Carolina A. Adaros Boye - Understanding Cyberrisks in IoT: When Smart Things Turn Against You

Understanding Cyberrisks in IoT

Understanding Cyberrisks in IoT

When Smart Things Turn Against You

Carolina A. Adaros Boye

Understanding Cyberrisks in IoT: When Smart Things Turn Against You

Copyright Business Expert Press, LLC, 2019.

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any meanselectronic, mechanical, photocopy, recording, or any other except for brief quotations, not to exceed 250 words, without the prior permission of the publisher.

As part of the Business Law Collection, this book discusses general principles of law for the benefit of the public through education only. This book does not undertake to give individual legal advice. Nothing in this book should be interpreted as creating an attorney-client relationship with the author(s). The discussions of legal frameworks and legal issues is not intended to persuade readers to adopt general solutions to general problems, but rather simply to inform readers about the issues. Readers should not rely on the contents herein as a substitute for legal counsel. For specific advice about legal issues facing you, consult with a licensed attorney.

First published in 2019 by

Business Expert Press, LLC

222 East 46th Street, New York, NY 10017

www.businessexpertpress.com

ISBN-13: 978-1-94897-664-0 (paperback)

ISBN-13: 978-1-94897-665-7 (e-book)

Business Expert Press Business Law and Corporate Risk Management Collection

Collection ISSN: 2333-6722 (print)

Collection ISSN: 2333-6730 (electronic)

Cover and interior design by S4Carlisle Publishing Services Private Ltd., Chennai, India

First edition: 2019

10 9 8 7 6 5 4 3 2 1

Printed in the United States of America.

Abstract

Information security policies and controls are deployed in many organizations. Either for compliance reasons or because there is a legitimate concern about cybersecurity risks, managers more frequently consider this as deserving attention from a strategic point of view. However, IoT devices and industrial systems are not very often considered within the scope of information systems security management, leaving a door open to attackersactually, quite frequently, many doors.

The explosive growth of IoT and Industry 4.0 has increased the expectations about new business models and services and more productive and efficient systems. However, the fact that IoT devices present many cybersecurity vulnerabilities that can increase the risk of an attack in an organization seems to go unnoticed. There are many examples of this, from data stolen from a casino through a smart fish tank to IP cameras, routers, printers, and vending machines used as bots for Distributed Denial of Service (DDoS) attacks. The target can be the IoT system itself, an adjacent network, or a third party. In any of the cases, the attack can long remain undetected because the security of these systems is not always monitored. This book explains why smart systems such as IoT, IIoT, ICS, and SCADA can introduce risks to a network and why it is important for managers and decision makers to know about this. It is rather obvious that you cannot address a problem if you do not know it exists, or if you are unaware of how serious it is! In these pages you will also find examples of past attack cases that can serve as lessons to avoid making the same mistakes in the future.

You probably already know that in a business the main assets for production are processes, technology, and people. This should make you aware that cybersecurity is not an IT problem but an organizational problem. As a team leader, manager, or business owner, the better you understand cyberrisks, the better you can ensure that the right people will be involved in preventing them, that the right processes will be defined, and that the right solutions will be displayed efficiently. To achieve this, it is essential that you have some background knowledge about the challenges that your security teams can face on IoT and cybersecurity front.

Keywords

IoT (Internet of Things); IIoT (Industrial Internet of Things); cybersecurity; risks; industrial control systems; cyberattack; vulnerability; threat; availability; integrity; privacy; confidentiality; cyber-awareness

Contents

To my dad who inspired my curiosity about things and taught me that no matter how complicated things are, they can always be explained in a simple way. To my mom who always believed in me as a writer, and to my brother, who is unsparing to correct my English grammar.

Introducing the Reader to IoT

Not long ago, a friend was visiting me in Birmingham, and, as usual, we engaged in a conversation about our career goals and projects. She is currently based in London and works as a human resources director of a well-known multinational company. When I told her, once again, that my work was related to research on cybersecurity risks of the Internet of Things (IoT), she said: You know, my friend, everybody talks about IoT and I still cannot understand what it is. Her day-to-day work is about dealing a lot more with people than with technologies. Nevertheless, in todays world everybody uses technology, even if it is not their main field of endeavor. Therefore, I believe it is important for everybody to acquire at least a general understanding of how some things that we use everyday work, particularly if they introduce risks that you might not be aware of. Maybe you do not currently use IoT every day, but I am sure you will, at some point in the not-too-distant future. You may also have to decide whether to use it or not in your business and how. In many cases, IoT can be a useful solution to many business problems, so you may probably decide to go for it. Just remember that this means that you will be introducing new risks to your organization. Managing these risks is extremely important, since on that depends the potential of IoT, which is used for the benefit of the organization and not against it. In other words, a good cost-benefit balance should be ensured, by preventing and controlling potential negative impacts caused by cyberincidents.

I believe that every person who could potentially make use of IoT should have at least a general idea of what it means. Moreover, anybody who has to make a decision about designing, building, buying, or implementing an IoT solution should know the basics of it, as well as the risks involved. Even my neighbor who is considering getting a smart thermostat for her house, just because her sister-in-law got one, should know as well, at least to a certain extent, what she is dealing with. It is not only businesses but also individuals that use IoT, and, according to Gartner, the consumers market for IoT is growing by leaps and bounds (Panetta 2017).

Before we look at what IoT is, it is important to understand that there is no consensus on a single definition. My favorite denotation for IoT is the one given by the European Union Agency for Network and Information Security (ENISA), which says that the term IoT describes a wide ecosystem where interconnected devices and services collect, exchange and process data in order to adapt dynamically to a context (ENISA 2017). I can imagine that for many this definition might mean absolutely nothing. I am sure at least that this is the case with many people I know who are not familiar with IT technical jargon. So to start this book, I must provide a definition that makes sense to a broad audience.