Tag Archives: IoT

Why cybersecurity can be a source of innovation for IoT projects

An interesting survey finding came my way almost a year ago that revealed that as much as 80 percent of projects falling in the Internet of Things domain didn’t utilize their data in its entirity. This means that most of the projects are configured to churn data that is futuristic in nature and may not be of much relevance to the stakeholders in the short run. This leads us to an interesting question. Can this huge volume of data being generated be put to some use after all?

There are various reasons why there is an overflow of data in such projects. The most agreeable one is that business owners are often pre-occupied with the need to get their hands on information that can justify their investments in such projects and in the process ignore data streams that cannot be monetized or deployed to improve efficiency, productivity or preventive maintenance practices. Such a myopic view can indeed lead to value stagnation in the long run for such projects.

A Spanish company had deployed a set of temperature sensors across its offices to monitor the ambient temperature. The data showed the existence of islands of significant temperature variation across floors. The company didn’t invest any time or resources in determining how such differences affect the productivity of employees or outcomes of meetings. Yes it would need a stretch of effort to figure this out but then its not impossible.

In another instance, a well-known retailer in South-East Asia is currently accessing information on supply chain efficiency across various points in the chain using IoT. However, this entity is still ignoring information on ambient weather conditions that are also collected alongside the data gathered by various sensor and device configurations. Again the weather information in this instance could be correlated with supply chain efficiency to determine the best weather conditions for movement of goods and supplies as also to avoid conditions that might adversely impact movement.

There are many such examples of businesses ignoring data already available to further their business interests.

Linking cybersecurity

IoT is one of the few enabling technologies that still have a long way to go when it comes to cybersecurity. Often times, proof of concept projectsrun without security coming into the picture in any form or manner. The capital and resources invested in the project are thus rendered vulnerable to a possible cyberattack. A sizeable one could lead to the project being shelved complety – a possibility that is not just a remote possibility but is happening more often than it should.

Given the significance that security entails,

Cybersecurity could be considered as an avenue for innovation. There is no reason why businesses shouldn’t be thinking and acting this way. Let me elaborate. For one, cybersecurity is all about doing more with all the data available. It is also about getting deeper into data to determine how and why data is behaving the way it is (is it under the influence of malware or has it been subject to some form of compromise?).

Attention to data for purposes of cybersecurity can yield remarkable results. It can make decision makers aware of the quantum and content of data that they are drawing from sensors and devices and therefore put it to better use. Financial services entities and retailers can take the lead in this arena. By making businesses delve deeper into data patterns, organizations are rendered more data-sensitive thereby opening avenues to better use and deploy data. And this could enable competitive differentiation and innovation across the enterprise.

Data awareness could also reduce the rate of failure of proof of concept projects. It could lead to customer delight as well when used in the right way to give actionable data and insights. A large aircraft manufacturer recently found out the hard way how ignoring basic data could be a perilous endeavor. The lesson, therefore, is clear and apparent.

Cybersecurity, when viewed as an enabler of innovation, could also lead to greater investments in time, attention and resources in securing enterprises. This holds good for all businesses irrespective of their size, maturity or market addressed.

To read the latest State of IoT Security reports

Download now!

IoT poised to transform healthcare

Among the sectors where the Internet of Things is offering a non-conventional way to address traditional challenges, healthcare stands out not just in its uniqueness but also in bearing significant potential to positively transform the quality of life of citizens. As the use cases increase, so does the scope for IoT to do more and this is just a beginning. In the days to come IoT will bring in a drastic reduction in healthcare administration costs, improve the efficacy of medicines and improve our ability to identify and isolate disease vectors well before they reveal their darker side.

Healthcare is a vast ecosystem. IoT has already made deep inroads into applications such as remote patient monitoring, clinical trials, pharma administration, personal healthcare, drug testing, insurance, robotics, smart pill cases, and treatment. Preventive healthcare is another area where IoT is helping. IoT enabled wearables are providing real-time data on every individual’s health enabling physicians to diagnose early warning signs of disease and administer medication or other interventions before it turns into a major risk to the person’s health.

