With UK utility companies on high alert over the threat of a serious cyber-attack in the wake of the on-going diplomatic confrontation with Russia, following the Salisbury chemical attack involving a former Russian spy, Sergei Skripal and his daughter, we’re seeing UK institutions working closely with the UK government’s National Cyber Security Centre (NCSC) to assess potential risks.
But cyber-attacks and cybercrime are nothing new and are, in fact, increasing in both frequency and in terms of their impact.
Criminals are innovating their modus operandi as they look to breach systems and their attacks are continuing to evolve.
According to John Moor, Managing Director of the IoT Security Foundation, “The general trend is that cyber-attacks are increasing and we're aware of more state-sponsored activity (often disguised as business hackers), a rise in ransomware, DDoS and the weaponising of the Internet of Things (IoT) to help conduct attacks too.
“Most recently we've seen websites hacked to mine cryptocurrencies which have helped to heighten anxiety among individuals, business, and agencies such as the European Commission and the US National Security Agency.”
“Cyberattacks are becoming larger and more comprehensive in scale,” says Art Dahnert, Managing Consultant at Synopsys. “Millions of users are now being affected and we’re seeing the bar raised when you consider the amounts of traffic now being sent in an attack.”
Dahnert makes the point that they are becoming more sophisticated too.
“Everything is now organised. They’re no longer conducted by the ‘400 pound’ loner sat in his bedroom. That view of the hacker is no longer valid. Attacks are coordinated and usually comprise of loosely connected hackers motivated by a mutual idealistic vision. We’re also seeing state sponsored cyber-attacks, there’s a growing list of nations with the sophisticated capabilities necessary to infiltrate and attack another.”
As connectivity increases though, so the world becomes more vulnerable to cyber-attacks.
Connected devices
Analysts Gartner predicted that there were over 8billion connected devices in use at the end of 2017 and in just three years’ time we could see over 20billion devices, representing an increase of 150percent.
"The general trend is that cyber-attacks are increasing and we're aware of more state-sponsored activity (often disguised as business hackers)." John Moor, Managing Director of the IoT Security Foundation |
At present cyber related crimes are said to cost the global economy $400billion each year, but when trillions of devices become connected, that could prove to be ‘small change’.
Why is the cost of cybercrime so high? Well, according to Simon Segars CEO, Arm, it’s because, “System and device security across all sectors is simply not good enough.”
“The Internet of Things (IoT) is heavily implicated of course,” says Moor, “as this is the next wave of internet technology.”
The IoT is extremely vulnerable. Its use of sensors and connected devices gives hackers clear routes of access since most of the devices are configured poorly with weak credentials.
“More mature companies are addressing this,” suggests Dahnert. “Where it’s a concern is among smaller companies working in the consumer space. They are resistant to security on the grounds of cost, they need to be shown how a failure of security can affect them negatively. You need to engage them by discussing the financial impact or damage to their brand and, perhaps, sell security as a key differentiator when it comes to taking their product to market, not as something that gets bolted on at the end.”
Despite their vulnerabilities these connected systems are being used to underpin improved services, drive innovation, create wealth and are seen as crucial in helping to tackle some of the most pressing social and environmental challenges.
“Connectivity is so cheap that many traditional products are being connected to the network, which may also be attached to the Internet and Cloud services,” Moor says.
In the conclusion of the Royal Academy and IET report, ‘Connecting data: driving productivity and innovation’, that increased connectivity between physical and digital systems will bring with it increased risks.
The report recommended that work be done to investigate measures needed to strengthen the safety and resilience of all connected systems, particularly the critical infrastructure that society now depends on.
It did suggest, however, that innovation alone wouldn’t be able to solve the security challenges. It said that users are themselves the first line of defence which means that people need to stay away from suspicious sites, be careful about downloads, maintain passwords and keep their devices up-to-date with the latest security fixes.
“We need to care more about the consumer and focus on the cyber-psychology of tech security,” says Dr Mary Aitken a Cyber-psychologist working out of the University of Dublin and an Academic Advisor to the European Cyber Crime Centre at Europol.
“We need a human centred approach that is mindful of how humans actually use connected ‘things’”
Dr Aitken says that it is crucial to understand how human behaviours in the cyber domain can “mutate, amplify or escalate,” a security breach.
She suggests that in the light of the rapidly changing threat landscape in which product designers work, it’s critical that they adopt a more agile approach to research and development.
Going forward she suggests that human insight combined with collaboration together with robust machine learning could form a suitable foundation to reduce the impact of security attacks.
Design considerations
So as cyber-attacks become more sophisticated it’s vital that companies view security as a primary design consideration and ensure that security scales in the face of growing threats.
“When it comes to addressing security, the first thing is to avoid the common pitfalls, namely speaking in security shop language and spreading a sense of fear,” says Moor.
“In essence, security professionals understand that security risk needs to be translated into business language and business risk. In this way, it can be assessed, quantified and managed appropriately. It is important not to lose interest because of hyperbole and spreading of fear - it is important to understand the business appetite for risk and mitigate against that, it is also important to know how risk can be insured against if specific investment is not possible.” According to Moor, “To understand the risk is to assess it properly and communicate in a language that managers can understand.”
