How smart are the risks we're taking?
The proliferation of new technology is raising the stakes for critical infrastructure and leaving entities vulnerable to distributed denial-of-service attacks.
The proliferation of connected consumer electronics, IoT and “smart devices” has left us vulnerable in ways we’ve only begun to imagine.
We’ve already seen examples of how connected but unsecured “smart” devices can be used in massive distributed denial-of-service (DDoS) attacks. And while information security is somewhat in its infancy as a discipline, I’m puzzled and frustrated that, as a society, we’ve allowed ourselves to end up in this position.
Now, the stakes are higher. We’ve exposed our critical infrastructure, including our water, electrical grid, financial, and communications systems to the internet, and with it, an army of baby monitors, DVRs, security cameras, and other connected consumer devices, referred to as botnets, with deep and wide-ranging implications for our security.
So far, the impact of even the largest security events has been relatively small, contained to perhaps a business, a region, or maybe an industry or government. Even the largest hacks, in which millions of people’s information were exposed, have not led to widespread chaos or the significant breakdown of society. Yet.
These risks are not necessarily new, but the ease and opportunity to do large-scale damage have grown exponentially. As history has shown, when there are opportunities to exploit the vulnerable, it’s not a question of if, but of when.
When you consider the number of humans, devices and homes with internet access, it adds up to a huge amount of potential firepower for attackers. Consider:
- The average global connection speed was 5.1Mbps in 2015, according to Akamai.
- Gartner projects there will be 8.4 billion connected “things” in use this year and, and by 2020, we could reach 20.4 billion.
- With the total human population estimated to be 7 billion in 2020, according to Our World in Data, that means there will be roughly 2.6 devices per person.
- Even accidental actions can lead to severe consequences and add new levels of risk.
Though progress has been made to secure these devices, they are still somewhat inherently insecure. Even when they are secured, they may be connected to unsecured networks. These devices will connect to or replace almost anything with a plug and will be accessible – and exploitable – from anywhere in the world.
How smart are cheap IoT devices?
While “cheaper” is a compelling market driver, its potential consequences are often under-considered. Take smart meters, for example. Today there are over 100 million electrical smart meters deployed around the world. Imagine poorly secured meters being compromised and the resulting damage to homes and property from manipulation of supply, or disablement of alarms. There are opportunities for a new type of ransomware, as hackers demand payment to turn the power back on. Or even hackers looking to cause blackouts across large geographical regions.
All of these risks are real.
In security, we often say that it takes a major event before we take security seriously. Of course, by then, it’s too late. Money has been lost, reputations damaged, and sometimes far worse. We need to change our practices. Every time a new technology is introduced, its potential risks need full assessment, and all of the right people need to sign off on pushing forward.
Now standards and frameworks can help with the needed assessment and mitigation, but only if they are adopted and used effectively. Suppliers should be incentivized to follow these standards and be held accountable for device security.
We are gaining a better understanding every day of the scope of financial and social consequences that not making security an essential component of any technology represents. What will it take for us to act?
John Germain is chief information security officer at Duck Creek Technologies. Contact him at john.germain@duckcreek.com.
Related: