
Asia Pacific Security Magazine, May/June 2017

Page 32

Cyber Security

The three columns of IoT security

By Morry Morgan, IoT & Technology Correspondent

Risk Analytics is expected to become a 26.32 billion US dollar market by 2020. Risk is big business, and the Internet of Things (IoT) phenomenon is likely to drive this industry well above those lofty predictions. Part of the reason is the IoT’s rapid growth, estimated by McKinsey at 32.6% CAGR. The other is the lackluster attitude that many manufacturers of connected devices and IoT-enabled products have towards security. And that’s because, to date, there is no legal liability for manufacturers to secure their products.

Last year’s Dyn attack by the Mirai botnet, which involved over 100,000 independent IP addresses – presumably from unsecured modems and digital video recorders with default passwords – caused hundreds of thousands of US dollars in lost revenue for the affected websites. But the companies that manufactured the IoT devices escaped scot-free.

This is worrying, because unlike IT, IoT extends from the digital realm into the physical. In innocuous uses of IoT, a digital app can turn on a physical ceiling fan, and a digital sensor can regulate a farmer’s physical water pump. In these examples, the liability resulting from poor security is somewhat limited. Where risks begin to mount, however, is within larger IoT ecosystems, like transportation. Next year, if the National Connected Multimodal Transport (NCMT) Test Bed in Melbourne is on track, a digital camera mounted on a tram will be able to change the physical traffic lights, to help alleviate congestion. Little imagination is needed to see the possible worst-case scenarios, should these IoT-enabled traffic lights be hacked. Understandably, the NCMT project is cautiously starting with a 5 square km zone within Melbourne, to mitigate this risk.

The IoT Alliance Australia (IoTAA) understands the seriousness of unsecured IoT devices and is actively discussing how to plug this gaping neglect-of-duty hole left by manufacturers, with a combination of shaming and litigation. But until the laws are written, it’s important to understand the risks and liability associated with a breach of any of the three cybersecurity pillars – Accessibility, Confidentiality, and Integrity – and how they relate to the emerging world of IoT.

Accessibility

Accessibility is about being able to access data when, where and however it is needed. In IT, a Denial of Service (DoS) attack can crash a digital website or company’s server. In IoT, a DoS attack can crash a car. In July 2015, hackers Charlie Miller and Chris Valasek digitally cut the transmission of a Jeep Cherokee driving on a busy US interstate highway. The result could have been disastrous, or even deadly, had the attack not been launched by ‘white-hat hackers’ and the driver not been a Wired journalist in on the experiment. Thankfully, only Chrysler’s pride was injured.

But that doesn’t mean this vulnerability has been solved. As with many IoT devices, ranging from digital video recorders to refrigerators and even dishwashers, the patch requires technical know-how, and in the case of Jeep, a dealership mechanic. For many Jeeps, or in fact any Fiat Chrysler cars with the ‘Uconnect’ cellular connected computer installed,


Asia Pacific Security Magazine, May/June 2017 by MySecurity Marketplace - Issuu