Recently, research from the Barr Group showed that security remained a secondary concern among many embedded design engineers. In fact, over 20 percent said that security was not listed as a product requirement for their current project.
Commenting on the report’s findings Barr’s CTO, Michael Barr, said, “Prioritising security in every internet-connected embedded device is essential to maintaining the integrity of the IoT.”
But while it might be fair to say that many companies have tended not to consider security when it comes to the development phase, that’s beginning to change.
According to Moor, however, “While it is certainly changing we need to move a lot faster.”
Many technology providers are embracing what Segars calls the ‘Digital Social Contract’ which obliges them to protect users no matter what.
“It means we lean into problems, but we can always do more,” he writes in Arm’s Security Manifesto, published last year. “We are working with our ecosystem to improve communications and transparency around attacks and exploits to ensure mistakes aren’t repeated.”
Is there a risk that such a non-legally binding commitment could be undermined by a changing competitive landscape?
Where industries are already operating under a legal duty of care, such as the automotive sector, this is seen as less of a problem.
Speed to market, according to Seagers, is the greatest source of risk to the Contract and warns that the fast to market segment model could prove to be a “disaster for security as weaknesses in products once deployed may not be correctable in the field, so a system may be left vulnerable.”
He argues that a new more resilient business model is required, one that makes, “secure by design technologies available to developers.
“This will enable a specific new business model that will be suitable for the Internet of Things but also aligns with the responsibilities inherent in the Contract.”
Regulations
In this fast-moving world, the role of standards and regulations is, according to Seagers, limited. He believes that product makers need to be anticipatory, flexible and resilient when it comes to handling the challenges being thrown up by today’s hackers.
But while Seagers sees a limited role for standards and regulations, Moor disagrees.
According to Moor increasingly concerned Governments and regulators are looking to bring in addition controls for new technology.
“The speed at which markets and innovation are moving, and the concerns around security, safety and privacy is building pressure to introduce new laws and regulations,” he believes. “There are concerns that blunt regulation will stifle future innovation as the situation is complex and far from simple. Regulation is not as simple as it sounds and there are new problems to consider.”
Security is a moving target, according to Moor.
“What is secure today may not be tomorrow as new vulnerabilities and techniques emerge. This means we have to have a different mind-set from a pre-market compliance and certification scheme that is largely associated with safety regulations.
“Durability is now required over the life-cycle of products and systems and this will have major implications for product maintenance and support.
“On the plus side, a great deal is already known about security so the route forward can be immediately served by promoting best practice and the uptake of known good standards.”
Regulation is coming, he suggests. “It's not a case of if, but when.”
“I don’t believe that new regulations will affect innovation,” says Dahnert. “We’re working in an industry that is always innovative no matter the regulatory environment. But that’s not to say that the costs of regulation might not have an impact.”
A lack of user awareness and of security by design means that the cybersecurity industry is either repurposing traditional cybersecurity products or creating new and advanced products and services, says Moor.
“This will continue for the foreseeable future, especially when we consider the prospects of quantum computing and the application of AI and machine learning.”
Using machine learning and AI to accurately predict and identify attacks is seen as a boon for the cyber world.
According to Dahnert when he looks at the cybersecurity industry, he sees, “Blood in the water. Every company is faced by snake oil salesmen offering products that will save you from everything, and that’s simply not possible.
“Anyone employed to defend an application, a network or organisation will have to understand the scale and scope of their attack surface. They will have to understand the different flavours of the pie from network security to physical security. One methodology or product isn’t going to work, you will have to build a defence that can cope with specific types of attacks.”
There are too many companies who are less than ethical when it comes to selling security products, Dahnert warns.
“Most products will only address a specific scenario, they can’t solve all your problems, no matter what you’re told. To manage security you need a suite of partners, products and processes. Keep that in mind. And it’s only through education and training that we will be better placed to tackle security. It’s becoming a crucial part of business.”
Much talk is being made of AI and machine learning and the development of predictive security, according to Dahnert.
“It’s certainly the new flavour but is primarily the streamlining of existing methodologies making them easier to understand. As for AI and data analytics watch out for the snake oil salesmen. I doubt your business will be an expert in AI and you’ll be dependent on someone selling you tools. Your adversary can adapt and adjust his attacks. Will your AI solution be able to do the same?”
"Everything is now organised. Cyber-attacks are no longer conducted by the '400ib loner' sat in his bedroom. That view of the hacker is no longer valid." Art Dahnert, Managing Consultant at Synopsys |
Dahnert says that businesses also need to look at their supply chain.
“The entire supply chain has to work together. You have to work with them and understand their security posture and what they have in place. Also, what do they insist from their suppliers?”
For people unversed in security it can be overwhelming.
“There’s a lot going on in this space,” Dahnert concedes. “Most will need a partner that can guide them, but who can also come up with a plan explaining what happens when you have to deal with a breach and engage with media and analysts. You will need to show that you understand the problems and are planning for a resolution.
“Take your beating and work hard. Most stakeholders are forgiving.”
“Never stop learning and don’t operate within a silo,” says Moor. “Collaborate and share knowledge because effective defence is a team sport.”