It has been described by the government as “the second digital revolution” and received £32m in funding to promote its benefits and development across the UK, so it’s no surprise that the Internet of Things (IoT) is high on the public sector agenda. And it’s growing: it’s predicted that by 2020 there will be an estimated 24 billion connected IoT devices globally helping consumers and businesses to augment their “smart” lives with an endless array of applications.
While the benefits of IoT are undeniable, they do come with a government health warning: those 24 billion devices are largely unsecured and, in the hands of the unscrupulous, could represent a “zombie army” waiting to receive orders from those intent on disrupting critical services. So what are the risks for public sector organisations, and what can be done to mitigate them?
The weaponisation of IoT
Although headlines about internet-enabled fishtanks being used to hack casinos may raise a smile, the fact is that whether it’s a fridge, a coffee machine or a camera, an internet-connected device represents a potential access attack point for unwelcome infiltrators. It doesn’t matter what its primary function is, if it’s not secured then it is a risk of being recruited to a botnet and deployed in a DDoS attack.
The proliferation and geographical diversity of IoT devices means that attackers can mount high volume, distributed attacks that, if not intercepted, can overwhelm systems and knock key services offline. This is the weaponisation of the Internet of Things, and the resulting “DDoS of Things” is a serious concern.
Historically DDoS attacks have often been targeted at gaming networks in attempts to punish rivals or gain a competitive edge, however, we are beginning to see more instances of attacks with political motivations. Indeed, commentators have debated whether DDoS could be considered a legitimate form of political protest – for the record, the answer is “no”.
It’s not hard to see that disrupting critical public services such as healthcare, benefits systems, emergency services and municipal networks is a desirable target for politically motivated threat actors, or indeed conventional cybercriminals looking to hold governments to ransom. While not directly a DDoS attack, last year’s ransomware attack affecting the NHS highlighted the enormous impact that a single successful campaign can have, and the very real consequences for the lives of citizens whose medical appointments and operations were cancelled.
Inherent vulnerability
The vulnerability lies in the unsecured nature of commodity IoT devices. When installing their new device, how many consumers bother to change the factory default security settings? Indeed, how many consumers know there are even settings to change? Very quickly yet another potential bot joins the network. If it becomes part of a botnet, its owner is unlikely to be aware, nor is the manufacturer, so there is no incentive for either party to mitigate the situation.
DDoS may not even be the primary objective of the attack, it can be used to mask attempts to infiltrate a network and steal personal data – of which the public sector has an abundance – or to seed malware onto the network for future attacks.
Eventually, legislation may be enacted to force manufacturers to accept responsibility for preventing their devices being accessed by rogue actors, but until then the onus is going to remain firmly on organisations to defend themselves against DDoS attacks and the additional cyberthreats that often accompany them.
Defence is the best form of attack
So how can public sector organisations protect against IoT vulnerabilities? With many thousands of devices connected to public sector networks, the potential attack surface is enormous, so protection needs to reach right to the network edge. Plus, the vast quantity of legitimate traffic must be allowed to flow uninterrupted. Security systems need to be able to distinguish between a genuine user and a bot, as bots become increasingly sophisticated in a bid to evade detection. Organisations also need to be prepared for multi-vector campaigns that comprise volumetric, protocol and application level attacks in a bid to confuse targets and sidestep defences.
Planning for scale is also key – those 24 billion IoT devices are sending more data than even before, so they need a 24 billion-strong defence. Organisations need to build scalability into their security strategies to keep pace with the developing environment.
While the seriousness of the threat from the DDoS of Things shouldn’t be underestimated, we’re all in the business of keeping critical systems operational and we should take a proactive approach to defence. That’s the philosophy on which solutions such as A10 Networks’ Thunder TPS are designed and tuned – to take on exactly the threats faced by organisations by detecting and mitigating multi-vector attacks at the network edge. They distinguish malignant traffic from the benign so legitimate users are unaffected. Added to this, organisations can leverage Threat Intelligence to get ahead of malicious actors and gain an edge in the security battle.
All of us rely on public services, and as those services increasingly start to take advantage of smart technologies to make all our lives better, they deserve the very best protection against threats from malicious actors weaponising the Internet of Things. As doctors tell us, prevention is better than cure and, when battling cyber-threats to public services, it’s vital that security is in the best possible physical shape to fight off the disease.