IoT vendors can no longer ignore security compliance
On 4 November 2016, it was reported that the entire internet infrastructure of the African nation of Liberia had been knocked off-line after it was targeted by hackers using the same weapon that caused the largest cyberattack in history only last month.
The attack on Dynamic Network Services Dyn, a New Hampshire-based Domain Name Server DNS on October 21 was a massive distributed denial of service incident. This type of attack is not new, and is based on standard techniques where a network of infected computers, a botnet, are directed to bombard its target with traffic, overloading its servers.
The weapon used in the October attack, the Mirai botnet, was particularly effective because it harnessed infected, internet-connected devices, or so-called Internet of Things devices, which, ominously from an expanding cyber threat landscape standpoint, are finding their way into more households around the world.
The same weapon was reportedly used for several days in continued attacks on the West African nation of Liberia, where two companies that co-own the only fibre going into the country are being targeted. During the attacks, websites inside the country are rendered unavailable.
At this stage it is unknown who is wielding the Mirai botnet against Liberia, or whether it is a state actor or independent hackers. The attack on Dyn last month already raised a number of serious concerns regarding the evolution of DDoS attacks, and their massive real-life consequences given the increasing interconnectivity in a rapidly digitising world.
This latest incident raises alarm even further.
#1 The national level impact of the attack on Liberia, which could affect the functioning of critical national infrastructure, which could in turn have devastating real-life consequences, even resulting in the loss of life.
#2 The particular Mirai botnet that is attacking Liberia, officially named Botnet 14, has a Twitter account and is open source, meaning it can and is being shared, and anyone with the requisite technical skill can use it.
#3 DDoS are successfully targeting connected devices with lower cyber security postures to gain access to high-value networks and targets, with severe consequences.
Given the relentless rise of the Internet of Things and the fact that the very devices that are being hacked to orchestrate these types of incidents, are the same ones finding their way into our lives at an ever-expanding rate. The cascading effects of this latest attack have implications at every level of digital transformation.
It has been previously predicted that the rise of IoT will prompt similar attacks in the future as inadequately secured IoT devices will continue to be an engine to facilitate breaches.
Protecting digital environments in the age of the IoT and ultimately Internet of Everything requires a new type of standardisation and regulation approach to be adopted, which ultimately penalises the vendors flooding the market with insecure devices.
It is far harder, if not impossible, to attempt to dissuade the threat actors from pursuing their chosen course of action, and it is not an ideal scenario to look to manage the effects of an attack after it has already occurred. The area in which the greatest pressure can be brought to bear in order for a more robust cyber security position to proliferate in IoT environments is at the device level, and more specifically the manufacturers of those devices.
At present there is no regulation or standardisation requiring a base-line security standard for IoT, meaning there is little incentive to make device manufacturers meet any minimum criteria of security, as there are few, if any commercial repercussions for not having done so outside of successful third-party litigation.
For as long as device manufacturers are removed from the negative financial and logistical impacts triggered by the compromise of poorly secured devices, we will continue to count the escalating costs of botnet attacks through IoT devices.
Minimum cyber security levels should not be an optional feature for IoT device manufacturers. Rather there should be mandatory standards and controls introduced, and high commercial sanction for vendors that fall short of them, given that such oversights jeopardise the security of the digital eco-system for all connected stakeholders.
Harshul Joshi is Senior Vice President of Cyber Governance, Risk and Compliance at DarkMatter.