The fears surrounding IoT security appear to have been realised last weekend when a DDoS attack on DNS provider Dyn brought down numerous online services, including PayPal, Spotify and Twitter. Mirai botnets – which turn large numbers of IoT devices into botnets – were believed to be the culprits.
Greg Singh, director of sales engineering at information security firm Cylance, said the attack served to highlight the risk that IoT devices can have on networks beyond their own.
“The Internet of Things massively increases the threat surface, and we take the position that any of the introduced threats are currently unknown and we will not know until IoT devices become more ubiquitous and modes of attack become ‘known’,” Singh told IoT Hub.
He said that as new platforms are developed and deployed on resource-constrained systems, “many previously managed attacks will find new opportunities to operate.”
“New attack techniques are [also] inevitable and will likely be related to the sheer number of IoT devices and their physical security,” he added.
He said that while the motivations for attack won’t necessarily change, the increase in attack surface will allow for more to engage in malicious activity, with the consequences of such attacks being significant.
“Consequences of breach in an IoT-enabled world can be quite catastrophic, including loss of critical infrastructure and the related potential for loss of human life,” he explained.
“We could well see a world where large organisations and governments are prevented from providing potentially essential services and simultaneously extorted.”
Is AI the answer?
Singh believes that the algorithmic logic developed for artificial intelligence and its predictive analysis capabilities could help mitigate the security threats introduced by IoT in five ways:
- Small footprint – “We can do with comparatively tiny algorithms what used to require massive databases.”
- Speed of analysis – “Executing algorithms is generally much more efficient than trying to look through large databases.”
- Efficacy – “Simply put, AI-based processes are much better at predicting and preventing attacks. AI has potential to be used at all OSI layers of communication, for instance the data sets used for learning will naturally be different for different layers.”
- Highly scalable – “AI-based solutions can be easily scaled to meet projected IoT scale.”
- Enduring – “IoT-based logic can remain effective for long periods before updating is required. This is in stark contrast to many security solutions that need much more frequent updating.”
Singh added that IoT’s hardware-reliant nature also lends itself well to hardware-embedded AI security measures.
“One likely use will be to ensure that systems are genuine and have not been tampered with,” he said.
“Logic for other layers too are likely to be embedded in hardware for IoT, where updates to algorithms will be akin to firmware updates.”
How can companies prepare?
Singh said that companies should accept the fact that introducing IoT into their operations will increase their attack surface area, and to prepare accordingly.
“Existing security will need to continue while new security strategies to address the Internet of Things will need to be augmented to existing strategies,” he explained.
“Typically where there is new opportunity for technology, there is almost always associated risk.”
He also advises companies to understand the benefits of any new technologies, the potential exposure and related cost to reduce introduced risk to an acceptable level.
“As always, avoid turning on any features before a risk assessment has been undertaken – the result could be that it is too expensive to secure,” he said.
“The real challenge comes when organisations need to match one another and are prepared to sacrifice security for functionality – this is a danger for everyone.”