On Oct. 21, hackers conducted a distributed denial of service (DDoS) attack against domain name server provider Dyn, causing an internet outage across the country and the world. To launch the attack, the hackers relied on internet-connected devices, exploiting their default passwords.
The massive DDoS attack was a harbinger of bad news, according to TCE Strategy CEO and cybersecurity expert Bryce Austin. It is a prime example of how the IoT makes cybercriminals increasingly capable of creating a tremendous amount of havoc without a whole lot of effort, Austin said.
“Your IoT devices are just like having a defensive weapon in your home,” he said. “If you can hack thousands of people at the same time and have those devices do something that they otherwise shouldn’t … or use them for a completely unrelated purpose like the DDoS attack, you have an interesting target.”
Speaking at a session on IoT security at the recent SIMposium 2016, Austin emphasized that it is crucial to fuel discussions to help drive organizational changes that prevent such incidents. Technology leaders are responsible for finding ways to make their systems safer and more secure, including initiating measures to enhance security of internet-connected devices, he told the audience.
Austin said the formation of groups like the Industrial Internet Consortium, which was launched to drive standards for IoT devices, is a step in the right direction.
“When you are on the internet … things are difficult to anticipate,” he said. “But if you develop programs and you develop processes that are designed to be resilient to those kinds of things, you are going to have a better chance of having these incidents never become a disaster recovery scenario.”
As IoT devices proliferate, it is becoming hard to avoid using such devices, even though they are not always the most secure choice, Austin said. Consumers are responsible for their security as well, and it is important for them to choose internet-connected devices that do not have any obvious security flaws, he stressed. Adversaries could hack into an internet-connected thermostat and use it to turn the temperature down to freeze water pipes, for example.
Organizations should also have cybersecurity checks and balances in place, whether they are procedural or technical, he advised. Systems should be built to monitor IoT devices to ensure they are not doing something unusual, for example, and be equipped to mitigate damage if a hack occurs.
Developers can do their part too, and build IoT devices to be more resilient to hacks, Austin added. When the marketing team proposes a new internet-connected product, organizations should have their cybersecurity team run a quick check on Google or on the dark web to see what potential financial costs there could be if there’s a cybersecurity flaw in the system, he said.
Companies should consider renegotiating service level agreements and user level agreements with vendors to enhance security in IoT devices, he said. Organizations should also initiate processes like data encryption and/or tokenization to further safeguard data.
“If we are working with an internet of things provider or a service hosting provider and we want them to care… we want to have to ask them to have some skin in the game,” Austin said.
Organizations also typically do not allocate enough money for cybersecurity in their budgets, which is another cause for concern, Austin said.
“Security and maintenance are processes, not events,” he stressed. “There has to be a budget [for cybersecurity] that has to go on every single year, for every single system you have.”