From automated thermostats and smoke detectors, to smart refrigerators and dishwashers, the Internet of Things (IoT) is fast becoming a part of our everyday lives. IoT allows for a more connected world, as devices become smarter and more integrated. The space is growing so rapidly that Gartner projects up to 20.4 billion connected devices will be in use globally by 2020.
But just as the IoT space evolves and the number of companies and products grows, so does the associated cyber risk. Cyber attacks on IoT devices, with DDoS attacks the main concern, are a growing problem, and their impact on IoT service providers is going to be increasingly serious.
One of the major cyber security concerns today is the DDoS (distributed denial-of-service) attack.
A DDoS attack is a malicious attempt to make an online service or network unavailable by flooding it with internet traffic from multiple sources. The attack uses a network of malware-infected computers or IoT devices (a botnet) to overwhelm the target. A common analogy used to describe a DDoS attack is a traffic jam: all traffic is blocked, and not even important vehicles, such as police cars or ambulances, can get through the packed streets. DDoS attacks target a wide range of victims, from popular online publications to medical insurance and bank websites.
Well-known DDoS attacks include:
- An attack on the Church of Scientology that shut its website down and caused $70k worth of damage
- The websites of the Motion Picture Association of America, the Recording Industry Association of America and Universal Music being shut down
- Attacks on the US Copyright Service, the US Department of Justice and the FBI
IoT Devices and DDoS Attacks
Since DDoS attacks rely on connected devices, the rise of the IoT has brought with it an increase in the number of potential attacks carried out using IoT devices. Harnessing numerous IoT devices to such an attack can fuel it to a scale that was inconceivable a few years ago. The most prominent example is of course the Mirai botnet, which in October 2016 flooded the DNS provider Dyn with traffic from hundreds of thousands of compromised cameras and DVRs and cut off access to major sites across the US East Coast for hours. Mirai needed no exploit at all: it logged into devices over telnet using a short list of factory default passwords.
As much as these attacks affect end-users, they also affect IoT service providers in a huge way. The minute a service provider’s device is compromised, they’re the first to be blamed.
Consequences of Compromised IoT Devices and DDoS Attacks
The consequences of compromised IoT devices are severe. Even just in terms of financial costs, this includes direct costs that can be measured in dollars: business lost due to downtime, the cost of getting systems back online, and the cost to repair or replace damaged systems.
Not to mention intangible costs such as reputational consequences, lost clients, and the PR that has to be done in order to prove that it is safe to do business with the company in future. It is estimated that Target has racked up liabilities in excess of a quarter of a billion dollars after its 2013 data breach.
Cyber risk is a true business and operational liability.
Many insurance policies exclude cyber risk liabilities, and while cyber insurance is available, it deals with the symptom and not the problem itself – not to mention the escalating costs relating to 3rd-party protection.
DDoS attacks may be subject to civil and criminal liability, including contravention of the Computer Fraud and Abuse Act, or a breach of contract. Furthermore, if it can be proven that a user or Service Provider did not take adequate steps to prevent an attack of this nature, they may be held liable for the consequences. Vincent Vitkowsky reports that “The Federal Trade Commission (FTC) has conducted enforcement proceedings based on the position that the lack of reasonable security measures to protect consumer data may constitute an unfair or deceptive trade practice under Section 5 of the FTC Act. It has moved against companies who lose personally identifiable information through “inadequate” data security practices.”
Companies are already suing each other for cybersecurity negligence, and consumers are not far behind. And now that GDPR has come into effect, being involved in DDoS attacks, even inadvertently, can have severe consequences.
Protect Yourself Before You’re Held Liable
From an IoT service provider's point of view, securing connected devices serves both to ensure the quality of service and to offset the risk of future liability. Real-time monitoring and alerting on the earliest stages of botnet infection are essential, as is quick remediation. A Mirai-style infection scans for its next victims before it is ever ordered to attack, so a fleet's outbound traffic gives the earliest signal. Addressing cyber risk will be paramount to the success of such entities.
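As an added example (not code from the original article or from any vendor), the following Python script shows what "alerting on the earliest stages of botnet infection" can look like when run over a provider's flow records. It looks for two signals in constructed NetFlow-style data: a device touching many distinct hosts on TCP 23/2323, which is how Mirai spread, and a device pushing a sustained packet rate at a single destination, which is a device already taking part in a flood. The record layout, device names, addresses and the thresholds are assumptions chosen for illustration.

```python
"""Flag IoT devices showing early botnet-infection behaviour in flow records.

Added example, not the article's or any product's code. Flow layout,
thresholds and sample data are assumptions for illustration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds since epoch
    src: str         # device identifier (assumed to be resolved by the collector)
    dst: str
    dport: int
    packets: int
    bytes: int


# Mirai scanned TCP 23 and 2323 looking for telnet logins with default passwords.
TELNET_PORTS = {23, 2323}
SCAN_WINDOW_S = 60.0      # assumed: distinct telnet targets counted over 60 s
SCAN_DISTINCT_DST = 20    # assumed: a sensor does not greet 20 strangers a minute
FLOOD_WINDOW_S = 10.0     # assumed: packet rate averaged over 10 s
FLOOD_PPS = 500           # assumed: far above any normal IoT telemetry rate


def detect_telnet_scanners(flows, window=SCAN_WINDOW_S, threshold=SCAN_DISTINCT_DST):
    """Return {src: max distinct telnet destinations seen within one window}
    for every source that reaches `threshold` or more distinct hosts."""
    by_src = defaultdict(list)
    for f in flows:
        if f.dport in TELNET_PORTS:
            by_src[f.src].append((f.ts, f.dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        seen = Counter()          # destinations inside the sliding window
        lo = 0
        for ts, dst in events:
            seen[dst] += 1
            while events[lo][0] < ts - window:   # drop events older than the window
                old = events[lo][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                lo += 1
            if len(seen) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(seen))
    return alerts


def detect_floods(flows, window=FLOOD_WINDOW_S, pps=FLOOD_PPS):
    """Return {(src, dst): peak packets-per-second} for every source/destination
    pair whose windowed packet rate reaches `pps`."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append((f.ts, f.packets))
    alerts = {}
    for pair, events in by_pair.items():
        events.sort()
        lo, pkts = 0, 0
        for ts, n in events:
            pkts += n
            while events[lo][0] < ts - window:
                pkts -= events[lo][1]
                lo += 1
            rate = pkts / window
            if rate >= pps:
                alerts[pair] = max(alerts.get(pair, 0.0), rate)
    return alerts


def _constructed_flows():
    """Constructed sample telemetry, not real captures."""
    flows = []
    # A healthy thermostat: a few HTTPS flows to its cloud service.
    for i in range(5):
        flows.append(Flow(1000.0 + i * 10, "thermostat-2", "203.0.113.10", 443, 12, 3000))
    # A freshly infected camera: one SYN-sized flow to each of 40 hosts on 23/2323 in 30 s.
    for i in range(40):
        port = 23 if i % 2 == 0 else 2323
        flows.append(Flow(1000.0 + i * 0.75, "camera-17", f"198.51.100.{i + 1}", port, 1, 60))
    # A DVR already recruited into a flood: ten 1-second records of 800 packets each.
    for i in range(10):
        flows.append(Flow(1000.0 + i, "dvr-03", "192.0.2.50", 53, 800, 48000))
    return flows


SAMPLE_FLOWS = _constructed_flows()

if __name__ == "__main__":
    print("telnet scanners:", detect_telnet_scanners(SAMPLE_FLOWS))
    print("flood sources:  ", detect_floods(SAMPLE_FLOWS))
```

The scanner check fires on camera-17 long before it sends a single attack packet, which is the window in which a provider can push a credential change or firmware fix; the flood check fires on dvr-03 only once the damage is under way. In a real deployment the thresholds would be tuned per device class from a baseline of normal traffic, and the flow source would be a collector on the provider's network rather than an in-memory list.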
We certainly expect that legislators and courts will frown upon service providers who neglect to do so, if and when their large device arrays are used for such devastating attacks.