Virtualization and Cloud executives share their predictions for 2017. Read them in this 9th annual VMblog.com series exclusive.
Contributed by Rick Conklin, Vice President of Engineering at Dispersive Technologies
Will 2017 Bring IoT-fueled Attacks on Government, Hospitals?
In 2016, the Internet of Things (IoT) dominated discussions
in the media and conferences. While many focus on the tremendous opportunity
IoT offers, large risks remain. In particular, IoT's biggest issue - safety -
is a thorny topic with which the industry is still grappling. For example,
2016's
DDoS attack on Dyn that took down several major websites such as Twitter
was caused by a bot army of unsecured IoT devices. This attack is only the tip
of the iceberg, and in 2017 we should expect more of the same, but websites
won't be the only targets. Unless manufacturers and users of connected devices
get serious about security, we will see these attacks evolve next year and
could extend to major government institutions and hospitals.
Here's what to expect
in 2017
According to a
study from HP, 70 percent of IoT devices are currently vulnerable to an
attack. While companies are working to improve that, a significant number of
IoT devices will be left unprotected in 2017. Additionally, Gartner predicts
over 20
billion IoT devices by 2020. Let's say that in the next three years the
number of secure IoT devices doubles, which means that only 40 percent will be
insecure. According to Gartner's estimate that means a total of 8 billion
devices by then: roughly equivalent to the population of the Earth. Imagine if
hackers had an 8 billion strong bot-army. That security risk is enormous
and game changing.
The risk
isn't necessarily from sophistication of attacks but poor security practices of
IoT users. Common practices such as using the default usernames and passwords
that are supposed to be used only for setup and then changed, are making it easy for attackers to take those devices and using them as botnets.
What's making the problem worse is that companies aren't doing much to stop
this and other poor security practices. A
recent study showed over 90 percent of corporate executives said they
cannot read a cybersecurity report and are not prepared to handle a major
attack and a stunning 98 percent of the most vulnerable
executives have little confidence that their firms constantly monitor devices
and users on their systems. It's clear that most C-Suite executives don't give cybersecurity enough
consideration.
Companies are not the only ones left wide open to an attack,
as the U.S government is reportedly
even worse off. Its agencies' weaknesses will be compounded by the growing
trends and pressure to continue to virtualize and expand their footprint with a
mass movement to the cloud and the integration of IoT devices. More
hypersensitive data will be transferred between multiple interconnected
platforms. I believe that as a result of these vulnerabilities, there is a
50/50 chance that a significant cyber warfare attack is instrumented against
the US government, the US military, US critical infrastructure, or the US
banking infrastructure. This organization will be ill-prepared and vulnerable; it
is also likely that the attack won't originate on IoT devices owned by the
government but instead will come from the outside.
Government infrastructure won't be the only targets; we also
predict that a major hospital will face a HIPAA violation for using an
unsecured smart medical device. Hospitals have a lot to gain from deploying the
IoT for crucial data/insights to improve patient care, but that means
cybersecurity will be even more crucial in an industry that already loses $5.6
billion each year to data breaches. The
FDA already recognizes that cybersecurity/HIPAA compliance is an important
issue and is working on creating standards and procedures, but that might not
be effective in preventing attacks. If a US hospital IoT breach doesn't sound
that dangerous, here's a
worst-case scenario example: a patient's insulin pump or other connected
medical device that is easily accessible with default passwords that have not
been reset. Poor IoT security will go far beyond acquisition of medical data
and has the potential to put the lives of patients at risk. In order to address
these concerns, hospitals will need to start by adopting improved security
practices such as: password management, policies to ensure all devices are up
to date/passwords get changed, network segmentation, software-defined network
overlays with security built in, and improved data management policies. Vital
to ensuring that these practices get used successfully will be administrators
that make them part of the hospital's workplace culture.
Conclusion
IoT security has to move from the conference presentations
to the boardroom, and 2017 will be a year of reckoning if IoT security is not
taken seriously. It can no longer be solely the IT department's responsibility to
keep enterprise data safe. Everyone in an organization needs to help take
responsibility, follow security procedures to the letter and be vigilant for
signs of danger. The good news is that there are security solutions out there
to help, even with technology as nascent as the IoT. A combination of advanced
software and a strong internal culture will give companies a cybersecurity
defense to make sure they're ready to take on potential attackers.
##
About the Author
Richard Conklin, Vice President, Engineering Dispersive Technologies, is a seasoned computer networking, switching and security expert with over 25 years of experience. He has 11 granted and several pending patents and specializes in developing and advancing innovative technologies. Past employers include Ciena Corporation (where he held the positions of Senior Principal Engineer and Senior Manager), Scientific Atlanta, Motorola and Siemens.