The Internet of Everything: building cyber resilience in a connected world

The Internet of Things (IoT) is everywhere, ushering in a technological revolution at lightning speed. According to an Oliver Wyman report, between 50bn and 100bn devices are expected to be connected to the internet by 2020. While this rapid growth will undoubtedly open the door to new opportunities, organizations must also prepare for emerging security challenges. Are you ready for the internet of everything?

A wave of vulnerabilities

IoT products are physical devices or objects embedded with electronics, software, sensors, or actuators that can connect to the internet. From refrigerators and toys to medical devices and industrial control systems, internet-connected products are transforming the way many industries do business, driving efficiency and reinventing the customer experience. IoT devices are also providing businesses with mountains of valuable data that can be synthesised with analytics to improve products, penetrate new markets, and access potential customers.

The explosion of IoT devices is dramatically changing the cyber risk landscape – and not necessarily for the better. Many security experts believe that smart devices are creating a wave of vulnerabilities because they often lack strong – or, in some cases, even basic –  security features. IoT devices often also lack regular product support, such as updates and patches, making them particularly vulnerable to newly discovered weaknesses such as the Meltdown and Spectre flaws in most computer processors.

“Smart” technology is also connecting computer systems and devices that were once siloed or not directly connected to the internet. This new connectivity can leave organizations even more exposed to evolving threats that have not been fully considered or mitigated. Cybersecurity firm Symantec, for example, found that the average IoT device is attacked once every two minutes at peak times.

And more than half of internet security professionals surveyed by Tripwire, a provider of integrity assurance solutions, do not feel prepared for security attacks that abuse, exploit, or maliciously leverage insecure industrial IoT devices.

“Once an IoT device is compromised,” warns the FBI, “cyber criminals can facilitate attacks on other systems or networks, send spam emails, steal personal information, interfere with physical safety, and leverage compromised devices for participation in distributed denial of service (DDoS) attacks.” Recent examples of IoT attacks by malicious actors include:

• Infiltration of a North American casino’s networks in 2017 by hackers who connected to an internet-connected fish tank inside the building.
• A massive DDoS attack in 2016 against a company that manages domain name server (DNS) traffic. The attackers used a botnet – a network of computers infected with malware – called Mirai to compromise internet-connected cameras across the world, which disrupted services for many of the company’s customers.

Variations of the Mirai botnet continue to wreak havoc on IoT devices. For example, earlier this year, hackers used code from the Mirai botnet and the processing power from connected devices –  including smartphones and smart TVs –  to mine Monero, a type of encrypted digital currency. Security experts warn that hackers will continue to attack IoT devices for crypto-mining.

Cyber attacks that interfere with the proper operation of certain IoT devices, such as internet-connected vehicles or medical devices, may also pose a danger to human life and property. The US Food and Drug Administration, for example, has warned patients with certain heart pacemakers that they could be vulnerable if a bad actor were to send computer code to deplete the pacemaker battery or change heart rates. White-hat researchers have also demonstrated successful cyber-attacks against internet-connected vehicles.

Regulatory considerations

With a growing list of IoT attacks and warnings in the news, lawmakers have taken note. In 2017, bipartisan legislation was introduced in the US Senate to improve the security of internet-connected devices. Among other things, this legislation would require IoT vendors doing business with the US government to ensure their products meet various security requirements. Legislation designed to improve the cybersecurity of autonomous vehicles and internet-connected medical devices is also making its way through Congress. Executive branch agencies, such as the National Highway Traffic Safety Administration, are also getting involved, issuing security guidance for internet-enabled cars and trucks.

IoT regulation is not limited to the US. The United Kingdom, for example, released a report in March that sets out guidelines to help ensure IoT devices are “secure by design,” with security built in from the start.

Preparing for the IoT revolution

Companies that design, develop, manufacture, or service IoT devices or products should consider a variety of potential cyber exposures. These include:

• Liability due to alleged design or manufacturing defect.
• Liability due to a connectivity failure.
• Liability due to security failure.
• Liability in providing IoT product services.
• Extortion demands against your customers or company.
• Regulatory investigations, fines, and penalties.

Companies that deploy or use IoT devices may be subject to cyber risks as well, including data breaches, business interruption and extra expense, data restoration, extortion, property damage, and bodily injury from an alleged security vulnerability or privacy breach.

To protect your business from these risks, work with your insurance advisor to assess your IoT cyber exposures and review your cyber and errors and omissions (E&O) policies to ensure appropriate coverage and limits for IoT products and services. Current policies may be silent on IoT devices and events, leaving room for ambiguities and the pervasive “silent cyber” dilemma where coverage may be available because it is not explicitly excluded. For example, technology E&O policies may have coverage available for IoT products if the definition of “technology products” is written broadly, even if that definition does not specifically include IoT products.

When reviewing your insurance policies and cyber event response plans, consider the following questions:

• Has your organisation quantified the potential losses from (or costs of) an IoT-related cyber event?
• Do your insurance policies provide sufficient coverage for a failure in the maintenance or servicing of your IoT product, such as software updates, service packs, patches, and other maintenance releases?
• Does your cyber extortion coverage include ransom demands made of customers stemming from your security or service failure?
• Do your cyber, property, and general liability policies and plans adequately protect your company from any increased cyber exposures from IoT devices?

During this review, scrutinise the wording of your policies and plans to determine whether IoT devices and services are excluded or carved out of important definitions such as “computer system,” “technology product,” and “professional service.” Businesses should also review their property and general liability policies for coverage and keep a careful eye on relevant regulatory activity as security requirements quickly evolve to keep pace with innovation.

###

This article was first published by Marsh