The New Battleground
There is a reason why cyber security products are selling at twice the rate of military equipment. In the age of the Internet of Things (IoT), every connected 'thing' from cars to cuddly toys could become a security threat. Even Blockchain, with all its hype, cannot mitigate risk. And although data hacks have occurred since France rolled out the first telecommunications systems across Europe in the early 1800s, their scale and frequency are set to increase - indeed, they already have. IoT Analytics estimates there are currently over 7 billion devices that can be connected to the internet. This will only grow. And with it, so too will the impact of cyber-related threats.
Companies must therefore embed preventative and predictive security measures across the product life cycle, from design and manufacturing through to disuse. If there is a human element, as there often is, education of employees and consumers (i.e. end users) must accompany the development and implementation of more advanced hardware and software. User safety and security must be paramount even after the point of purchase. This is particularly important to note as the implementation of legislative frameworks is often slower than technological advancement. Connected devices can never be completely secure, but taking pragmatic steps will help mitigate risk to your brand, privacy and bottom line.
Balancing act
With all the benefits IoT will bring - such as being able to determine problems, utilise resources more effectively and take action remotely - the opportunity comes with a cost: potential cyber attacks. You need only to skim the news to see how cyber warfare is increasingly contentious between countries and companies.
A popular attack carried out by hackers is Distributed Denial of Service (DDoS), where devices can be controlled by so-called ‘botnets’ that overload and crash your network, leaving it vulnerable. Mirai, an example of such botnet software, scans the internet for devices that have not had their username or password changed from the default factory settings. Hackers have proven that they can override the controls of connected devices from toys to pacemakers. The fact that unauthorised personnel can access and control consumer products from a remote location is a serious potential threat. Vision, recording and tracking devices embedded in products, for example, can be taken over and monitored. Medical devices vital to keeping patients alive can be interfered with.
This tactic of overloading the network to control settings or steal data can also be used to hold companies and consumers to ransom. This occurs when sensitive data is stolen and can’t be accessed until the perpetrators of the attack are paid off. The cost of such Ransomware is probably more serious than reported, because of the potential embarrassment from embezzlement. In 2016, the central Bank of Bangladesh lost 81 million USD in such an attack. The number would have been far higher were it not for clerical error. For an individual or public company, the cost of such an attack could have been devastating, as bank deposits are depleted and shareholders flee. A spanner in the works is that these attacks can be instigated by non-technical people. DDoS and Ransomware software can be rented by the hour, meaning anyone can launch cyber attacks at a relatively low cost. Even simple hardware, such as USBs, can be utilised for surprisingly simple but effective attacks. This explains why Dharmesh Ghelani, Symantec's Global Head of IoT, emphasises that companies must embed security into their products and the entire production process, such as across the factory floor.
Fitbit, as well as embedding privacy, communicates to users the absolute necessity of changing the default settings on purchasing a connected device - as you would with a personal computer or mobile phone. This education is essential, particularly when products are increasingly global in make-up, meaning different parts are often manufactured by different companies with different capabilities in different countries with different regulatory standards. This makes it difficult for companies to have a complete overview of the (lack of) security capabilities embedded in their product.
It's the Ecosystem, stupid
Designing a 3-tiered security approach with key stakeholders in the supply chain will help. Firstly, legislators can help mitigate risk by drafting policy that sets the ground rules and encourages those affected to report cyber attacks. This will help the threats become more widely known and therefore understood. Secondly, manufacturers should integrate hardware solutions that make it physically harder to hack connected devices, as Intel does with its chips; IBM has developed cryptography hardware that accelerates software processing. Thirdly, software solutions must be implemented to complement the first two layers of defence.
Decision makers working on developing connected devices should therefore collaborate with partners that are able to deliver on the high-priority elements of end-to-end security, including (but not limited to):
- Encryption
- Authentication
- Public Key Infrastructure (PKI)
- Application Program Interface (API)
- Network Security
- Security Analytics
The aforementioned Symantec is a leading provider of encryption and authentication solutions. Encryption is vital to protecting your transactions, for example, and authentication to accessing online information. The firm has patents in predicting and responding to attacks, protects cloud-based PKI and secures communication between IoT devices. CA Technologies specialises in making sure devices are connected safely through API security, and Darktrace, a cyber security firm set up by former MI6 agents, utilises Artificial Intelligence to act as an immune system for your network in real time. There are many more service providers that can help tackle ever more security threats, including companies that hack your network for you as a way to determine vulnerabilities. It's just a case of navigating the market and analysing who can best help, and how.
Evidently, there are increasingly sophisticated offerings on the market that can help you integrate security measures across the product life cycle. The increased frequency and threat that cyber security poses to manufacturers, businesses, governments and consumers helps to explain the growth in cyber security-related products and services that are - for the first time in history - selling at a much faster rate than military hardware. There is a plausible reason for this: it is essential for decision makers to start embedding security into their business, if they have not already. Its success may well depend on it.
About
Nathan is a consultant at IoT ONE, a China-based consultancy that provides insight and advisory services that help companies manage the threats and opportunities brought about by the Internet of Things and 5G Technology.