In October, a massive denial-of-service cyberattack on internet infrastructure company Dyn knocked huge swathes of the web offline for millions of Americans and Europeans, from Netflix to Twitter. It was the largest attack of its kind in history — and it was powered by an army of hacked webcams and smart devices with shoddy or non-existent security.
In short: The “internet of things” is a nightmare — a fundamental threat to the security and safety of the web.
But Google and other tech giants now have a plan to fix it.
New threats and security risks are emerging as utilities deploy Internet of Things (IoT) and cloud technologies. Mitigating these risks requires a combination of cybersecurity and physical security, putting a burden on both IT and operational technology (OT) staff. The question for utilities is how they can simplify compliance for IoT-connected grids so they can focus on larger goals like improving reliability and safety, and turning grid data into business value. A recent Forbes Insights ebook, Securing the Smart Grid, sponsored by Intel and Cisco, delves into the modern security landscape for utilities investing in IoT, and explores ways to simplify compliance, mitigate risk and boost reliability.
Optimists at CompTIA predict the number of connected “things” will grow 23.1% annually between 2014 and 2020, at which point 50.1 billion devices are expected to be in the wild. Consultants at Bain have a different view: Their surveys of over 600 executives found that 90% of companies aiming to deploy IoT at some point remain in the planning and proof-of-concept stage. Only 20% expected to “implement solutions at scale” by 2020.
You don’t need Sherlock Holmes to tell you that cloud computing is on the rise, and that cloud traffic keeps going up. However, it is enlightening to see the degree to which it is increasing: it is, in essence, about to quadruple in the next few years. By that time, 92% of workloads will be processed by cloud data centers, versus only eight percent being processed by traditional data centers.
The growing presence of connected devices is increasing efficiency in homes, workplaces and other areas of life that have seen the introduction of the IoT. Despite the expansion of connected devices, however, there remain a number of consumers who are reluctant to adopt the IoT due to security concerns.
One of the reasons for this is that security often remains an afterthought when developing a device that, once in the hands of the consumer, may contain vulnerable software, making the consumer an easy target for being hacked.
Don’t expect the Federal Communications Commission to rush into issuing network security rules anytime soon, even in the face of a congressional inquiry seeking the agency’s response to the massive Oct. 21 distributed-denial-of-service attack.
At issue is whether the FCC’s Open Internet rules restrict internet service providers’ ability to block insecure Internet of Things (IoT) devices from their networks and whether the commission should mandate greater safeguards.
But the commissioners generally believe the Open Internet order already gives ISPs sufficient leeway to protect their networks from vulnerable internet-connected devices without additional regulations or standards. And, according to FCC officials, there isn’t much of an appetite to issue any new mandates now.
Last week we experienced the first security attack publicly and widely attributed to the Internet of Things (IoT). This day has been a long time in coming. It’s really far from the first IoT security breach, mind you, but this is the first one that affected a wide group of people and received major press as an Internet of Things attack.
But this second wave of attacks appears to be affecting even more providers. According to Dale Drew, the chief security officer at Level 3 Communications, the attack is at least in part being mounted from a “botnet” of Internet-of-Things (IoT) devices.
Distributed denial-of-service attacks are a family of attacks that cause websites and other internet-connected systems to crash by overloading them with traffic. The “distributed” part means that other insecure computers on the internet—sometimes in the millions—are recruited to a botnet to unwittingly participate in the attack. The tactics are decades old; DDoS attacks are perpetrated by lone hackers trying to be annoying, criminals trying to extort money, and governments testing their tactics. There are defenses, and there are companies that offer DDoS mitigation services for hire.
Basically, it’s a size vs. size game. If the attackers can cobble together a fire hose of data bigger than the defender’s capability to cope with, they win. If the defenders can increase their capability in the face of attack, they win.
Earlier this month, an underground forum released the code for the Mirai malware, which lets attackers hijack the thousands (and counting) of Internet of Things devices that are used to carry out distributed denial-of-service attacks.
Of course it did. This hack means that everyone can now view the code that allowed someone using the name Anna-senpai to harness 380,000 bots via weak telnet connections. Let’s ignore for now that in 2016 there is absolutely no reason to have telnet on any IoT device.
That aside, much of the subsequent hand-wringing over default password damage control missed the one glaring thing that manufacturers, startups, and providers can do to prevent this sort of devastating vulnerability: Don’t use default usernames and passwords in the first place.
The most common reasons for using default usernames and passwords boil down to a few key arguments (when you leave out “we’ve always done it this way,” which I won’t even dignify with a response because I know if you’re reading this, that’s not an argument you care about).