Mitigating the cyber risks of IoT and finding solutions

The last decade has seen unprecedented development of the Internet of Things (IoT) landscape, enabled by new distributed network technologies. McKinsey estimates that by 2025, the world will own 50 billion networked devices, up 400% from 2010, and contributing US$11 trillion (€10 trillion) to economies.

While this proliferation of IoT devices in recent years has created exciting opportunities for businesses, governments and individual consumers, it has created new risks which require mitigation. With such rapid development and implementation of IoT technologies, threats and attacks are a clear concern for individuals as well as organisations globally.

Andrea Gaglione, IoT expert and technology lead at Brit Insurance, examines the potential risks of IoT, and his colleague, cyber underwriter Ben Maidment, identifies the steps that users, developers and insurers can take to protect themselves from them.

What are the risks?

Crucially, the understanding of the risks and potential cyber vulnerabilities associated with IoT is still evolving – and in order to implement mitigation measures and solutions, these potential risks must be identified. Unfortunately, in many cases, it is increasingly becoming clear that these weak points are only identified after a breach or cyber-attack has taken place.

  • Data loss

Security and cyber threats grow exponentially with the size of the potential ‘attack surface’ and the number of network entry points, which makes IoT systems particularly susceptible. Recent data shows that 26.66 billion IoT devices were active in 2019 and 127 new devices are being connected to the internet every second.

As this scales up, the key challenge is the management and protection of all the data that IoT devices capture, use and transmit, especially in light of recent high-profile data breaches and the punitive fines associated with the GDPR (General Data Protection Regulation). A primary concern, as with most cyber risks, is the loss or compromise of data, especially customer and personal data. Examples of IoT devices collecting large amounts of personal data which may be particularly vulnerable include smart wearables which monitor, collect and transmit health data.

  • Business disruption and interruption

As supply chains and business processes become more reliant on networked devices to achieve greater efficiency, companies are more at risk of attack. Significant business interruption, through devices being taken offline by a hack, can result in a significant loss of revenue in the short term, as well as a loss of reputation and trust in the longer term.

In addition to exploiting IoT device vulnerability to enter a network, bad actors can also utilise a series of unsecured IoT devices to divert data and launch Distributed Denial of Service (DDoS) attacks. In 2016, bad actors compromised more than 25,000 digital video recorders and CCTV cameras, diverting their data in order to launch a DDoS attack that brought down the servers of Dyn, a major US DNS provider. This triggered internet outages in the US and Europe, bringing down high-profile websites such as Twitter, Netflix, GitHub and Reddit.

  • Cyber physical

Finally, an emerging risk of IoT (and indeed cyber more broadly) is cyber-physical risk, whereby a cyber-attack can result in physical damage. This can range from networked medical devices such as pacemakers, to self-driving cars or expensive industrial processes. A malicious hack that takes control of these devices could lead to costly, and potentially physical, damage or danger to life. For example, last year the US Food and Drug Administration issued an alert warning that some insulin pumps are vulnerable to hackers, who could remotely gain access to and potentially change the pump’s settings.

How can we mitigate the risk?

  • Security & privacy by design

So far, for IoT manufacturers there has been a perceived compromise between the speed of bringing a product to market and the robustness and security of the system. As we have seen with the first wave of IoT, security wasn’t considered a priority requirement. However, we have seen a growing focus on privacy following high-profile data breaches and new data regulation.

In our view, security should be paramount in the design of new IoT devices, and continuous measures must be put in place to maintain and improve the security of both new and existing devices.

  • Best practice cyber security

Users themselves, whether individuals, companies or the public sector, have a responsibility to adopt best practice when it comes to cyber perils, and awareness and education are critical. Organisations need to balance the desire for the connectivity and efficiency that IoT technologies offer with the risks that such connectivity creates, particularly given the lack of emphasis on security in the development of such products.

In the same way as they would manage a traditional operating system, individuals should play an active role in shaping company policy on IoT and be responsible and up to date on the threats facing their businesses. Many of these measures have become second nature in traditional IT but are only slowly being adopted for IoT devices.

Simple steps that users can take to reduce risk (and limit liability in the event of a cyber incident) include: using strong passwords and security keys, updated regularly; monitoring devices and systems to detect and respond to security events; and continuously updating the security of devices by downloading software patches from the manufacturers.

What solutions does insurance provide?

Insurers have a crucial role in mitigating these risks, both by educating companies to minimise them and by providing financial and other support should IoT devices be compromised and result in business interruption, physical damage or the theft of data.

Cyber insurance policies can cover the first-party and third-party financial and reputational costs if data or systems have been stolen, damaged or compromised. First-party cover ranges from the cost of investigating and recovering from a cybercrime, loss of income incurred through business interruption, and reputational rehabilitation and management, to extortion payments paid to hackers. Third-party coverage includes damages and settlements, and the cost of legally defending yourself against fines resulting from a breach.

The best forms of cyber insurance are not just a product, but a service which helps to move companies further along the path to compliance and minimise their exposure to risk. An increasing number of insurers – including Brit – offer a number of pre-cyber incident services as part of their policies: clients can have access to online portals which include procedures and plans which can be implemented to lower risks, incident response planning material and check lists for readiness.

The authors are Andrea Gaglione, technology lead and Ben Maidment, cyber class underwriter at Brit Insurance.
