As data becomes increasingly valuable, companies need to secure their IoT-enabled devices now, rather than wait until hackers find a way in.

Recently, attackers broke into an unnamed casino and stole data by compromising an internet-connected fish tank. If this were a plot device in a Hollywood thriller, the cyberattack method would likely be deemed far too implausible and left on the cutting-room floor — not to mention the preposterous idea that thieves find a better return on investment (ROI) in stealing data from a casino instead of stealing money. But both the method and “goods” targeted by the thieves are real.

As implausible as this scenario seems, increasing internet of things (IoT) adoption portends worse cybersecurity breaches unless businesses recognize the need to improve IoT components.

In the fish tank example, it is particularly ironic that the pun “phishing” evolved back to the original “fishing.” Phishing attempts to steal valuable information through deceit. An email, for example, elicits confidential information by pretending to come from a boss or colleague. Rather than attacking systems directly, phishing uses social engineering to prey on parts of computer systems that are traditionally far weaker: users. But in the weakest link contest, we have a contender rising quickly — IoT devices.

Unfortunately, IoT did not rise to the top of the weakest-link leaderboard because we the users all strengthened our security chops. Despite constant prescriptions for better user education, it is difficult to raise every user’s security prowess — and the resilience of a defense depends, by definition, on its weakest point. Instead, IoT devices may become the preferred path for attackers because an IoT path offers them far better ROI than a user path.

The use of “ROI” here is important. It’s tempting to think of security as a technical problem — one that we wish some smart technical folks would just solve. Despite many smart people working on it, this is highly unlikely. Instead, security is an economic problem — attackers are economic actors who will strike when benefits exceed costs and will turn their attention elsewhere when they don’t.

The “return” part of the attacker ROI is based on the value of data. The value of data has increased dramatically over the last decade. It stands to reason that the same data would be valuable to attackers as well. For example, transaction databases provide valuable insight on customer behavior, but our economy thrives on payment systems that rely on poorly kept secret numbers (for example, credit card numbers) that we must constantly supply to organizations in order to enable transactions. This “secret” information therefore has value to attackers, as it can readily be exchanged for goods and services. With IoT, the proliferation of devices offers numerous paths to that valuable data — even through a fish tank.

The “investment” part is where IoT currently lags. As businesses build and deploy weakly secured devices, attackers don’t have to exert significant effort to identify and exploit vulnerabilities. The effort to secure is out of balance with the effort to attack successfully. It is currently too hard for businesses to reduce attacker ROI.

With ROI like this, it doesn’t take Punxsutawney Phil or Carnac the Magnificent, much less fancy prescriptive analytics, to prognosticate that more stories like the casino fish tank are in our future. What can help change this future?

If securing devices is difficult or expensive, businesses won’t do it. The lure of features will divert effort away from increased security. Instead, it needs to be much easier for business IoT deployments to demand more effort from attackers. We can then depend on business laziness and frugality to change the ROI. The difficult part is how.

We’ve been here before. For example, in the early days of computing, each program had to develop its own data and indexing routines. With each program, just building minimally reliable data storage diverted costly development resources away from improved features. But reusable routines emerged, followed by dedicated libraries available for purchase, and then dedicated companies put considerable resources into reusable data storage systems (for example, relational databases or map-reduce clusters). Now every program can take advantage of millions of hours of development and refinement of sophisticated data storage algorithms, often at low or no cost.

With security, the situation is worse because security is so difficult to get right. As cybersecurity expert Bruce Schneier noted, “Amateurs produce amateur cryptography,” and most businesses are amateurs at securing IoT devices. Those developing security for their own devices are bound to make mistakes — unless they are a dedicated security company, as most, of course, are not. But even dedicated groups working openly on security make mistakes: In 2015, 4 million smart meters were found “rife with security issues” after deployment. Security is hard.

As a result, most businesses won’t be able to develop secure IoT devices on their own. They will need better components, both hardware and software, to build from. Societally, we cannot afford to have every organization grow their own devices through to mature products — the resulting security compromises will be staggering along the way as they mature. Components work because they allow economies of scale. They allow organizations dedicated to building secure components to acquire expertise, spend resources, and then be rewarded for their efforts.

Before getting too judgmental and thinking, “Who on earth needs an internet-enabled fish tank?” consider the benefits: The internet connectivity “allowed the tank to be remotely monitored, automatically adjust temperature and salinity, and automate feedings.” Remote monitoring, automated processes, reduced labor — these all sound like the benefits that most businesses desire from IoT.

It is exactly these benefits that technologies such as IoT and artificial intelligence promise. But unless businesses have secure components to build from, their data remains at risk.

1 Comment On: Safeguard Your Organization’s IoT Initiatives

  • Muhammad Moroojo | September 30, 2017

    Interesting article, there will always be risk of stealing associated wherever the data is being collected and processed. The big data today is like an oil which was found back in the past; whoever has access and the right leverage to gain profit out of it is going to make a lot of money. “Internet of things” (IoT). “The Internet of Things revolves around increased machine-to-machine communication; it’s built on cloud computing and networks of data-gathering sensors; it’s mobile, virtual, and instantaneous connection; and they say it’s going to make everything in our lives from streetlights to seaports “smart.” We will be having smart devices all around us. Sensors installed not only in devices but even in the cement will be collecting information and communicating with humans and other devices. This will not only increase the efficiency but also the safety for humankind. It seems like we are soon going to enter the world of “Matrix”; IoT is disrupting the physical world. Imagine sensors installed in cars communicating with drivers and smart roads! This will solve our problem of heavy traffic on the roads, and this means less pollution in the environment.
    According to Nate Williams (2017), the city of Barcelona saves $37 million a year, thanks to smart lighting. Intel forecasts 200 billion connected devices by 2020, nearly 25 connected devices for every person on earth. IBM believes that making sense of data embedded in intelligent devices is creating a significant market opportunity that is expected to reach $1.7 trillion by 2020. McKinsey & Co. estimates a potential economic impact of IoT systems of as much as $11.1 trillion per year in 2025. Approximately 70% of the value is derived from B2B applications.
    According to an article by Maciej Kranz (2017) in Harvard Business Review, companies who are willing to take advantage of implementing the internet of things will have to change their traditional ways. They will have to develop a partner ecosystem where interconnectivity is not only among devices but also among partners, customers and suppliers. They need to change the talent management strategy, like Siemens, a German giant company, which is offering a four-year degree in mechatronics and on-the-job training. And companies will have to focus on the business challenge, not the technology, like Harley Davidson, which formed a unified team from IT and operations and created a fully IoT-enabled plant. This allowed the company to shrink a fixed 21-day production schedule for new orders down to just six hours, reduce operating costs by $200 million, improve production efficiency, and reduce downtime. Plus, build-to-order cycle times sped up by a factor of 25, allowing the company to respond to customer desires far more quickly and efficiently.

    Amin Moroojo

    References
    Kranz, M. (August, 2017). Success with the Internet of Things Requires More Than Chasing the Cool Factor. Harvard Business Review. Retrieved September 29, 2017, from https://hbr.org/2017/08/success-with-the-internet-of-things-requires-more-than-chasing-the-cool-factor.

    Williams, N. (2017, September). Keep calm and automate to unlock the opportunity in the vertical Internet of Things. Retrieved September 29, 2017, from https://techcrunch.com/2017/09/28/keep-calm-and-automate-to-unlock-the-opportunity-in-the-vertical-internet-of-things/

    Burrus, D. (2017). The Internet of Things Is Far Bigger Than Anyone Realizes. Retrieved September 29, 2017, from https://www.wired.com/insights/2014/11/the-internet-of-things-bigger/
