Cyber criminals are expected to shift their sights away from ransomware and onto Internet of Things (IoT) devices, according to industry experts, CNBC reports. The rapid increase in the number of IoT devices has captured hackers’ attention.
Cyberattacks have ranged from shutting down computers and stealing data to disrupting everyday life. This includes hackers using IoT devices as entryways to attack a nation’s critical infrastructure or to disrupt vehicles or medical devices that contain software.
“What I wish is that the vulnerabilities of cybersecurity could never negatively affect human life and infrastructure,” Meredith Schnur, cyber brokerage leader for US & Canada at Marsh & McLennan, which insures large companies against cyberattacks, told CNBC. “Everything else is just business.”
Hackers currently have plenty of IoT devices to attack. There are about 17 billion devices around the world. Meanwhile, Mario Greco, the group CEO of insurer Zurich Insurance Group, recently told The Financial Times that cyberattackers are a bigger danger to insurers than pandemics and climate change if they opt to ruin lives rather than just steal someone’s data.
For example, a cyberattack forced Toyota to halt operations at one of its plants last year. Meanwhile, Ukraine’s power grid was attacked in April, as was the Port of London in May. In 2021 in the U.S., cyberattacks hit critical infrastructure, shutting down the energy and food supply operations of Colonial Pipeline and the JBS meatpacking company.
Many industry experts now expect cybercriminals connected to a nation-state to work out and replicate a scheme that uses IoT devices at scale. If successful, hackers could figure out how to control various IoT devices at once, such as vehicles or medical devices.
“We have already seen large-scale attacks using IoT, in the form of IoT botnets,” John Hultquist, vice president of intelligence analysis at Google-owned cybersecurity firm Mandiant, told CNBC. “In that case, actors leveraging unpatched vulnerabilities in IoT devices used control of those devices to carry out denial of service attacks against many targets. Those vulnerabilities are found regularly in ubiquitous products that are rarely updated.”
IoT’s update problem
The cybersecurity industry has stepped up its efforts, CNBC reports. IoT security-focused firms such as ForeScout and Phosphorus are consistently taking inventory of endpoints, the points where new devices connect to a network.
The lack of a good process for updating devices with patches after new vulnerabilities, hacks or attacks are discovered is one of the biggest problems IoT security faces, according to Greg Clark, former CEO of Symantec and currently the chairman of ForeScout. Many users download updates and patches to their personal devices, but a lot don’t bother to do so. The same is true for IoT devices.
“Not many of the IoT devices have a system to update the code,” Clark told CNBC. “It becomes a serious problem to remediate the vulnerabilities in the IoT.”
Clark also noted a potential line of defense is cybersecurity firms placing controls around IoT devices so they can only perform certain tasks. This ensures that devices can’t be instructed to do bad things like attack networks.
More regulation for IoT devices?
IoT device use has steadily increased, but overall, it is still relatively new. That means there are not a lot of established U.S. guidelines and regulations in place to help safeguard these devices, leaving cybersecurity in customers’ and companies’ hands.
“I’m hopeful there will be some new standards, and newer regulations that will force the vendors to do more,” Randy Trzeciak, director of the science information and security policy and management program at Carnegie Mellon University, told CNBC. “There should be a national discussion around insuring device security, and where the manufacturer needs to take some ownership and responsibility.”
CISA and the National Institute of Standards and Technology are working together to establish guidelines for thousands of IoT device manufacturers, according to Clark. These regulations could help ensure that devices can identify themselves to networks prior to being added to them. U.S. Congress turned the guidelines into a law in 2020, but it only pertained to firms that supply the U.S. government with IoT devices.
Meanwhile, some investors and executives have cautiously welcomed regulators’ increased involvement.
“It’s simply too complex,” Shlomo Kramer, an early investor in Palo Alto Networks and currently one of the top cyber security investors worldwide, told CNBC. “There’s not enough qualified and experienced security people.”