Securing the Internet of Things

April 2017

In our 2016 Manufacturing RiskFactor Report analyzing the risk factors cited in the 100 largest publicly traded U.S. manufacturers’ annual filings, we reported that cyber risk ranked in the top 10 risk factors for the first time in our study’s history. More than 9 in 10 manufacturers (92 percent) cited cybersecurity concerns in 2016, up a staggering 44 percent from 2013.

Cyber is finally on manufacturers’ radars—and not a moment too soon, as the IoT introduces a host of new cyber threats and attack vectors for bad actors. Last September, the Mirai botnet, a strain of malware that infects internet-connected devices and corrals them into an IoT “army” to overwhelm a target’s servers with malicious traffic, made headlines for triggering a massive internet outage. The original Mirai botnet counted approximately 500,000 IoT devices worldwide. Following the attack, the manufacturer of the devices used to make Mirai was forced to issue a recall.

Mirai remains a real threat—not only for manufacturers of IoT devices, but also for any organization that leverages the IoT. On October 1, 2016, the hacker behind the botnet, known as “Anna-senpai,” subsequently open-sourced its code, enabling fellow hackers to develop their own Mirai strains to target additional IoT devices and increase the botnet’s compute power. And while Mirai is currently the star of the show, it’s far from the only game in town. The Leet Botnet, which came onto the scene at the end of 2016, is rumored to rival Mirai in its capacity to do damage.

Despite the acceleration of IoT-powered attacks, 81 percent of survey respondents say they are confident or very confident in their current cyber risk management program to address the IoT environment. Just under a fifth (19 percent) are unsure or not confident in their current program to address security concerns in the IoT. Given the magnitude of recent IoT-enabled cyberattacks, manufacturers’ level of cyber confidence is surprising—and potentially worrisome.
 
How Confident Are You in Your Organization's Current Cyber Risk Management Program to Address the IoT Environment?

Manufacturers may feel that the innovation rewards of the IoT are not worth the cyber risk. But there is no escaping the IoT; it’s already here. If your employees bring their personal devices into the workplace or use them to remotely check work email, your corporate network is exposed to the IoT. Two-thirds of manufacturers either allow or are considering allowing non-corporate devices into plants. However, only a third have implemented Bring Your Own Device (BYOD) policies and procedures.

Many manufacturers prioritize continuity over innovation because any downtime of systems can disrupt revenue. Forty percent of manufacturers surveyed cite adapting existing technologies as one of the biggest challenges to implementing the IoT. But relying on legacy infrastructure, which can include outdated PCs and equipment, can inadvertently expose manufacturers to risk. Legacy systems are inherently tough to secure against modern cyberthreats, and it can be difficult to connect and service disparate systems.

Third-party cyber risk also increases exponentially with the IoT. If we look back at the Mirai botnet incident, the primary target was Dyn, a cloud-based Internet Performance Management company that controls a substantial portion of the internet’s domain name system infrastructure. But when Dyn’s servers went down, it wasn’t the only victim—the websites of its 3,500-plus enterprise customers also went down.

The saying “you’re only as strong as your weakest link” rings true for cybersecurity in an IoT environment. Sophisticated attackers frequently exploit third-party vulnerabilities to gain access to their ultimate target. Any security gaps in manufacturers’ supplier networks can serve as ingress points for hackers. While most manufacturers are cognizant of and actively address third-party cyber risk, more than a quarter (27 percent) do not have or are not sure if they have a security policy in place for their supply chain partners and other vendors. On the flip side, manufacturers can also be the ingress point for hackers to reach their supply chain partners and end‑customers.

In this high-risk environment, manufacturers can’t afford to make cybersecurity an afterthought—and a good number are not. Nearly half (47 percent) of manufacturers surveyed start thinking about cybersecurity considerations during the product conceptualization and design stage—which, in our view, is when cyber needs to come into the picture. And we’re not alone in our thinking: In November 2016, the Department of Homeland Security issued six strategic cybersecurity principles for the IoT. “Incorporate security in the design phase” is the first principle on their list.

Less ideal, 21 percent of manufacturers start thinking about cybersecurity during the production stage, while another 18 percent hold off until the quality control phase. Nine percent either don’t start weighing cyber considerations until they’re marketing the product (when it is typically too late to make significant changes) or don’t consider cybersecurity at all.
 
“A data breach can result in angry customers and lost business, particularly if the victim company is deemed cyber-negligent. And for manufacturers that sell to highly regulated industries or the government, an insufficient cyber posture—even if they haven’t had a data breach—can knock them out of the running for new business or result in terminated contracts.” - Shahryar Shaghaghi, Technology Advisory Services national leader and head of International BDO Cybersecurity