Government Agencies and Hospitals Face Increasing Risk of IoT-Powered Cyberattacks
While there's hype surrounding the tremendous opportunity the IoT offers, there are still hazards that have yet to be properly addressed.
If you paid even the slightest attention to tech media and conferences in 2016, you heard how the Internet of Things (IoT) is the next big thing. While there’s hype surrounding the tremendous opportunity the IoT offers, there are still hazards that have yet to be properly addressed. The biggest concern -- safety -- is a thorny topic with which enterprises are still grappling. For example, 2016’s DDoS attack on Dyn that took down several major websites such as Twitter was caused by a bot army of unsecured IoT devices. This attack is only the tip of the iceberg, and in 2017 we should expect more of the same, but websites and companies won’t be the only targets. Unless manufacturers and users of connected devices get serious about security, we will see these attacks evolve this year. I believe that there’s a significant chance these attacks could extend to major government institutions and hospitals.
Why these attacks are coming
According to a study from HP, 70 percent of IoT devices are currently vulnerable to an attack. While both manufacturers and their customers are certainly working to reduce that, a significant number of IoT devices will still be unprotected in 2017. Additionally, Gartner predicts over 20 billion IoT devices by 2020. Let’s say that in the next three years the number of secure IoT devices doubles, which means that only 40 percent will be insecure. According to Gartner’s estimate that means a total of 8 billion devices by then that are free to be enlisted in a hacker’s arsenal: roughly equivalent to the population of the Earth. That security risk is beyond anything we’ve currently seen in the realm of cybersecurity.
The risk isn’t necessarily coming from the sophistication of attacks but poor security practices of IoT users. Bad practices such as using the default usernames and passwords that are supposed to be used only for setup and then changed, are making it easy for attackers to take those devices and using them as botnets. Companies aren’t doing much to stop this or other potential sources of breaches. A study showed over 90 percent of corporate executives said they cannot read a cybersecurity report and are not prepared to handle a major attack and a stunning 98 percent of the most vulnerable executives have little confidence that their firms constantly monitor devices and users on their systems. It’s clear that most C-Suite executives don’t give cybersecurity enough consideration.
Even more chilling news came from a report back in April, which ranked the U.S. government (including federal, state and local agencies) as having the worst cybersecurity protocols compared to 17 major private industries, including transportation, retail and health care. As these agencies face pressure to virtualize, move to the cloud and embrace connected devices, this lack of security will leave them greatly exposed. I believe that as a result of these vulnerabilities, there is a 50/50 chance that a significant cyber warfare attack is instrumented against the U.S. government, the U.S. military, U.S. critical infrastructure or the U.S. banking infrastructure. This organization will be ill-prepared and vulnerable; it is also likely that the attack won’t originate on IoT devices owned by the government but instead will come from the outside.
Can IoT breaches threaten your health?
Government infrastructure won’t be the only new source of an attack that reaches tomorrow’s headlines. I also predict that a major hospital will face a HIPAA violation for using an unsecured smart medical device. Hospitals have a lot to gain from deploying the IoT for crucial data/insights to improve patient care, but so do hackers. They’re already targeting connected MRI machines, CT scanners and dialysis pumps to steal patient medical data, which is worth more than twice as much as financial information on the black market. While the FDA already recognizes that cybersecurity/HIPAA compliance is an important issue, it is not certain they get practices ready in time to prevent a major breach. And more important than data, there’s an ever-increasing chance that an IoT attack will put lives at risk if it can cause a shutdown of needed medical services.
How will hospitals fight back? The best prepared ones will do so by adopting improved security practices such as: password management, policies to ensure all devices are up to date/passwords get changed, network segmentation, software-defined network overlays with security built in and improved data management policies. Vital to ensuring that these practices get used successfully will be administrators that make them part of the hospital’s workplace culture.
Change your culture, build your defenses
My advice for entrepreneurs and startups is to make IoT security a serious and valued part of company culture. Bake it in while the company is still young and there’s no complacency from “doing things the way we’ve always done them.” Furthermore, do not make it solely the IT department’s responsibility to keep enterprise data safe. Every member of the organization needs to help take responsibility, follow security procedures to the letter and be vigilant for signs of danger. The good news is that there are security solutions out there to help, even with technology as nascent as the IoT. There is also a great deal of advice on the best practices to put in place, from a variety of experts and trusted sources. As Gartner cautioned at last year’s ITxpo, developing best practices can only prepare you for threats that are already known. Only innovation can prepare you for tomorrow’s threats that have yet to be discovered. A combination of advanced software and a strong internal culture will create a cybersecurity defense ready to take on potential attacks.
Richard Conklin is a seasoned computer networking, switching and security expert with over 25 years of experience. He has 11 granted and several pending patents and specializes in developing and advancing innovative technologies. Past employers include Ciena Corporation (where he held the positions of Senior Principal Engineer and Senior Manager), Scientific Atlanta, Motorola and Siemens.