During the last few years, malicious IoT hacks have grown exponentially with no immediate signs of slowing, while hackers relentlessly pursue new and creative ways to attack and exploit organizations. According to the FBI, within the past six years, attackers have amassed $144 million in ransomware payments alone – and each new attack costs more than the last.
While previous hacking efforts tended to come from one random entity, there are actually now large, highly-organized criminal enterprises dedicated to extorting major businesses as opposed to individual people. Known as the “cyber mafia” and made up of hundreds of “employees,” its strategic and organized approach has allowed them to extort millions of dollars from corporations.
Cybercriminals have increasingly become focused on attacking operational technology (OT) versus traditional IT systems. OT refers to any system used to run a business, including physical hardware in manufacturing plants and machinery, offices, access control systems and other critical infrastructure. Attackers now prey on OT systems because manufacturers neglect issuing security updates and regular patches, which makes it easier for attackers to enter corporate networks. Many companies aren't even aware of these attacks and therefore have become prime targets. A perfect example happened in 2016, when a malware attack known as Industroyer took control of a Ukrainian power grid and left an entire part of Kiev without power for a full hour. Its programming allowed for it to directly attack electric switches, circuit breakers and protection relays.
In its 2020 X-Force Threat Intelligence Index, IBM found that hackers continue to pursue these new vectors across IoT, OT and connected industrial and medical systems. OT attacks increased 2,000% in 2019 versus 2018 alone and the Cybersecurity and Infrastructure Security Agency of Homeland Security has recently taken action by issuing the AA20-205A security alert, which recommends immediate steps to reduce the security exposure across operational technologies and control systems.
As more IoT devices are introduced into these systems, and as companies try to cut costs by leveraging technology such as inexpensive sensors, the risk of being hacked has clearly multiplied. Today, everything from fire alarms, access control systems to city power grids like that in Kiev can end up at the mercy of a criminal organization. Hackers are well-aware that these organizations will do anything –including pay a large ransom – to avoid negative impacts to their operations, reputations and bottom lines.
Unfortunately, even as OT attacks spread, big corporations don't usually update security. Some of the reasons include the extensive amount of time required, the need to pause operations, fear of losing a major investment and the overall notion that too many companies don’t take the threat of cyberattacks seriously.
Organizations must improve their security defenses to combat the cyber mafia. Here are a few steps they can take:
- Run frequent updates and patches. Companies must assume that they are just as vulnerable as any of those that have come under fire thus far. Start by investing time into regular updates and patches on devices as part of overall security processes. Avoid the often knee-jerk reaction to cut corners and costs that result in deploying the cheapest sensors. With better technology deployed, organizations will be in a stronger position to combat the potential effects of cyberattacks.
- Aim for greater visibility. Companies that create visibility along the supply chain, within the organization and its back-end systems, and across potential vulnerabilities will make smarter decisions. Organizations must proactively understand and mitigate existing threats to protect their employees and customers. Start with vulnerability scans and work your way to “fuzzing” techniques that search for errors and security loopholes in software.
- Partner and learn from industry leaders. Security teams can’t wait for the government to regulate IoT security. Leading organizations, like the ioXt Alliance have taken the initiative to address IoT security issues. The trade group offers access to other industry leaders who offer expertise on cybersecurity risks, including through lab or self-certification options for connected products. The alliance also spends a lot of time working with manufacturers and developers to get them to improve the security of IoT devices and software.
Companies now have any number of opportunities to learn about IoT security. These IoT systems run our manufacturing plants, offices, transportation systems, and utilities. With the threat landscape so dangerous, companies really do have to focus-in and develop an IoT strategy. Our lives depend on it.
Mike Dow, senior product manager, IoT Security, Silicon Labs, and board member, ioXt Alliance