We must work to minimize attackers’ incentive and opportunity while maximizing their risk.

Steve Grobman, Chief Technology Officer at Intel Security

May 17, 2016

5 Min Read

With the growth of the Internet of Things (IoT), we are rapidly approaching 50 billion connected devices (with varying degrees of security) that are becoming more and more valuable to attackers. We have already seen the beginnings of this shift, as cyberattacks against physical assets -- from cars to electric power stations -- move from science fiction to reality.

Cyberattackers, like anyone, are driven by incentives, and the greater the incentive, the more likely someone is to attack a particular target. We can express the probability of an attack against any particular target as the incentive times the opportunity, divided by the risk. 

Grobman-PP-image.jpg

Over the past few years, we have watched the variables in this equation change in value. Credit card data was an early opportunity, stolen and then quickly utilized before the numbers were cancelled. As companies increased their protection efforts, the incentive and opportunity decreased. Attackers explored other types of data theft, trying to find a new and valuable resource, with varying success.

This year, ransomware has been on the rise, delivering the promise of an even bigger payout. Instead of stealing credit card data and being burdened with figuring out how to monetize the asset, attackers have moved to a system where they can charge an immediate fee directly.  Through ransomware, cybercriminals encrypt data on a user’s device and simply make it unusable until the owner pays a ransom. The advent of Bitcoin and other crypto-currencies that support anonymous transactions further lowered the attackers’ risk.

Fueled by meaningful incentives and minimal risk, attackers looked for greater opportunities with larger payouts. We see ransomware actively moving from the consumer space -- charging a few hundred dollars to retrieve one’s photos or personal files -- to larger soft targets such as hospitals and universities. In recent news, we saw attackers charging these organizations (and being paid) thousands of dollars to get access back to critical business data. With this trend growing, large enterprises and IoT are just over the horizon as targets for ransomware attacks.

Incentive And Opportunity

The number and diversity of IoT devices rapidly becoming connected create an intriguing opportunity in the cyberactivity equation. We’ll soon have tens or hundreds of millions of potential targets, connected to physical assets such as water, energy, automobiles, and machinery, with many times the value of digital records. Incentive and opportunity both increase substantially. And the outcome of successful cyberattacks can literally be life-threatening.

Strategically, we need to approach IoT differently than we do the PC. In PC security, we work aggressively to prevent an attack, and fall back to quickly detecting an infiltration and remediating when necessary. With IoT, once an attacker perpetrates a successful exploit, it may be too late. Detecting an intrusion after your car has been driven off a cliff, electricity shut off, or factory machinery damaged is only so useful.

IoT requires a different approach than is used to defend traditional business systems. The current model, where the security industry is separated from the solutions industry (in the case of business, OSVs, ISVs etc.), does not scale to the diverse architectures that exist in the IoT landscape. Additionally, network opacity (most network traffic is becoming encrypted) restricts a network security approach to focus on only a small subset of threats. A new model is required where the security industry and IoT industry recast solutions architecture to enable both to contribute elements that they have expertise in.

We need to be forward-looking and purposeful with how we architect security in the burgeoning world of IoT. There are four steps we can take to affect the IoT cyberattack equation:

  1. Design with security in mind. All devices and solutions built around IoT have to be designed thinking about security from the outset. One example is using the concept of least privilege to minimize attackers’ opportunity: Devices, systems, and applications should have access to the bare minimum capabilities required to perform their function. Developers must understand the full lifecycle from shipping to decommissioning, follow coding best practices, and leverage the many hardware and software security capabilities available (hardware separation, ASLR etc.).

  2. Look at security from different levels of zoom. Valuable data is vulnerable and security breaches possible at all levels, from an individual sensor to a connected device to the overall system. System-level infiltrations may deliver the highest incentive to attackers, but breaches are possible at the sensor or device level. IoT security means understanding the full context of the system, as well as the individual components.

  3. Support the academic industry in producing more cybersecurity professionals. Ultimately, the security and IoT industries need to evolve and collaborate, from education to deployment. Cybersecurity should become a core discipline of engineering, alongside calculus, physics, and chemistry. Development lifecycles must include a security component, similar to the quality component. All of this must be researched, taught, and reinforced, from undergraduate programs to professional continuing education. 

  4. Think like the adversary to anticipate exploits and address them in advance. Finally, we need to continue to think like our adversaries, refining threat-agent profiles, identifying digital assets, and assessing weaknesses. Deployment processes must evaluate how to minimize the incentive and opportunity for attackers, while maximizing their risk.

We have adapted in the past as we learned about new threats, and we will have to again. But this adaptation is a big one for IoT because without it, a major evolution of our technology infrastructure is at serious risk of failure. 

About the Author(s)

Steve Grobman

Chief Technology Officer at Intel Security

Steve Grobman is the chief technology officer for Intel Security Group at Intel Corporation. In this role, Grobman sets the technical strategy and direction for the company's security business across hardware and software platforms, including McAfee and Intel's other security assets.

 

Grobman joined Intel in 1994 as an architect in IT and has served in a variety of senior technical leadership positions during his Intel career. Before assuming his current role in late 2014, he spent a year as chief technology officer for the Intel Security platform division. Prior to that role, he spent two years as chief technology officer at Intel's subsidiary McAfee to integrate security technology from the two companies.

 

In prior roles, Grobman served as chief security technologist for the Intel Atom processor system-on-chip design group and spent seven years as chief architect for Intel vPro technology platforms. In the latter position, he led work on the solutions architecture that resulted in a business platform with unique hardware-based management and security capabilities.

 

Before joining Intel, Grobman spent four years at IBM as a solutions programmer and developer. Grobman has published a number of technical papers and books, and holds 20 U.S. and international patents in the fields of security, software, and computer architecture, with about another 20 patents pending. He is also the recipient of two Intel Achievement Awards, the first earned in 2005 for the invention, initial architecture, and strategy of the first PC embedded appliance; and the second in 2007 for the success of the Intel vPro technology platform.

 

Grobman earned his bachelor's degree in computer science from North Carolina State University

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights