The Internet of Things Risks and Challenges

Size: px

Start display at page:

Download "The Internet of Things Risks and Challenges"

Herbert Summers
8 years ago
Views:

1 The Internet of Things Risks and Challenges Providing the insight that enables our customers to make informed business decisions. Antony Price 03rd March 2015

2 Contents Internet of Things - The next threat generation Risks and Challenges Jackpotting How the CIC can help Final thoughts Questions

3 Internet of Things (IoT) The next threat generation Having so many interconnected devices is convenient but represents a risk for organisations as they still lack security. Here are the top five threats to IoT devices identified by CSO last year. In-Car WiFi: This technology is turning cars into mobile hotspots and connects passenger s devices to Internet. But without the firewalls usually present in traditional WiFi hotspots, in-car devices and data will be at risk. Wereable devices: Due to their automatic connection to the Internet, devices like Google Glass are a major attack vector, providing attackers with confidential corporate information and intellectual property. mhealth applications: The wearable wireless devices market across fitness, mhealth and sports growing so quickly, hackers will increasingly attack them to get personal health information. M2M: M2M security being closely connected with the IoT and the number of devices that routinely use the Internet to function increasing, mobile devices are becoming more and more vulnerable to Internet-based attacks. Drones: As drones rely on vulnerable telemetry signals, attackers can leverage them easily using various attacks such as authentication bypasses Deloitte MCS Limited. All rights reserved.

But without the firewalls usually present in traditional WiFi hotspots, in-car devices and data will be at risk.

4 Risks and Challenges With more than 30 billion devices expected to be wirelessly connected to the IoT by 2020, imagine again what the lack of a robust security infrastructure would mean for that M2M-enabled car you might be driving ZDNet, Rate of change Rapid proliferation of number, types and capabilities of IoT connected devices and sensors being developed and released is faster than we can understand and manage the unique risks and threats to properly secure them. Privacy concerns Everything will become a node on the network, which means that everything will be monitored and/or reporting its status. This raises concerns on how information will be used, for what purpose, and by who. Will there be a skills drain due to people becoming dependent on their devices or can people opt out into Interne-Free Zones. Software vulnerabilities These devices and sensors are treated like hardware appliances, however these devices and sensors are not just hardware devices they are also software applications that will contain software weaknesses. These weakness will need to managed and patched. Lack of acceptance from vendors - no plan to patch of fix vulnerabilities. Management challenges Geographic disparity, device disparity, operating system disparity, number of devices, different data types will introduce information, security and operation management challenges. This will be Insecure by design These devices and sensors are not built with security in mind: Many have purpose-built features that equate to security flaws. IoT devices include anything from SCADA to consumer products - all flawed with inherent weaknesses Deloitte MCS Limited. Private and confidential

faster than we can understand and manage the unique risks and threats to properly secure them.

5 Risks and Challenges Figures 70% Of tested devices are vulnerable to attacks. 25% Avg. number of identified vulnerabilities per device. 80% Allow the use of weak passwords. 70% 25 80% 60% 60% Have vulnerable web interfaces. Of tested devices are Avg. number of identified Allow the use of weak Have vulnerable web vulnerable to attack. vulnerabilities per device. passwords. interfaces Deloitte MCS Limited. Private and confidential.

70% 25 80% 60% 60% Have vulnerable web interfaces. Of tested devices are Avg.

6 Industry-Specific Challenges Category Challenges Category Sample S&P Concerns Motor Vehicle/Location tracking Unauthorised vehicle access Self-driving vehicles (and impacts of malicious intent) Health Mobile health device - data Monitoring privacy Payment transaction security External, distributed physical links to internal corporate systems Home Unauthorised home access POS/Vending Hacking biomedical Automation Privacy issues if video links devices (e.g. are misused/hacked pacemakers) Smart meters HIPPA compliance Household appliances Opt-in, Opt-out criteria hacking Insurance Privacy of loss history Smart Grid & Power grid attacks, Anonymisation of data for Utilities vulnerability statistical analysis National security implications Deloitte MCS Limited. Private and confidential.

biomedical Automation Privacy issues if video links devices (e.g.

7 Jackpotting Malware will often slow down a computer, and when you slow down a medical device it no longer gives the integrity needed to perform as it should. Barnaby Jack was known for his jackpotting presentation at the Black Hat computer security Conference in He demonstrated different kinds of attacks involving both physical access to two ATMs and completely automated remote attacks. He also gave presentation outlining vulnerabilities on various medical devices by hacking insulin pumps, pacemakers and defibrillators Deloitte MCS Limited. Private and confidential.

He demonstrated different kinds of attacks involving both physical access to two ATMs and completely automated remote attacks.

8 Cyber Intelligence Centre Enabling effective protection and response Helping organisations protect their critical data and services by driving value from their existing security infrastructure via the CIC Services. Cyber Monitor Cyber Watch Cyber Protect Cyber Check Cyber Respond Cyber Govern Deloitte MCS Limited. All rights reserved.

existing security infrastructure via the CIC Services.

9 Final thoughts What looms on the horizon is even more daunting. With the Internet of Things, every car, consumer appliance, and piece of equipment could be linked and ready for hacking Tech Trends Deloitte University Press IoT is (and always will be) bringing more entry points in to an organisation Security teams need to redefine the scope of security efforts Must address policy and processes while maintaining security and compliance Segment consumer IP devices from data-sensitive systems on corporate network Deloitte MCS Limited. All rights reserved.

Deloitte University Press IoT is (and always will be) bringing more entry points in to an organisation Security teams need to redefine the

10 Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited ( DTTL ), a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see for a detailed description of the legal structure of DTTL and its member firms. Deloitte MCS Limited is a subsidiary of Deloitte LLP, the United Kingdom member firm of DTTL. This publication has been written in general terms and therefore cannot be relied on to cover specific situations; application of the principles set out will depend upon the particular circumstances involved and we recommend that you obtain professional advice before acting or refraining from acting on any of the contents of this publication. Deloitte MCS Limited would be pleased to advise readers on how to apply the principles set out in this publication to their specific circumstances. Deloitte MCS Limited accepts no duty of care or liability for any loss occasioned to any person acting or refraining from action as a result of any material in this publication. Registered office: Hill House, 1 Little New Street, London EC4A 3TR, United Kingdom. Registered in England No Deloitte MCS Limited. Private and confidential.

Deloitte MCS Limited is a subsidiary of Deloitte LLP, the United Kingdom member firm of DTTL.

ISO27032 Guidelines for Cyber Security

ISO27032 Guidelines for Cyber Security Deloitte Point of View on analysing and implementing the guidelines Deloitte LLP Enterprise Risk Services Security & Resilience Contents Foreword 1 Cyber governance