IoT Security Standards & Collaboration
By: Scott St. John
The demand for connected devices is seemingly insatiable. Based on most estimates, there are billions of connected devices online today, generating hundreds of billions of dollars in revenue, and
this is estimated to grow to over $1 trillion across
Internet of Things (IoT) market segments by 2026. Add to that another $13
trillion in estimated IoT platform revenue and the predicted momentum behind IoT is truly astounding.
When you drill down a little deeper, you see there is a wide range of IoT devices behind this boom, spanning everything from your video doorbell to appliances, industrial equipment, data centers,
medical devices and extraterrestrial satellites. Whether we use them at home, manage them at work, wear them, or have them physically embedded inside of us, one thing is certain: we are really
just beginning to scratch the surface of the IoT opportunity and the grave risks associated with it.
Just under four years ago, a brute-force DDoS attack against Internet service provider Dyn was
launched using the Mirai botnet, leveraging millions of IoT connected devices—such as
relatively inexpensive webcams and DVRs—to bring down nearly 1,700 commercial websites including Amazon, Paypal, and Netflix, and knock out the Internet across most of the Eastern United States. The damage estimates
are staggering and encompass (nearly 10 percent of) Dyn customers who
churned in the wake of the attack, and the loss of business from some of the world’s largest online marketplaces. Today, a single cybersecurity breach can cost a company millions to tens of millions of dollars in damages and recovery
While the Dyn attack may seem like somewhat old news, it marked a tipping point in IoT security at a time when IoT was just taking off. The Dyn attack demonstrated the use of an
unprecedented number of devices, speed, coordination, and regulatory response. While prior attacks leveraged hundreds of devices, the Dyn attack leveraged millions. Prior attacks had reached
speeds of 620 gigabytes per second, but the Dyn attack set record speeds at 1.2 terabytes per second. The size, speed, and level of sophistication or this attack is a bad omen. The Mirai botnet
is now widely dispersed, making this type of attack more likely—and raising legitimate security concerns that the frequency and severity of these types of attacks is expected to increase.
What’s more, the increased frequency and severity of attacks like these have prompted a global IoT security response. With the ever-increasing concerns for data privacy, regulators have been
frantically scrambling to catch up. This encompasses everything from new regulatory compliance criteria for cybersecurity certification, to significant penalties (up to $7,500 per incident), and regulatory liability (such as GDPR) for future
breaches—which equates to tens of millions of
dollars, at a minimum. In fact, the proposed California legislation attempts to protect consumers by enabling them to sue device manufacturers for statutory damages for data breaches, and the
proposed UK regulation goes so far as to allow the government to seize and
destroy non-compliant IoT devices.
But the potential threat of regulatory penalties and civil liability actually pales
in comparison to the magnitude of damage that could be wrought as literally billions of IoT devices continue to come online. It’s not so much what these devices are as much as it is what they do,
how mission critical they have become, and how they could be misused for malfeasance. IoT connected devices control portions of the power grid. They are used in medicine for things such as insulin pumps and pacemakers. IoT connected devices are used in agriculture to
help control and manage the global supply chain. They are used for air traffic control, banking, self-driving vehicles, dynamic highway traffic control, and much more—most of which has already been hacked or proven to be vulnerable to attack. All
of this makes the potential and even damaging attacks practically imminent—and the dispersion of malware such as the Mirai botnet, and the possibility of new more destructive variants, frankly
Experts have been calling for wide sweeping action from government regulators, connected device manufacturers, IoT
vendors, standards development organizations, and everyday citizens for years now. Yet surprisingly, the regulation has been met with opposition. And, while there are IoT standards development
organizations making headway, you probably don’t know them well. At least not yet.
Pipeline recently had an opportunity to interview Joerg Borchert, president of Trusted Computing Group (TCG); Amy Nelson, TCG’s technical committee co-chair; and
*** This is a Security Bloggers Network syndicated blog from Trusted Computing Group authored by TCG Admin. Read the original post at: https://www.pipelinepub.com/data-agility/IoT-connected-device-security#new_tab