Australia is in the midst of an IoT revolution. Recent research from the IoT Alliance Australia indicates that IoT technologies will create a potential $120 billion boost to the Australian economy by 2025. What started as a vanity accessory for early adopters and fitness fanatics has turned into the next national tech boom.
For CSOs, the considerations can be a minefield. As cheaper and simpler IoT devices flood the market, security is becoming an urgent and imminent threat. Due to the lack of security, these devices are becoming the access point of choice for hackers looking to compromise and weaponise them.
In the near future, when the majority of the world is online, early and late adopters alike will be living in smart cities filled with smart homes, bursting with dozens of Internet-enabled devices. At that point, IoT thingbots could threaten global stability if we don’t start doing something about it now.
The rise of the thingbot:
Traditional cybersecurity involves building a fortress around your network and engaging in a cat and mouse game with hackers to try to close off as many access points as possible. The rise of IoT is complicating the situation.
Distributed Denial of Service (DDoS) attacks can be directly linked to the increased adoption of IoT devices. The Mirai attacks, which started in 2016 but continue today, leverage a network of low security IoT devices and turned them into thingbots. From there, this army of compromised devices was used to form a botnet, which overwhelmed companies’ IT infrastructure with junk and malicious traffic.
This is a growth industry. Recent research by F5 Networks found that Telnet brute force attacks against IoT devices rose 249% year over year (2016–2017). It is also a global issue. The destinations of attack traffic span the globe, presumably without bias. Wherever vulnerable IoT infrastructure is deployed, attackers are finding it. The most attacked countries were the U.S., Singapore, Spain, and Hungary.
There are more IoT devices entering the market every day and hackers are refining their craft by experimenting with new Mirai derivatives. This means that IoT security will rapidly become a key investment priority for businesses as they rush to support the demand for smart devices now flooding the market.
Setting the networks up for success
As businesses continue to face the threat of IoT, CSOs must ultimately foster IoT-ready environments or risk being besieged by IoT thingbots. However, outside of targeted attacks, IoT devices can threaten a network just by their very existence. If a company’s network isn’t set up with the growth of IoT in mind, the influx of connected devices could cripple its infrastructure. Making sure your system is set up to handle IoT ensures benefits will be realised without compromising on the operational governance required to ensure availability and security of IoT network, data, and application resources.
As IoT devices become cheaper and therefore more accessible by the day, there will be a deluge of new devices into the market. As a result, it will be increasingly difficult to manage the security of devices that don't have it built in.
Whatever way an IoT ready infrastructure is constructed, it is a transformational journey for both IT and the business. It is not something that should be taken lightly or without a long-term strategy in place. When done properly, IoT ready infrastructure can bring significant benefits to an organisation and its people.
My advice to CSOs is that you need to have a DDoS strategy in place to keep your applications up and running under a thingbot attack. Set yourself up for success by planning for contingencies for critical services to ensure that you are agile in the face of chaos. Conduct regular security audits of IoT devices – the set and forget approach to security just isn’t an option any more. Finally, as always, educate your employees on the threat of IoT. Security awareness training is critical to limiting the number of insecure IoT devices that get deployed and please do me a favour by changing the default password.