IoT presents boundless opportunities for the banking industry. Frictionless onboarding, contextual services, multichannel payments, smart asset tracking and back end optimization are some of the key reasons that is driving IoT adoption among banks in India. However, IoT also exposes the banks adopting it to cyber security breaches that could threaten the trust and reputation that banks base their existence on.
India ranks fourth among the top 10 most targeted countries by cyber criminals. In the period between April 2017 and January 2018, over 22,000 websites including those belonging to the government were hacked. A major public sector bank and a private bank in Pune lost nearly INR 100 crores to hackers who exploited weaknesses in the system to channel money to accounts abroad.
The introduction of the Internet of Things to the banking IT infrastructure adds another dimension to the problem. IoT, an enabler of many business outcomes open up new and hitherto unknown vulnerabilities in the system that could be exploited by criminals. IoT malware for perpetrating various types of attacks on the banking infrastructure is openly available on the dark web and criminals are constantly modifying their attack strategies and tactics to slip under the security radar to siphon money and data from banks.
Cyber criminals are today deploying Machine Learning (ML) and Artificial Intelligence(AI)-based technologies to launch more sophisticated attacks. ML and AI offer a high level of automation and in a situation where a bank is not aware of its complete inventory of connected assets, a cybercriminal could exploit vulnerabilities in the data chain before the bank could mobilize resources to plug it.
Through a daring attack in 2016, hackers shutdown internet across the east coast of the US using IoT devices. The bot used in this attack was also used to launch attacks on banks in the past. This episode clearly highlighted the dual or multiple use nature of the vectors connected with IoT attacks. Vectors could be reused multiple times to launch attacks on a range of industries that are using IoT to varying degrees.
In June this year, a malware was tracked attempting to modify the DNS server settings in the routers of Brazil residents to redirect their DNS requests to a spurious DNS server. This malicious server was high jacking data traffic bound for the host name of a prominent Brazilian bank and redirecting it to a fake website of the same bank hosted on the same malicious server.
Banks employ traditional IT security strategies to secure IoT ecosystems, while this provides a false sense of security they do very little if not nothing to mitigate the threats. The inherent nature of IoT such as low compute, long deployment lifetimes and lack of standards make them very difficult to secure with traditional IT security systems. IoT security can only be ensured by using paradigms and systems that are designed for IoT ecosystems. Some of these paradigms include strong but light weight encryption, agentless monitoring and ecosystem specific threat mitigation.
Cyber security should be a key consideration in all IoT deployments and should be included as early as possible in the project lifecycle. The first step would be to analyze the whole ecosystem for threats, while individual components (device, connectivity or platform) may be individually secure, the cyber security vulnerabilities open at the seams where these typically diverse components probably supplied by multiple vendors integrate. Next banks must consider all possible protection strategies to lower the attack surface of the IoT ecosystem this may include segregation from the main network, closed connectivity through MPLS, etc. The third consideration is to put in continuous monitoring system in place, a system specifically designed for IoT and that leverages IoT specific threat intelligence and advanced machine learning to detect threats that are rampant in IoT.
All cybersecurity strategies should work with one tenet that despite all systems and processes that is put in place, breaches are inevitable. Cyber resiliency is the ability to respond and recover from breaches. Banks should have response plans that satisfy regulatory requirements and public messaging in place to regain the trust of patrons. IoT ecosystems once integrated become critical to the operations of the bank and hence business continuity should also be a key consideration in the event of a cyber-attack.
Secure IoT promises to improve customer interaction, create competitive advantage and lower costs for banks. Security is the only differentiator that can ensure that IoT becomes a key differentiator for the bank, lack of which just makes IoT the Achilles heel in a bank’s operations and another failed project.