With evolving technology and improving connectivity (with the arrival of 5G) and personalization of medical attention, it will be possible to do a lot more with IoT. For instance, data on responses to a certain medicine (collected and analyzed anonymously) will enable doctors to derive the exact dose to be given to the patient to ensure maximum drug efficacy. Smart jars will also remind patients to have their medicines on time and in the right dosage. This will help prevent misuse of vital medicines such as antibiotics.

Smart pills add a unique dimension to IoT. Smart pills, or simply digital pills, are medications prescribed to patients and come with edible electronic sensors that dispatch wireless messages to devices like patches, tablets or smartphones that reside outside the body when ingestion of these pills.  Since this technology will allow patients and doctors to track their drug regimen compliance, increasing patient adherence, it could lead to savings to the tune of $100 – $300 billion annually in the US alone.

Adoption challenges

Storing, securing and managing data are aspects that still pose a challenge to widespread IoT adoption in the sector. In addition, there are reliability and security issues with data alongside the lack of infrastructure and training among providers. This is because there are providers who lack the infrastructure to harness and analyze data even when it flows freely. Another issue is the cost of wearables. It is still not cheap enough for it to be used widely by populations in rural areas.

Security is still a key concern for the whole eco-system. With a diversity of devices, communication flavors, storage options, through fare networks, every aspect brings in its own security challenge. Since patient data is involved in the form of healthcare records or treatment efficacy, there are many entities and individuals out there who would want to get their hands on this data. Healthcare devices could also be highjacked to be used as conduits to launch larger Distributed Denial of Service attacks on other networks.

With so much data floating around in the networks, privacy issues have already come to the fore. Groups are suggesting that with smart pills, for instance, a surveilled compliance scenario would emerge and the doctor or the pharma company may end up receiving and hoarding more data than necessary.

The road ahead

The challenges that IoT brings forth should be measured against the benefits that it delivers. Overall, it is now becoming increasingly difficult to view healthcare minus IoT interventions in varied aspects. As these interventions get bigger and the benefits expand, the challenges will also be addressed. For a country like India that is trying to bring affordable healthcare to the masses, IoT is more than a game changer. What changes is not just affordability but also the availability of timely medicare. The savings in terms of replacing traditional and more costly alternatives are alone for India to give more attention to IoT.

India will definitely enable the emergence of many interesting use cases.

Cybersecurity trends to watch out for in 2020

The adoption of IoT is growing globally. Today, active sensors are monitoring and reporting on everything from weather conditions, traffic, power consumption, water pressure, among others. Smart technology is everywhere, enabling cities, people, and governments to do more.

It won’t be an exaggeration to say that the IoT boom is already here. But as more and more sensors and devices are connected to the internet, cybercriminals gain more opportunities to leverage unattended vulnerabilities. IoT botnets can compromise and leverage thousands of such devices to wreak havoc on deployments.

2019 saw a range of attacks on IoT infrastructure. Wicked, OMG Mirai, Triton, Shamoon, ADB.Miner, DoubleDoor, Hide ‘N Seek, and Mirai-Variant IoT Botnets were widely seen in cyberattacks around the world.

2020 will see hackers go after data with increased zeal. This includes highjacking devices as part of Advanced Persistent Threat attacks and using them to gain access to sensitive data and IP, which could be held for ransom. The sectors that will attract maximum attacks in South America include oil and gas, infrastructure, utilities, defense, and retail. Attacks bearing a geopolitical motive are also expected to increase this year.

Regional hackers have figured out that businesses are more willing to pay ransoms to prevent such data from being published online or on the dark web. This they are working to target devices and networks to pilfer data and record conversations of value. Another tactic gaining currency is data poisoning wherein inaccurate information is fed into decision making systems to disrupt large systems.

Publishing zero-day vulnerabilities without taking the vendor into confidence or giving them reaction time to patch devices creates a unique advantage for hackers as they can take advantage of such vulnerabilities to create widespread damage. This trend will persist in 2020, albeit with vendors turning more cooperative, responsive, and with more information being made available, lesser instances will come to the fore.

With more businesses using bots to log data in CRM\ERP or other business management software, the data accessed by such bots are becoming more critical with each passing year. By spoofing identity, hackers can gain access to critical systems and then use such bots to exfiltrate data, and since most of these bots are today working with very little monitoring, an attack could theoretically last months or even years, if they go undetected.

