2 Insight has organised the Secure IoT annual conference in 2017 and 2018 at the Green Park Conference in Reading.
The risk and damage in terms of reputation, costs, health & safety to an organisation or individual due to poor security practice can be considerable, as is illustrated in the timeline below.
We are seeing an ever-increasing number and sophistication of cyber-attacks on systems and products that use connected IoT devices. These attacks are instigated by different types of actors, including criminals, states and state-sponsored groups, issue-oriented hacktivists, malicious insiders (who pose the greatest threat) and ‘script kiddies’.
In May 2018, the General Data Protection Regulation (EU) 2016/679 (GDPR) became enforceable. GDPR covers “security by design” in hardware and software. Data controllers are obliged to consider “data protection by design and by default”.
Organisations using insecure hardware could face action under GDPR should the firmware of IoT devices prove insecure and contribute to a spillage of personal data. In other words, an organisation could be held liable for not checking that hardware is secure before procuring it, for not configuring it securely (for example, not changing bad default passwords) and for not expeditiously patching vulnerabilities in the firmware (and other software) used to process personal data.
- 2014 – A cyber-attack caused massive damage at a German steel plant
- 2015 – A cyber-attack on Ukrainian electricity distribution companies caused a major power outage, with disruption to over 50 substations. Fiat Chrysler had to recall 1.4 million cars in the US after security researchers showed that one of its cars could be hacked
- 2016 – Hackers infiltrated a water utility’s control system and changed the levels of chemicals being used to treat tap water. A massive Internet distributed denial-of-service (DDoS) attack, which caused outages for many Web sites (including Twitter, Amazon, Spotify and Netflix), was launched with the help of hacked “Internet of Things” (IoT) devices, such as CCTV digital video recorders.
- 2017 – The NHS was hit by a massive ransomware attack. Research by Trend Micro revealed that 83,000 industrial robots are ‘exposed’ to the public-facing internet, of which thousands are not protected with authentication. A Freedom of Information request revealed that a third of national critical infrastructure organisations have not met basic cybersecurity standards issued by the UK government. The US Food & Drug Administration issued a letter calling for the voluntary recall of some 465,000 Abbott (formerly St. Jude Medical) pacemakers to reduce the risk of patient harm due to potential exploitation of cybersecurity vulnerabilities.
- 2018 – Avast’s threat labs team discovered a new malware strain (codenamed Torii) that is building “the most sophisticated botnet ever seen” and is targeting IoT devices. In addition to sharing information about infected devices, the malware’s communication with its Command and Control server allows its authors to execute any code or deliver any payload to an infected device. Radware Threat Research Center identified a hijacking campaign aimed at Brazilian bank customers through their IoT devices, attempting to capture their bank credentials. SEC Consult researchers issued a warning about critical vulnerabilities that leave 9 million Xiongmai cameras and DVRs wide open to attack. Scientists at the Ruhr-Universitaet in Bochum, Germany, discovered a way to hide inaudible commands in audio files: commands that, while imperceptible to our ears, can take control of voice assistants such as Alexa, Siri or Cortana.
The IoT Security event brought together leading cybersecurity experts and speakers from:
- Amazon Web Services
- Cardiff University
- City, University of London
- Department for Digital, Culture, Media and Sport
- Device Authority
- Industrial Internet Consortium
- IoT Security Foundation
- Knowledge Transfer Network
- Pen Test Partners
- Secure Thingz
- University of Oxford
- University of Hertfordshire
- University of West London