IoT is becoming essential for many technology companies these days. As part of the capstone research project for their MBA, GLOBIS students investigated the risks and opportunities of IoT for Hitachi in collaboration with one of the company’s senior executives, and made recommendations for conducting its "Business Smartization" efforts. This series covers some of the research conducted by those students. We kick off this series by exploring the risks of IoT and cybersecurity.
Have you ever seen the 1995 Hollywood movie “Hackers”? It introduced the world to the idea of teenagers breaking into banks and companies via the internet to download sensitive data and steal money. One hacker used a government database to change a person’s status from living to dead. Malware was even used to capsize an oil tanker. Although this movie was released over 20 years ago, many of the risks and issues it raised are still relevant today (and even more so, as we will see).
While many people probably imagine that capsizing oil tankers through hacking is pure fiction, in 2014 hackers actually tilted an oil tanker off the coast of Angola, causing it to shut down and allowing pirates to take control of the vessel. At the Def Con hacker conference in 2015, computer security researcher Chris Rock demonstrated how to exploit weaknesses in death record websites to “virtually kill people.” How would you feel if you received a call from your bank saying that your account had been frozen because, according to their computer, you were dead?
This article explores present-day cybercrime and the future impact of cyber-risk on the Internet of Things (IoT). For example, are companies that are developing smart industries, such as Hitachi, GE, and Siemens, secure enough against present and future cybercrime activity?
It has been suggested that hackers are motivated by the desire to challenge themselves or by the allure of money. In the most recent ransomware cybercrimes, victims were forced to pay money to cybercriminals or else lose access to their data and systems. Further costs arise when users are unable to access their systems. According to Cybersight, every 40 seconds a person or company is affected by ransomware. In 2017, it was estimated that ransomware cost companies and individuals $5 billion. If hackers can cause this much damage by infiltrating individual systems, what could be the impact of hackers gaining access to vulnerable systems which are also connected to and integrated with IoT smart companies?
The Potential Impact of Future IoT on Existing Cybercrime
While IoT has become an increasingly prevalent buzzword, the actual definition of this technology is rather unclear. Most people think of IoT as the value created by connecting previously unconnected devices to each other. One example could be allowing a refrigerator to detect milk levels and then automatically order more milk online when milk starts to run out. For the purpose of this article, I would like to disregard this type of IoT, and instead consider the huge and complex smart industries created by mega-companies like Hitachi, which sink hundreds of millions of investment dollars into creating smart companies. As an example of this, imagine a large corporation where all devices are interconnected, where every device is a sensor, part of a huge network of data generated on a nanosecond-by-nanosecond basis. At its heart is an Artificial Intelligence (AI) which can filter and organize data into useful insights to be delivered to managers and executives.
As of January 2018, it was estimated that 8.4 billion devices had already been connected. Experts have projected that by 2020 this number will approach 50 billion. This represents the potential for a dramatic improvement in the evolution of technology and for innovations which have heretofore been unachievable. A Gartner study in 2016 projected that by 2020, IoT will save consumers and businesses $1 trillion a year in maintenance, services, and consumables. Platform solutions like Hitachi Lumada are already offering corporate customers the capability to integrate systems through IoT to enable them to better understand core activities throughout the value chain.
The power of big data on such a large scale creates the potential to streamline existing processes, gather and interpret data on complex business activities, and in the end gain an advantage over competitors. The power of IoT will rely upon how companies leverage AI. In addition, since data has become a new currency, potentially vulnerable IoT systems create exciting (and scary) opportunities for hackers who have both the technical know-how and the determination to cause damage and steal data.
A Deloitte model on cybersecurity maps the level of hacking sophistication against an attacker’s determination to penetrate a system. The assumption is that the more time and effort a hacker invests, the more damage or data they seek.
Source: Deloitte (2015). Responding to cyber threats in the new reality.
Examples of cybercrime at the lower left side of the graph might include physically damaging hardware, stealing personal information, or locking down a system and demanding money. At the mid-level, corporations stand to lose confidential data, lose hundreds of millions of dollars, or lose access to systems, causing significant disruption to their business activities. The areas highlighted on the far right refer to matters of national security. Hackers could, for example, gain access to a nuclear power plant, accidentally or intentionally cause nuclear material to enter the water or air supply, hack air traffic control and crash planes, or steal entire databases of confidential data. The potential for financial loss and loss of life grows with the level of attacker determination and hacking sophistication.
Cybersecurity embedded cultures: Corporate overconfidence?
Taking a step back, there is no denying that smart industries are the future of organizations and businesses; indeed, IoT is already here today. But the dangers of weak cybersecurity are increasingly becoming a cause for concern due to the escalating potential for damage and the scope of data affected. A global survey by Accenture in 2017 found that 80% of companies are confident in their cybersecurity embedded culture, while 1 in 3 focused attacks succeed. In addition, only 17% of respondent companies invest in cybersecurity training. The Institute of Information Security Professionals (IISP) survey in 2016 showed that 80% of computer security professionals believe that employees are the biggest security vulnerability in any organization.
Cybersecurity risk is spread between intended and unintended harm. Opening suspicious email attachments can release viruses into a company system, deleting files and causing damage. Alternatively, a trojan may create backdoors into a secure system, enabling data theft or system exploitation. Disgruntled employees may wish to abuse their security privileges to take revenge on their company. Revoking existing passwords and changing computer authority is insufficient because it is often the employee’s knowledge of the company’s systems that enables them to subvert security.
If we were to imagine remaking the original 1990s “Hackers” movie and setting it in 2020, considering the effects of IoT, the story could be about a national-level hacking collective from North Korea hacking an integrated smart bank industry to drain it of trillions of dollars and crash the world economy. Is it so implausible? Just a few months ago in January 2018, global media outlets reported that North Korean hacking collectives were responsible for a cyberattack on Youbit, resulting in a loss of 17% of its Bitcoin assets, amounting to approximately $75 million.
Cybersecurity is primarily a defensive measure and is reactive in nature. This is because companies wait for cyberattacks to happen before finding ways to prevent them from happening again. Perhaps it’s time to move to a more proactive method of cybersecurity. There is a growing voice that security may be strengthened through AI and Deep Learning. If this is so, could IoT AI be a solution? Certainly, one of the messages today is that companies and organizations that utilize IoT need to escalate investment in cybersecurity in proportion to the risks described above.