Page 67 - Cyber Defense eMagazine - September 2017

Challenges and Opportunities in Securing the IoT


               By Sudarshan Krishnamurthi, head of business strategy for Cisco’s education services


               IDC estimates the economic value of digital transformation to be $20 trillion, or more than 20
               percent of the global gross domestic product. While the business opportunity is tremendous,
               digital transformation has not yet become the status quo for companies. Of more than 1,600
               companies IDC studied, 67 percent are in the early stages of their transformation as “digital
               explorers” or “digital players,” and fewer than 5 percent of companies are fully transformed.

               Digital transformation in general, and IoT in particular, can help organizations become more
               efficient and more responsive to their customers. It also can allow businesses to expand their
               operational models from one-time product sales to models that generate recurring revenue.

               So, while digital transformation is what accelerates business opportunity, implementing IoT itself
               has challenges. These include figuring out how to secure connected devices, networks and the
               data they handle.

               Complex Security Questions
               IoT devices pose a “double agent” risk: they can bring tremendous value to an organization but
               can also be enlisted to help stage attacks. The rapid and wide-scale adoption of connected
               sensors and IoT devices in manufacturing, finance, telco and utility industries means that the
               global economy’s critical infrastructure is increasingly vulnerable to these attacks.

               In October 2016’s Mirai botnet attack, hackers leveraged an army of insecure IoT devices to
               launch a denial-of-service (DoS) attack on an internet infrastructure company. The attack used
               tens of millions of connected devices, including closed-circuit television cameras, DVRs and
               routers, owned by a range of companies and individuals who were unaware of the attack.
               Many high-profile online services and websites were attacked and incurred system
               downtime as a result.

               The internet infrastructure company targeted in this case said it commonly sees distributed
               denial-of-service (DDoS) attacks. But, it added, the use of internet-enabled devices is now
               opening the door to a whole new scale of attack.

               One challenge to securing these environments is that many IoT endpoint manufacturers simply
               have not built security into their products. Even controllers that operate in every industrial
               environment lack basic security protections like authentication and encryption. This means most
               industrial control system (ICS) attacks do not need to exploit software vulnerabilities. Hackers
               just need access to the controllers to change configuration, logic and state.

               Also, connected devices frequently have easily exploited vulnerabilities, like default passwords
               that never get changed, remote access backdoors meant for use by field service technicians
               (which can also be an “in” for hackers) and weak authentication. Some device manufacturers