Three key target sectors in 2020

  • Manufacturing
  • Retail
  • Financial services

Three trends that will continue in 2020

  • Increasing reconnaissance on critical infrastructure projects
  • Phased attacks on new IoT projects
  • Price of malware sold on forums will rise further this year (because of the demand-supply imbalance)

As geopolitical faults expand, cyberwarfare has turned deadlier. Today actors sponsored by nation-states are investing in AI-based offenses to harass their adversaries. Geopolitical attacks are now targeting critical industrial systems, utilities, smart devices, renewable energy farms, offshore oil rigs, and more. With agencies finding it difficult to suppress information on such attacks from leaking out into the mass media, hackers are getting more aggressive as the impact of their work becomes more visible, monetarily rewarding, and discussed.

The global network of botnets will also grow and expand in terms of devices and countries in 2020. This is one trend that refuses to move into negative territory because of various reasons.

Sectors such as banking and financial services, healthcare, oil and gas, and retail will continue to attract attention from hackers in 2020. The attacks will get more sophisticated, and the attack signature will turn even paler as hackers use newer tactics and strategies to breach networks.

On the response front, as this article is being written, we are seeing cybersecurity being addressed through “codes of practice” and “guidelines.” The government of California has openly come out with its resolve to make businesses do more towards securing their infrastructure, and others will follow in 2020. What is still missing is a coordinated effort to address the problem at hand. Cybersecurity will remain a half-hearted battle until all stakeholders join hands and launch a concerted effort to curb the menace.

Globally, cybercrimes cost over $600 bn in damages in 2019. No nation is rich enough to afford such a colossal loss individually or collectively. Instead, if this money were to be deployed for improving healthcare, generating employment, and improving civic infrastructure, the magnitude of the damage becomes more apparent. Hopefully, 2020 will be the year where we see more coordination between stakeholders. Such a collaboration is inevitable if we are to see lasting progress in the war on cybercrimes.

Cyberattacks grew 26% on India’s IoT deployments

India has been attracting complex cyberattacks for a while now. Hackers are using a mix of complex malware, social engineering and hit and run tactics to target various facilities and IoT deployments here. In the last quarter alone, cyberattacks on the country registered a 26 percent increase and some unique samples of malware were isolated by our threat research team.

Mumbai, Delhi and Bangalore were the most attacked cities and hackers are looking at monetizing attacks while creating large scale disruption. They are also working to overload defense mechanisms in order to prevent early detection and mitigation of these attacks.

The IoT Security Report for India for the third quarter (July-September) of the calendar year 2019, highlights the continuing attention that hackers are paying to IoT and OT installations in India. The report notes attacks, attack techniques, sectors drawing attacks and the various types of malware used to attack smart cities, defense projects, manufacturing entities, retailers and other entities using IoT or OT in the country. Download this report to find out how the threat environment in the country is evolving.

To read the latest State of IoT Security report for India

Download now!

Securing mobile edge computing

Mobile edge computing or Multi-access Edge Computing (MEC) – is a network architecture that enables cloud computing to be performed at the edge of a mobile network. Currently, many applications manage their online computations and content storage on servers far away from the devices and the end user. MEC brings those processes closer to the user by integrating with the local cellular base stations.

Multi-access edge computing is based on the principle that offering processing capacity at the edge of the network offers significant application benefits especially in responsiveness and reliability. MEC enables faster and flexible deployment of new applications and leads to lower latency — and better performance — for local applications and data when compared with centralized data center resources.

Businesses that run multiple applications that entail high volumes of data with low latency such as IoT gateways in healthcare, retail etc., will find MEC quite appealing. It is going to be a key enabler for connected cars, autonomous vehicles and industrial IoT. Edge computing will help autonomous vehicles achieve higher levels of situational awareness by merging information gathered and processed at the edge and through AI/machine learning. In such areas, even a millisecond delay can make a huge difference. Autonomous vehicles, for instance, cannot wait for information stored to be processed in the cloud (even if it only takes 200 milliseconds) to make a critical decision.

