Asia Pacific Security Magazine, May/June 2017

Page 33

Cyber Security

they will remain vulnerable indefinitely. And that risk is not limited to the individual drivers. The economy of a city, with hundreds or even thousands of vulnerable vehicles on its roads, is at the mercy of hackers and could potentially be held to ransom.

On a smaller scale, suppliers of IoT-enabled hardware could be liable if a DoS attack results in a lack of accessibility that contravenes the vendor’s Service Level Agreement (SLA). Damages for loss of business and even damage to reputation are a potential liability.

Confidentiality

With IT, you might have your credit card numbers stolen. But with IoT your whole family might be starring in their own public ‘Big Brother’. Since its creation in 2009, the website Shodan, which touts itself as ‘the search engine for the Internet of Things’, has highlighted the thousands of vulnerable unsecured IoT devices, many of which are home webcams and baby monitors. While Shodan itself is not malicious in nature, it highlights how IoT has infiltrated our lives and is a serious threat to our privacy, particularly for the non-tech savvy.

Take, for example, CNET’s warning in February 2015 that the newly launched Samsung Smart TV’s privacy policy states, “if your spoken words include your personal or other sensitive information, that information will be among the data captured and transmitted to a third party”. This threat to confidentiality barely made technology magazine headlines, but that all changed this year when a cache of Wikileaks documents accused the CIA and UK’s MI5 of conspiring to use this feature for their own clandestine operations. Most worrying was the general lack of outrage, which is a reminder of how laissez-faire the general population has become regarding confidentiality.

Integrity

Data doesn’t need to be blocked or stolen to be a security issue. It can also be modified without the owner’s knowledge. In 2010, the Stuxnet cyber-weapon infiltrated the Iranian nuclear program.
Rather than crashing targeted computers or searching for classified information, it escaped the digital realm to wreak physical destruction on a number of centrifuges. Instead of just spinning the uranium enrichment centrifuges at 63,000 rpm, Stuxnet modified their speeds across a range from 120 to 84,000 rpm. In doing so, the centrifuges passed through critical speeds, also called harmonics, that resulted in slight and damaging vibrations. The result of this digital attack was the physical damage of approximately 1000 of the 10,000 IR-1 centrifuges at the Natanz Fuel Enrichment Plant, and huge delays to Iran’s ambition to become a nuclear power.

To be fair, Stuxnet probably accessed Natanz via a USB drive, rather than an IP address, but it is still a good example of how a compromise of data integrity can be as damaging as a loss of confidentiality or accessibility.

Worrisome indeed. But perhaps more so for Australian businesses, which Professor Michael Johnson, Scientific Director at the Optus/Macquarie University Cyber Security Hub, says are “known internationally” for having an “enormous skills gap”. Johnson highlights that cybercriminals, in particular, target Australian banks more often than those in Singapore and Japan, because of the “lack of tech-aware standards”. And if the ‘Big Four’ Australian banks, all of which are in the Top 10 ASX listed companies, lack the means to reduce their risk of cyber-attack, then it is likely that this is more so for other listed and private companies here in Australia.

Worse still, this risk is only growing. According to Forbes, the total volume of data generated by IoT will reach a staggering 600 zettabytes (ZB) per year by 2020 worldwide. In comparison, traditional global data centre traffic will only reach approximately 15.3 ZB by the same year. It is therefore predicted that, with this massive increase in traffic, IoT attacks will reach 25% of total cybercriminal behaviour.

The Internet of Things, combined with Cloud computing and ubiquitous broadband, are the key technologies that will improve how we live, work, and interact with one another, and will massively improve efficiencies and create new opportunities for business. But this is a two-edged sword. The IoT-connected world expands the risk and liability to include the physical environment, specifically health and safety. Heating, ventilation and air-conditioning (HVAC), medical devices, autonomous vehicles, and even basic industrial IoT sensors, just to name a few, could be our best friend, or our worst enemy. That outcome depends on measures taken to IoT-proof the three cyber security pillars.
