A series of distributed denial-of-service (DDoS) attacks powered by the malware botnet Mirai on October 21, 2016 disabled Dyn, the domain name system provider for hundreds of major websites, including Netflix, Twitter, and PayPal. The malware infected and spread through systems with the help of hacker-compromised web-connected cameras and digital recorders in consumer households, and security experts expressed their concerns about new threats from home electronics and the Internet of Things (IoT).
Big data leaders should take particular notice of this recent attack, because it highlights why security needs to be top of mind when incorporating IoT into analytics projects.
SEE: Dyn DDoS attack: 5 takeaways on what we know and why it matters (TechRepublic)
Research firm Gartner projects that 26 billion IoT devices will be installed by 2020. These IoT devices and sensors will be connected to freight containers, facility alarms, data centers, HVAC environmental monitoring equipment, hospital operating rooms, etc., and companies will be expected to do something with the information collected from these devices.
IoT applications that are already in the field include smart meters used by electric and gas utilities. Estimates are that by 2020, there will be over 900 million of these smart meters installed globally, with Asia leading the transition to smart energy grids, followed by Europe and North America. The cost of installing these smart meters is over $100 billion, but the projected financial benefits will reach $160 billion. So the return on investment (ROI) is there, but what else do companies have to worry about?
With smart meters, we’re looking at millions of devices with physical exposure and the ability to inject software attacks from multiple points of entry. To a greater or lessor degree, this IoT exposure also applies to manufacturing, logistics, and other companies operating IoT devices at the edges of enterprises, and even to highly centralized companies where malware could leak in through an IoT-monitored HVAC or environmental monitoring device.
More about IoT security attacks and vulnerabilities
In December 2015, 30 of 135 power substations in the Ukraine were taken out for nearly six hours by a cybersecurity attack. Initially, hackers used malware to direct utilities’ industrial control computers to disconnect the substations; then, they inserted a wiper virus that made the computers inoperable.
In September 2016, IoT devices and around 150,000 CCTV cameras were used as part of a botnet to attack the infrastructure of a French web hosting company, also compromising IoT devices. At one point, 1.1. Tbps were being dumped on the firm’s networks.
“We’ve speculated about malicious use of IoT devices before, but this appears to be one of the first large DDoS attacks that can be directly attributed to compromised IoT,” said Ken Munro, a partner of Pen Test Partners, told Internet of Business.
Munro is also quoted as saying in the September 2016 Internet of Business post: “We find vulnerable IoT devices with huge installed bases every week. Just this week we’ve privately disclosed to the vendor a remote code execution vulnerability on a domestic IoT device with at least 300,000 units installed. That RCE could be used to trigger a large number of requests, leading to DoS. That’s just one device type in just one country…. Hence, we don’t think the limits of IoT-derived DDoS have been seen at all.”
SEE: Security Awareness and Training Policy (Tech Pro Research)
What IoT security steps you can take
One problem facing companies that use or are planning to use IoT with their big data plans is that there currently is no consensus on how to implement security in IoT on a device. This lack of consensus is an issue for standards committees to resolve, not for corporate IT to address. So what do you do if your company is using or planning to use IoT? Follow these steps.
First, identify all of your IoT exposure points for hacks and breaches, and write and enact a plan for regularly monitoring them. This monitoring should occur at two levels: regular physical inspections of devices and continuous software-based monitoring and logging of emissions from these devices that are conducted by a network-based system. If unusual activity from a device is detected at any time, there should a way to immediately shut down that device.
Second, if your plan is to immediately shut down a device if unusual activity is detected, you should also have disaster recovery and failover procedures in place so your plant, environmental monitoring systems, or any other IoT applications can keep running.
Third, you should meet with your liability insurance provider. As you implement IoT, you should anticipate increases in liability insurance premiums in your budgeting, too. Your liability insurer doesn’t want to see data breaches, compromises, and damages costs go up, either. Your insurer likely has a list of best practices for clients that it can recommend and that can help you in your IoT planning and mitigation strategies.
Last but not least, meet with your prospective IoT vendors about security. What security technology and best practices come with their products? What security warranties and protections are they willing provide? In the case of a security breach, what levels of incident escalation and support do they provide?
SEE: 3 inexpensive steps to secure IoT (TechRepublic)
The good news
IoT is still an infancy technology in most companies’ big data plans. As your company evaluates where IoT best fits in its operations and strategies, you should also plan for security, failover, and mitigation practices. You have to, because the hackers will surely be out there.