The MEC market is expected to range anywhere between USD3-9 bn by the year 2022. Start-ups will find a new world of opportunities coming their way through MEC. The convergence of connectivity and compute power and the resultant context awareness at a node will lead to services and content being customized to a new level. Wearables, smart homes, utilities and transportation are expected to drive business. All these are segments that hold great potential for start-ups to capitalize on.

As the industry evolves, and the eco-system becomes more enabling, entry barriers are expected to ease. Hyper localization a significant need from a content delivery and a last mile user perspective is enabled with lesser latency. With the content delivery networks or CDNs coming closer to the user, localized content such as area maps can be delivered faster and with more detail to a user. A CDN is a system of distributed servers (network) that deliver pages and other Web content to a user, based on the geographic locations of the user, the origin of the webpage and the content delivery server. Till now, CDNs were in datacenters far away from the user.

On the security and safety front, MEC will enable a new level of surveillance and monitoring as surveillance and video analytics can be done much closer to the source. This also means that the data available to decision makers will be much closer to real-time.

In an industrial environment, MEC can improve safety levels by giving real-time information on heavy equipment, machinery, vehicles and environmental factors. MEC will also improve the response timings in case of an accident or an emergency by enabling first responders to reach ground zero and locate the affected people faster.

In the entertainment vertical, Augmented Reality and Virtual Reality require faster response with the least possible latency. MEC makes that possible. It is expected that many new VR and AR-based games will be released once MEC becomes a commonly used technology.


Lack of standards around MEC is one factor that might slow down adoption of MEC. Many organizations are currently working in parallel on evolving competing standards around MEC focusing on various aspects. With data being stored and processed at a local node the possibility of attacks at that level also increase as a new attack surface emerges. These challenges are being addressed and there are strategies and solutions available to secure MEC and its users.

All said and done, MEC is nothing short of a revolution in the works. Beyond bringing the web and allied services closer to users, it will also usher in a new era of user experience and engagement. The opportunity is clearly on the horizon it is now up to the eco-system players to ramp up their game to hasten adoption without compromising on security in any manner.

Rising importance of IoT in the Indian manufacturing sector

According to a leading analyst firm, by the end of next year, 30 percent of our interactions with technology will be through conversations with smart machines. The manufacturing sector has already taken a lead in this direction by deploying high levels of automation and enabling data exchange across the board. Factories have been turned into smart factories and shop floors have become safer, productive and innovative, and this is just the beginning as there is still a long road to tread as we move forward on this innovation superhighway.

Industry 4.0 as it is popularly referred to relies on several key technologies including autonomous robotics, simulation, horizontal and vertical system integration, the Industrial Internet of Things(IIoT) and cybersecurity. These technologies are transforming manufacturing like never before and are poised to bring in efficiencies, productivity enhancements, safety and sustainability. Such technologies are also generating unique use cases in India as well, meeting the unique challenges that we have see her so far.

Industrial IoT is set to transform the Indian manufacturing landscape as well. Manufacturers here are already using IoT for tracking assets, increasing equipment efficiency, preventive maintenance, supply chain management and more. Proof of concept projects are also running in various areas as manufacturers try out the best possible combination of technologies, processes, human intervention and outcomes.

Use cases

A large manufacturer in Maharashtra is using IIoT to streamline its supply chain. Its factories have a huge vendor footprint spanning multiple cities across the country and abroad. Cargo coming in has to be synched with production schedules and delivery commitments to customers. Thus the whole process has to be orchestrated with precision. Every bit of cargo is tracked till it reaches the warehouse from where the production teams takeover. The shop floor is also IoT enabled with devices tracking the position of each employee and machines sharing data such as temperature, speed of various components, production efficiency, movement of carousel etc.

Another manufacturer is using IIoT to manage equipment health. Each equipment shares data on its current state, state of inputs and essentials such as oil and variables influencing its performance at an optimal level. This data is monitored from a central hub from where help in the form of maintenance staff can be dispatched at short notice if required. Since this entity operates in a precision environment, manufacturing a critical component for a defense hardware manufacturer, the data is also shared with the client as part of an agreed compliance process.

In other cases, IIoT is helping ensure safer working environment for employees, cleaner production environment, preventing industrial espionage and more.

