Drone-jacking, IoT malware and the rush to comply with EU data protection legislation.
Recent high-profile security breaches in IoT devices could be the beginning of a trend, as the proliferation of endpoints gives attackers more opportunities. In 2017, we will see hacks become more innovative and widespread, and the perpetrators harder to find.
IoT attacks will rise.
The October 2016 attack on DNS provider Dyn originated from a botnet of around 150,000 infected IoT endpoints, including cameras, monitors and routers. The attackers disrupted several high-profile websites, including Twitter, Netflix and Airbnb, using the publicly available Mirai malware, which scans for devices that still accept factory-default credentials. It was among the first large-scale attacks launched from IoT devices, but it will not be the last. The Intel malware tracker estimates that there are over 3 million Mirai-infected devices.
Forrester predicts that IoT breaches like these will become commonplace in 2017. It believes that the industries where IoT has been quickly adopted are still the most vulnerable to breaches. These include transportation, surveillance, warehouse management and manufacturing.
Demos of IoT hacks will wake up the industry.
In November 2016, a team of researchers at Dalhousie University, Canada and the Weizmann Institute of Science, Israel, showed how attackers could take control of Internet-connected lightbulbs, potentially plunging office buildings and street lighting into darkness. They achieved this by flying a drone close to their target to infect a single bulb, then using a worm that spread from bulb to bulb over the bulbs' own wireless link to hijack the rest.
Hacking into connected cars has become a regular occurrence. Recently a team from Norwegian app security company Promon showed how easy it is to drive off in a Tesla: by stealing the owner's credentials through a malicious app on their phone, then locating the car, unlocking the doors and enabling its keyless driving functionality.
With cybercrime growing, companies are increasingly hiring ethical hackers to test their security systems and ability to withstand a cyber attack.
Increased legislation and certification.
This year will see a call for increased legislation of IoT, along with IoT certification standards from manufacturers.
The US Department of Homeland Security has already issued guidelines to companies manufacturing IoT devices, maintaining that as a nation it “cannot afford a generation of IoT devices deployed with little consideration for security. The consequences are too high given the potential for harm to our critical infrastructure, our personal privacy, and our economy.”
It is urging IoT manufacturers to build security in at the design stage or face the very real possibility of legal action. “While there is not yet an established body of case law addressing the IoT context, traditional tort principles of product liability can be expected to apply,” the document states.
Standards bodies are also following suit. After four years of research and collaboration, the US National Institute of Standards and Technology (NIST) has just released the final version of its guidelines for securing IoT devices through their lifecycle. This has been rapidly followed up by the Broadband Internet Technical Advisory Group (BITAG) cybersecurity guidance.
Forrester predicts that vendors will jostle for IoT certification, while heavyweights like Microsoft, IBM and Cisco will invest heavily in IoT training and certification, providing IT professionals with the skills to manage current and future challenges.
Forrester believes that at least 10 industrial vendors will jointly certify their IoT-enabled products with enterprise vendors in 2017, following the lead of Rockwell Automation and Cisco.
Greater data protection.
The EU General Data Protection Regulation (GDPR), which applies from May 2018, will get a lot of attention as enterprises look to comply with its legal requirements and avoid hefty fines for non-compliance. This will have implications for IT security budgets and staffing. Enterprises will need to upgrade their data protection capabilities to ensure personally identifiable information is secure, and to define who has access to it, when and where.
The GDPR's requirement to notify the relevant EU supervisory authority within 72 hours of becoming aware of a breach also means that enterprises will have to re-assess their incident response strategies.
The EU-US Privacy Shield will be reviewed in May 2017, and it may be a game changer for data protection between the EU and US. It is also likely that the new Trump administration will bring in new legislation. President Trump has publicly stated he is for stronger data sovereignty and data protection laws.
Drone-jacking will make its debut.
Drones are becoming workhorses, increasingly valuable to industries as diverse as agriculture, law enforcement and logistics.
McAfee Labs 2017 trends report predicts that with drone exploit kits appearing on the darknet, we will see drone-jacking in 2017. The report maintains that drones are exposed to hacking, thanks to a stampede to get products to market that has resulted in unencrypted communication and open ports.
We will also see cybersecurity become a business-critical process for enterprises who need to shore up their defenses against cleverer and even more innovative cyberattacks.
Establishing specialist cybersecurity units.
With cyber threats increasing, service providers are looking for new ways of strengthening their cybersecurity capabilities. Since January 2016, for example, Orange Business Services has channeled its cybersecurity expertise into Orange Cyberdefense, a specialist unit offering managed, integrated and hybrid services, including the design, implementation and operational management of security strategies. Orange now has 1,200 employees working on security issues.
With the recent acquisition of Lexsi, Orange Cyberdefense reinforced its threat intelligence ability with the first private Computer Emergency Response Team (CERT) in Europe. CERTs are warning centers responding to digital attacks on organizations.