With the growth of the Internet of Things (IoT), we are rapidly approaching 50 billion connected devices (with varying degrees of security) that are becoming more and more valuable to attackers. We have already seen the beginnings of this shift, as cyberattacks against physical assets -- from cars to electric power stations -- move from science fiction to reality.
Cyberattackers, like anyone, are driven by incentives, and the greater the incentive, the more likely someone is to attack a particular target. We can express the probability of an attack against any particular target as the incentive times the opportunity, divided by the risk.
Over the past few years, we have watched the variables in this equation change in value. Credit card data was an early opportunity, stolen and then quickly utilized before the numbers were cancelled. As companies increased their protection efforts, the incentive and opportunity decreased. Attackers explored other types of data theft, trying to find a new and valuable resource, with varying success.
This year, ransomware has been on the rise, delivering the promise of an even bigger payout. Instead of stealing credit card data and being burdened with figuring out how to monetize the asset, attackers have moved to a system where they can charge an immediate fee directly. Through ransomware, cybercriminals encrypt data on a user’s device and simply make it unusable until the owner pays a ransom. The advent of Bitcoin and other crypto-currencies that support anonymous transactions further lowered the attackers’ risk.
Fueled by meaningful incentives and minimal risk, attackers looked for greater opportunities with larger payouts. We see ransomware actively moving from the consumer space -- charging a few hundred dollars to retrieve one’s photos or personal files -- to larger soft targets such as hospitals and universities. In recent news, we saw attackers charging these organizations (and being paid) thousands of dollars to get access back to critical business data. With this trend growing, large enterprises and IoT are just over the horizon as targets for ransomware attacks.
Incentive And Opportunity
The number and diversity of IoT devices rapidly becoming connected create an intriguing opportunity in the cyberactivity equation. We’ll soon have tens or hundreds of millions of potential targets, connected to physical assets such as water, energy, automobiles, and machinery, with many times the value of digital records. Incentive and opportunity both increase substantially. And the outcome of successful cyberattacks can literally be life-threatening.
Strategically, we need to approach IoT differently than we do the PC. In PC security, we work aggressively to prevent an attack, and fall back to quickly detecting an infiltration and remediating when necessary. With IoT, once an attacker perpetrates a successful exploit, it may be too late. Detecting an intrusion after your car has been driven off a cliff, electricity shut off, or factory machinery damaged is only so useful.
IoT requires a different approach than is used to defend traditional business systems. The current model, where the security industry is separated from the solutions industry (in the case of business, OSVs, ISVs etc.), does not scale to the diverse architectures that exist in the IoT landscape. Additionally, network opacity (most network traffic is becoming encrypted) restricts a network security approach to focus on only a small subset of threats. A new model is required where the security industry and IoT industry recast solutions architecture to enable both to contribute elements that they have expertise in.
We need to be forward-looking and purposeful with how we architect security in the burgeoning world of IoT. There are four steps we can take to affect the IoT cyberattack equation:
We have adapted in the past as we learned about new threats, and we will have to again. But this adaptation is a big one for IoT because without it, a major evolution of our technology infrastructure is at serious risk of failure.Steve Grobman is the chief technology officer for Intel Security Group at Intel Corporation. In this role, Grobman sets the technical strategy and direction for the company's security business across hardware and software platforms, including McAfee and Intel's other security ... View Full Bio