Why is it important?

The Indian government has made “Make in India” initiative a priority. The goal is to strengthen India’s manufacturing prowess while providing a nurturing environment for Indian and international manufacturers to manufacture here. For Make in India to succeed, Indian manufacturers need to manufacture more efficiently, cost effectively and deploy all-round innovation to stay competitive. Industrial IoT will help do that. By streamlining supply chains and processes, reducing operational costs, improving safety and environmental conditions in the workplace, manufacturers can afford to focus more on improving competitiveness and on business strategies while IIoT strengthens their ability meet quality norms and other criteria.

The significance of IIoT should also been seen in the context of the competition Indian manufacturers are facing from entities located in other parts of the world such as South-East Asia. Embracing IIoT will give Indian manufacturers a clear competitive advantage. Also, with norms around pollution and clean manufacturing tightening due to countries voluntarily adopting international protocols, the onus will shift to manufacturers to prove that they comply and are following green and sustainable manufacturing processes and norms. IIoT can also help here as it can give manufacturers clear and precise data to facilitate intervention-oriented decision making to improve production and reduce practices that could cause strain on the environment.

IIoT can not just transform our manufacturing sector but also serve as a strong platform for adoption clean, safe and environment friendly manufacturing processes. It is now up to the sector participants to embrace IIoT and work towards integrating it with their supply chains, processes and manufacturing methods. All said and done, IIoT will be a strong ally for Indian manufacturers to succeed on a global stage.

Securing smart cities

As the smart cities mission gathers momentum in India, one cannot but help imagine that these cities will turn into growth engines for the Indian economy in the near future. A whole new eco-system is coming together to facilitate the evolution of these projects and the country’s technology prowess is also getting a boost thanks to the unique needs that these projects are placing in terms of hardware, software and technology strategies.

One area where we have more work to do is the domain of smart city cyber security. As smart city projects take off and grow in scale, the security challenges will also rise proportionately and so should the strategies and tactics deployed to deal with them.

When one looks at the entities connected with a smart city, the challenge becomes clear. From smart energy to smart infrastructure, the network of people, devices, access points and interfaces creates vulnerabilities that criminals or actors will mal intend can exploit. The web of information flow created by each of these creates complexities that

Any chink in the armor which could be something as downstream as smart street light in a manner of speaking can lead to the whole chain of data getting infected.  The infection could spread upstream going back into the command and control facility and spread to other smart city aspects and threaten the viability of an entire city.

When it comes to cyberattacks on smart cities, the attacks can be subdivided into man-in-the-middle, data and identity theft, device high jacking, Denial of Service and Distributed Denial of Service (DDoS). In all these cases, the hacker or hacker groups might target data, disruption or attacks on third-parties. During a Denial-of- Service attack (DoS attack), a machine or a network resource may be rendered unavailable by flooding it with fake requests that prevent legitimate requests from being attended to. In case of a DDoS, multiple smart city entities may be used to attack a single or multiple sources outside the network to overwhelm the system. Smart cities could either be the targets of such activity or their infrastructure could be used to launch these attacks on other entities.

Smart parking meters, lighting, traffic signals and other connected end points could also fall prey to  Permanent denial- of-service attacks (PDoS), an attack that damages the device so badly that it requires replacement or reinstallation of hardware.

Connected vehicles that interface and engage various aspects of the smart city eco-system could also serve as an entry point for vectors. A connected vehicle that got infected with a vector that came onboard through another city or network could carry that vector and infect another city or network it comes in contact with. A single connected vehicle or a set of vehicles could be virtually highjacked to cause chaos on the roads. In instances where such vehicles interact with intelligent traffic systems, they could be used to mount a DDoS attack on the city or such systems.

During a natural disaster or any other emergency, such vehicles could be turned unusable by hackers thereby increasing the response time.  The easiest way to control mass behavior is by controlling mass or individual transport systems which is why connected vehicles are always on the radar of hackers and other groups.

Malicious actors could work to cause large scale disruption including power outage, grid shutdown, even disrupt emergency services or law enforcement communications.

