that question.
A group of world-class experts have been consulted to share their views. Here are a few of the key insights that we learned from them.
Are we “outdriving our headlights”?
A former deputy director of cybersecurity at the U.S. Department of Homeland Security’s Science & Technology Division, Scott Tousley now serves as Splunk’s senior executive, cyber programs. Tousley is concerned about the risks associated with “these needed new capabilities, because of lagging governance practices.” He thinks that “security governance approaches are not now quick enough, or adaptable enough, to support effective identification, management and reduction of risk, as these new capabilities develop and deploy.” Tousley predicts that “we will continue to see many different threats actively attack these distributed and often haphazard environments”. Why is he so worried? “Because the tech industry has created environments that are governed by different organizations and technologies and approaches,” he says. Tousley sees a situation wherein we are all “outdriving our headlights” because the industry “designs and deploys and operates more rapidly than our risk understanding and governance can keep up with.”
There are a host of different threat organizations working every day, out there in the real world. Some are small, and some have larger teams and organizations. They’re based out of many different countries and regions.
All these actors are actively conducting reconnaissance to aid them in deciding what targets to go after. These actors then choose their target, attacking in ways that are increasingly sophisticated. Tousley thinks that these attacks will increasingly focus on “IoT environments, which are not very tight/defined enterprise environments.” Tousley considers these to be “more distributed, haphazard, ad-hoc, normally governed by different organizations and technologies and approaches.”
In military terminology, these different threat organizations see a “target-rich” environment – and retain what Tousley calls the “advantage of initiative”, insofar as they can choose when and where to go after particular targets.
Considering the human factor
Kim Zentz, Urbanova’s Executive Director, is deploying IoT devices in the field in Spokane, Washington. She thinks the real threat to enterprise security, “in any type of field deployment of technology, rests with the clear, consistent and factual communication with all of the people involved. This includes the employees in the office and in the field as well as customers or clients and those who may interface with the technology in a tangential or sporadic fashion.”
As Zentz and Urbanova push forward, they’ve concluded that people are now ready and willing to adopt change at varying paces: “Technology deployments must build the human factors into the schedule. These steps cannot be rushed without compromising the security of all involved,” she says. Zentz and her Urbanova team believe that it’s best to start at a manageable scale: “Adapt to the lessons learned before expanding the deployment.” It’s noteworthy that this approach is driven as much by security concerns as it is by other considerations.
Crowds gather at a presentation at CES 2020 in Las Vegas earlier this year. Is there a growing reticence within the industry to dive headfirst into IoT? Credit: CES®
According to Nima Baitai, Lenovo’s director of cybersecurity solutions in their Intelligent Devices Group, IoT – and connectedness to the digital network – “continually shapes and touches every facet of our lives and how we interact and experience the world around us. The security implications of IoT mean that malicious actors can leverage these devices for attacks with far-reaching impact.” Baitai thinks that the 2016 Mirai botnet was a watershed moment for IoT security. Baitai is focused on the continued growth of IoT devices both in the consumer and commercial arenas, wherein “the potential impact of such attacks continues to grow. As such, it’s incumbent on organizations to increase their diligence of ensuring they have visibility into what devices are connected to their critical networks and to apply security controls to those devices.” One of the great challenges can be, as with Mirai, that the “concerns reach beyond the devices connected to our own networks but also to how we mitigate risks posed by the potentially billions of devices outside our organization that can be compromised and used against critical networks,” says Baitai.
For Baitai, and his team at Lenovo, “having network redundancies, continuity plans and proper segmentation are vital. Ultimately, we, as consumers, must also look to the device manufacturers to place greater emphasis on building-in security to these devices. That is economically challenging given the hunger of consumers for more and more devices at lower and lower prices. There is no silver bullet. It will take a concerted effort across vendors, regulatory agencies and organizations working together to address the security challenges of IoT.”
Your thermostat is now a security vulnerability
For a somewhat different point of view, consider the perspective of Craig Williams, director of outreach at Cisco Talos. He thinks that “the biggest threat to IoT deployments is the fact that these devices - our cameras, our thermostats, our dishwashers, our smart refrigerators, and even the locks that secure our homes are now computers. Like any computer these have security issues which will be discovered and exploited by hackers. Cisco Talos has discovered these types of issues and worked with vendors to patch them so that attackers lose the safe haven they could otherwise utilize to move laterally throughout the network with relative ease. Everyone considers security a priority until it adds $20 to the cost of a device - then suddenly the one on sale no one has heard of looks more compelling.”
Benson Chan, senior partner at Strategy of Things, notes that IoT networks deployed in the field are vulnerable to a variety of security threats: “Many of these threats breach the devices in order to gain access to the network. But another equally dangerous type of threat involves ‘hacking the algorithm’ behind the devices without breaching the device itself.” These attacks are designed to create uncertainty and mistrust in the algorithms. Once such trust is lost, you wouldn’t use that device in critical situations. Chan concludes that “a cyberattack doesn’t always have to cripple the network, sometimes all it needs to do is to slow someone down temporarily or take away someone’s competitive capabilities.”
An analogous attack would be painting over the word “Stop” as it appears on common stop signs on busy streets. An autonomous driving vehicle, equipped with a variety of IoT sensors, is programmed and trained to stop the car at an intersection when it detects the word “Stop” on a red octagon sign and on the street. However, this simple hack tricks the sensor into misclassifying the intersection as “no stop”.
Chan thinks that defending against these types of threats is not easy. “A company deploying an IoT network needs to consider possible algorithm hacking scenarios and implement alternative countermeasures strategies in the algorithm design and testing.” In the stop sign scenario, one possible countermeasure is to look for a stop sign on the opposite intersection. If one is detected, it is highly likely that this is a “stop” intersection. That said, Chan believes that “there are many ways an algorithm can be hacked (some known, but most unknown), and companies would be advised to set up a rapid deployment capability in order to respond quickly to these hacks, as they arise, and mitigate them in near real-time.”
IoT is not a fairy tale
Rob van Kranenburg, founder of the IoT Council, says that the biggest threat to IoT applications is the “miseducation of the general public”, fueled in part by gadget reporting. He worries about the fact that “the security industry has a stake in hyping security issues”, since this is part of their business model. van Kranenburg argues that “IoT is an enabler of a transparent society that gives individual good and timely feedback on their immediate condition and surroundings” – see the development of wearables as evidence of this. IoT provides for smart and cheap resource management in our homes, for better public and private transport using our connected bikes and cars, for downsizing of overhead and for coordinated collaborative smart procurement in cities.
van Kranenburg says that “this is not a fairy tale”. In fact, he sees an unfortunate reality, “The one biggest threat to IoT applications is IoT applications”. He argues that it’s vital for engineers to protest against the loss of privacy, but that they must stop merely lamenting this – and they must start to join forces, in order to build the best possible connected worlds. van Kranenburg concludes by saying that “it’s perfectly possible to build the ideal balance between national/regional centralization of infrastructure, full decentralization of services and data staying with people”. This would mean a kind of “edge environment”, one where the router becomes an important and highly secure element in validating assets and devices connecting with and through the router.
Is there some good news out there, especially for those in tech who’re undertaking IoT deployments? One small sliver of light emerged in January 2020, when the US Senate passed what some consider to be the very first Federal bill focused on IoT.
About the author: Gordon Feller is a Senior Advisor to tech firms and universities, since 1983; Founder: Meeting of the Minds, non-profit; Global Fellow: US Smithsonian Inst.; Appointed Member, US Federal Comm. on emerging technologies; Board Member, Alliance for Innovation; Board Member: Urbanova; Author: 400+ magazine articles on tech. email: Gordon@GordonFeller.com; Twitter: @GordonFeller