As data becomes increasingly valuable, companies need to secure their IoT-enabled devices now, rather than wait until hackers find a way in.
Recently, attackers broke into an unnamed casino and stole data by compromising an internet-connected fish tank. If this were a plot device in a Hollywood thriller, the cyberattack method would likely be deemed far too implausible and left on the cutting-room floor — not to mention the preposterous idea that thieves find a better return on investment (ROI) in stealing data from a casino instead of stealing money. But both the method and “goods” targeted by the thieves are real.
As implausible as this scenario seems, increasing internet of things (IoT) adoption portends worse cybersecurity breaches unless businesses recognize the need to improve IoT components.
In the fish tank example, it is particularly ironic that the pun “phishing” evolved back to the original “fishing.” Phishing attempts to steal valuable information through deceit. An email, for example, elicits confidential information by pretending to come from a boss or colleague. Rather than attacking systems directly, phishing uses social engineering to prey on parts of computer systems that are traditionally far weaker: users. But in the weakest link contest, we have a contender rising quickly — IoT devices.
Unfortunately, IoT did not rise to the top of the weakest-link leaderboard because we the users all strengthened our security chops. Despite constant prescriptions for better user education, it is difficult to raise every user’s security prowess — and the resilience of a defense depends, by definition, on the minimum weakness. Instead, IoT devices may become the preferred path for attackers by creating far better ROI for attackers along an IoT path rather than a user path.
The use of “ROI” here is important. It’s tempting to think of security as a technical problem — one that we wish some smart technical folks would just solve. Despite many smart people working on it, this is highly unlikely. Instead, security is an economic problem — attackers are economic actors who will strike when benefits exceed costs and will turn their attention elsewhere when it doesn’t.
The “return” part of the attacker ROI is based on the value of data. The value of data has increased dramatically over the last decade. It stands to reason that the same data would be valuable to attackers as well. For example, transaction databases provide valuable insight on customer behavior, but our economy thrives on payment systems that rely on poorly kept secret numbers (for example, credit card numbers) that we must constantly supply to organizations in order to enable transactions. This “secret” information therefore has value to attackers, as it can readily be exchanged for goods and services. With IoT, the proliferation of devices offers numerous paths to that valuable data — even through a fish tank.
The “investment” part is where IoT currently lags. As businesses build and deploy weakly secured devices, attackers don’t have to exert significant effort to identify and exploit vulnerabilities. The effort to secure is out of balance with the effort to attack successfully. It is currently too hard for businesses to reduce attacker ROI.
With ROI like this, it doesn’t take Punxsutawney Phil or Carnac the Magnificent, much less fancy prescriptive analytics, to prognosticate that more stories like the casino fish tank are in our future. What can help change this future?
If securing devices is difficult or expensive, businesses won’t do it. The lure of features will divert from increased security. Instead, it needs to be much easier for business IoT deployments to demand more effort from attackers. We can then depend on business laziness and frugality to change the ROI. The difficult part is how.
We’ve been here before. For example, in the early days of computing, each program had to develop data and indexing routines. With each program, just building minimally reliable data storage diverted costly development resources away from improved features. But reusable routines emerged, followed by dedicated libraries available for purchase, then dedicated companies put considerable resources into reusable data storage systems (for example, relational databases or map-reduce clusters). Now every program can take advantage of millions of hours of development and refinement of sophisticated data storage algorithms, often at low or no cost.
With security, the situation is worse because security is so difficult to get right. As cybersecurity expert Bruce Schneier noted, “Amateurs produce amateur cryptography,” and most businesses are amateurs at securing IoT devices. Those developing security for their own devices are bound to make mistakes — unless they are a dedicated security company, as most, of course, are not. But even dedicated groups working openly on security make mistakes: In 2015, 4 million smart meters were found “rife with security issues” after deployment. Security is hard.
As a result, most businesses won’t be able to develop secure IoT devices on their own. They will need better components, both hardware and software, to build from. Societally, we cannot afford to have every organization grow their own devices through to mature products — the resulting security compromises will be staggering along the way as they mature. Components work because they allow economies of scale. They allow organizations dedicated to building secure components to acquire expertise, spend resources, and then be rewarded for their efforts.
Before getting too judgmental and thinking, “Who on earth needs an internet-enabled fish tank?” consider the benefits: The internet connectivity “allowed the tank to be remotely monitored, automatically adjust temperature and salinity, and automate feedings.” Remote monitoring, automated processes, reduced labor — these all sound like the benefits that most businesses desire from IoT.
It is exactly these benefits that technologies such as IoT and artificial intelligence promise. But unless businesses have secure components to build from, their data remains at risk.