At our peril: Innovating without security
Cover Image: Asia Pacific Security Magazine, May/June 2017

"While the benefits of IoT are undeniable, the reality is that security is not keeping up with the pace of innovation." – US Department of Homeland Security, Strategic Principles for Securing the Internet of Things (IoT), Version 1.0, November 15, 2016

Any business or government must have security before it can have productivity. Google’s Chief Economist was recently quoted as saying that if we don’t get a productivity boost from technology, we’re in real trouble. A few days later, Google announced: “We have taken action to protect users against an email impersonating Google Docs, and have disabled offending accounts. We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again.”

Not even the biggest company in the world is immune to the security problem every business and government is now facing.

Many are relying on the fourth industrial revolution to enter its build-out phase and generate new market opportunity and economic growth. However, technology productivity will fundamentally rely on a ‘security and safety’ platform. And although it is occurring in pockets, the indicators globally and across the Asia Pacific suggest the road to the Internet of Things is going to be a long, rocky one – indeed, people are already being murdered, live, online.

In this issue, IoT & Technology Correspondent Morry Morgan reports on the three security columns for the Internet of Things. Risk Analytics is expected to become a US$26.32 billion market by 2020. Risk is big business, and the IoT phenomenon is likely to drive this industry well above those lofty predictions. Part of the reason is the IoT’s rapid growth, estimated by McKinsey at 32.6% CAGR. The other is the lackluster attitude that many manufacturers of connected devices and IoT-enabled products have towards security. And that is because, to date, there is no legal liability for manufacturers to secure their products.

Just this week, an Australian security company, Mercury ISS, is reporting that it has created an exploit to access the software controlling more than 200 buildings, including sensitive government facilities such as the Lucas Heights nuclear plant in Sydney and a Royal Australian Air Force (RAAF) base.

In Singapore, an INTERPOL-led operation targeting cybercrime across the ASEAN region identified nearly 9,000 Command and Control (C2) servers and hundreds of compromised websites, including government portals. The operation brought together investigators from Indonesia, Malaysia, Myanmar, the Philippines, Singapore, Thailand and Vietnam to share information on specific cybercrime situations in each country. Additional cyber intelligence was also provided by China. Analysis identified nearly 270 websites infected with malware code that exploited a vulnerability in the website design application. Twelve of Singapore’s top 50 sites were serving active code from risky “background sites” categorised as Adult and Pornography, Gambling, Uncategorized Business and Economy, or Content Delivery Networks. Visiting these top 50 sites resulted in active code being loaded from no fewer than 233 different background domains.

The Indian government is striving towards a cashless economy by expanding the scope of digitisation across all activities. Yet cases of banking fraud from phishing, cloning of charge cards, cyber stalking, hacking of accounts and databases, and identity theft are already on the rise in India. Less than a fifth of the cases registered with the cyber police have been solved over the last four years. In Mumbai, the financial capital of the country, as much as 80 per cent of the crimes registered in 2016 have remained undetected. But moving to a cashless society may still be a good thing. A vulnerability has been discovered in GMV's Checker ATM Security. The defect allows an attacker to remotely run code on a targeted ATM to increase their privileges in the system, infect it and steal money. The software is used in more than 80,000 cash machines worldwide.

The Trend Micro Forward-looking Threat Research (FTR) Team reported in February that they had found tens of thousands of industrial devices residing on public IP addresses, which could include exposed industrial robots, further increasing the risk that an attacker can access and compromise them. The team found that the software running on industrial robots is outdated; is based on vulnerable OSs and libraries, sometimes relying on obsolete cryptographic libraries; and has weak authentication systems with default, unchangeable credentials. Five classes of attack were possible once the team was able to exploit any of the several weaknesses found in the industrial robot architectures and implementations: production outcome alteration or sabotage, ransomware-type schemes, physical damage, production line process interference, and sensitive data exfiltration. Given that industrial robotics will be used across critical systems such as transport, medical, defence and energy markets, you don’t need much imagination to consider the security and safety implications if they can be readily compromised.

In this issue, we cover a wide array of topics across the security domain, including piracy, robbery, terrorism and cybercrime. Yet we have dedicated the cover feature to Tony Caputo’s ‘Welcome to the Future’ article, in which he reflects on where humanity has been and, most importantly to us in the here and now, where we are going. As Tony correctly points out, “the digital universe continues to engulf our existence, now exponentially with every passing year. If you do not have a digital strategy for digital transformation, and I’m not just talking about your company, I’m talking about you: you’re almost three decades behind.”

And on that note, as always, we provide plenty of thought-provoking material, and there is so much more to touch on. Stay tuned with us as we continue to explore, educate, entertain and, most importantly, engage.

Chris Cubbage

Executive Editor


Wow, superb intro. Can't wait to read the issue...

Ilya Umanskiy, CFE, SI-Crypto

Fraud Risk Management, GRC, Asset Protection, Investigations, Crypto Risk Management. Enabling young and aspiring practitioners.

7 years

Many thanks for posting this, Chris! Our professional community as well as those we serve need to understand the current reality and the near future that awaits.
