The threat to IT systems and PCs has been demonstrated spectacularly in recent months. In May, the WanaCrypt0r 2.0 ransomware attacks struck, followed quickly in June by a global attack that was originally thought to be a variant of Petya ransomware, but was subsequently determined to actually be malware. These attacks have hit global organizations and companies, including the NHS, Maersk and WPP, causing huge disruption and cost from both a monetary and reputation perspective.
As the threat landscape continues to evolve rapidly, it’s clear that many organizations are failing to learn about what they’re up against from a cybersecurity perspective. Sure, organizations today know that they need to have a cybersecurity strategy in place to protect their business from being disrupted by cybercriminals. However, current business models rely on connectivity and enhanced services to meet growing consumer demands for flexibility, ease of access and convenience. It is this connectivity which introduces more vulnerabilities from an increasing number of third-party sources.
With the growing opportunity for IoT devices, such as connected cars or SmartBuildings, businesses must be aware of how threats, such as ransomware, will evolve in the near future, progressing from the PC to also impact IoT businesses. Gartner has predicted that there will be more than 20 billion IoT devices by 2020 and the previous model for IoT devices was very often build, ship and forget. If something as simple as patching PC systems is being missed and letting ransomware in, the prospect of protecting the scale of IoT does not look good. Manufacturers should be thinking now about protection, updates and upgrades as a critical part of their IoT security strategy. It is crucial for organizations to better understand the threat that they’re up against, otherwise their approach to cybersecurity is destined to fail.
The ransomware business model
To date, security bugs in IoT and connected cars have mainly been found by enthusiasts or whitehat hackers (meaning that vulnerabilities have not yet been regularly exploited by cybercriminals to cause damage – the PC remains an easier and cheaper target). However, as the proliferation of similar IoT devices continues, it is likely to gain the attention of hackers that are looking to profit. To estimate the spread of this threat into other areas, the following business model must be considered.
The return on investment (ROI) on ransomware has been estimated at over 1,400% in some cases, according to a report from Trustwave. However, with recent attacks, the bulk of the cost of the attack is not in paying the hackers, but in recovering the IT systems impacted. The ROI from any attack likely comes down to the ubiquitous nature of the targets, focusing mainly on IT systems and PCs in particular. Windows-based PCs have a market share of around 80%, making it very easy for ransomware to spread, resulting in maximum profit for the attackers. IoT is still a relatively early stage market and there are many different versions of OS controlling the devices. However, we expect this to converge and become more standardized in the future, which will increase the threat. Given that ransomware is often the domain of organized crime, the motivation to launch an attack will often come down to the total ‘investable’ market, vs. the investment required to hack it.
We have already seen ransomware attacks take factories and hospitals offline, and the impact here is clear on the bottom line. However, when it comes to IoT and automotive, we will also likely see ransomware attacks executed that threaten brand damage. Take the example of an expensive consumer appliance like a connected washing machine (or any other expensive appliance that will carry a warranty). Once critical mass is reached, an attack would only need to threaten the possibility of the appliance doing something strange to ensure a mass warranty call from consumers. The potential brand damage and cost of replacement would likely motivate the manufacturer to pay a ransom based on the threat. When you throw in the potential for the attackers to make public claims about the vulnerability and its impact on consumers, brands will certainly be running scared. The issue faced by manufacturers is that ransomware of IoT is slightly different to the PC-focused ransomware attacks we have seen recently. This brand impact has the potential to drastically impact a company’s relationship with its customers. Even if the threat is minor or meaningless it could still shake consumer confidence, potentially destroying a company’s brand and future sales. This impact is significant and its potential could translate into far higher cash payments demanded by cybercriminals.
It will only take that tipping point into mass consumer adoption for this scenario to become a reality. When only a few thousand appliances of this nature are in homes, there is not the business case for the attackers. When this turns into hundreds of thousands, or even millions, suddenly the ROI for IoT ransomware becomes justifiable.
Ensuring an unviable target
As the potential for profit in attacking IoT devices increases, we are likely to see attackers starting out small – testing and refining attacks, before going after big targets. Whether that’s trucking fleets, extorting OEMs or IoT infrastructure, this is a worrying thought for companies across the globe. As a result, many organizations will be wondering where to start in terms of upgrading their security strategies to protect against this new threat.
The first thing to remember is that it’s not about making yourself hack-proof (this is virtually impossible), but about making yourself and your products more secure than the environment around you. With the ransomware business model in mind, attackers will almost always target the least secure element first as this requires the least investment in terms of both time and money to generate a potential return.
It is about making yourself an unattractive or unviable target for the attackers, and organizations must therefore implement a defense in depth approach to cybersecurity, and continually update to raise the security bar against the latest attack vectors. This approach involves many layers of security being implemented throughout the infrastructure, rather than simply protecting systems from the outside-in, in addition to a security in-depth strategy for endpoint devices, incorporating run-time integrity verification of the device. This is crucial in mitigating ransomware in IoT, IIoT and Automotive, as with this strategy, even if the hacker finds a way to break in, they won’t be able to steal, or hold hostage, the data, device or even the car.
Mark Hearn, Director of IoT Security, Irdeto
Image Credit: WK1003Mike / Shutterstock