Every attack on a smart city could lead to loss of capital, revenue potential, legal liabilities or even deaths. If the hacker takes down a traffic management system during peak hour, the disruption could result in loss of manhours and unnecessary fuel consumption both of which have an implication for the economy of the city and the country. A medium sized breach affecting nearly 100000 devices could cost upwards of USD 1 million to fix and this is just a conservative estimate.

While loss of revenue and investment opportunities may be compensated, in the short term through capital infusion, the loss of credibility cannot be fixed that easily.

Protecting smart cities
A multi-pronged approach is needed to secure endpoints, the underlying network infrastructure and the cloud architecture safe. By deploying multiple layers of security through multiple detection and remedial methods, threats from every endpoint could be contained before the network is harmed. Cities can also boost their threat intelligence by installing sensors that constantly monitor the threat environment and automatically respond to those threats across the whole network.

The command and control facility needs to be secured by deploying systems that can monitoring inbound and outbound data traffic and flag any anomaly. A security operations center should also be deployed to constantly monitor the functioning of the smart city at all levels of data flow.  Small but essential steps such as firmware updates need to be done on a regular basis. And finally, through secure decommissioning of devices, smart city security professionals should prevent the repurposing of devices to launch in-bound or outbound attack by logging on to the network.

When it comes to protecting a smart city, a series of small steps done in a coordinated manner with complete attention and involvement of stakeholders at all levels can go a long way in preventing attacks and disruption. Smart cities are undoubtedly the growth engines of the future and deserve security attention and planning of the highest order.

Prioritizing security in the age of Internet of Things

It is almost impossible to underestimate the importance of IoT security. However, businesses appear to be somewhat myopic when it comes to securing their IoT deployments and Proof-of-Concept projects. Enterprise networks across the globe have millions of unmanaged IoT devices connecting to their networks every single day.  IoT security breaches are costly operationally and financially bleeding enterprises to the tune of $2.5 million per attack. Despite the high cost associated, security is yet to emerge as the focal point of attention and action for IoT engineers, business heads, and developers.

Early days

Like other new and innovative technologies that came before it, IoT is right now going through its initial adoption phase. The immediate questions that are asked include: can we hive out a manual process? How do we improve data transmission speeds? Is it possible to make our machines learn? When the answer is yes, the solution in most instances is IoT technology. However, the rush to adopt and deploy these new possibilities has left many CISOs encountering a growing challenge in the form of security.

Over the last few decades, Supervisory Control and Data Acquisition (SCADA) systems have played a major role in industrial operations. Industries like oil and gas, energy/smart grid, agriculture, manufacturing, and utilities have implemented SCADA systems and networks to collect data and automate processes, and are looking to automation systems for more effective ways to operate. Attacks on such critical infrastructure could cause billions in damage and some businesses will find it difficult to get back on their feet.

In the last five years alone, mass rapid transit and power and water systems across the globe have been attacked and shut by hackers. Many of these attacks were designed to manipulate the behavior of the masses and in some instances to inflict unacceptable damage to the economies of the countries involved. Attacks on massive IoT systems like the command and control setup of a smart city could cause disruption of the scale that we have never seen before.

Inherent vulnerabilities

in 2017, over 2 million IoT devices were found to be compromised in a single instance of a powerful malware infection. The attack malware dubbed Reaper or IoTroop was found to be quietly harvesting data across these devices for purposes yet to be fully understood.  Reaper was found to exploit 9 vulnerabilities and according to some researchers, the malware in a mutated form might still be lurking around exploiting vulnerabilities.

Most IoT devices are riddled with vulnerabilities but were not built with patching and updating in mind. Cameras, routers, printers, sensors—all have internal firmware, which usually works for years without an update. As a result, there are many IoT devices, with different versions of kernels, frameworks, web-servers, and applications. And even if manufacturers could develop patches, the logistics of upgrading the software or firmware is extremely challenging.

Compounding the challenge is an unwavering focus on establishing data streams and ensuring PoC success at all costs. In their drive to make IoT deployments successful, decisionmakers and other stakeholders often overlook vulnerabilities and long-term security requirements across processes, devices, data flow, storage, and analytics. Security is not even an afterthought in many instances.

How to prioritize security?

Security should be an integral part of the drawing board for every project. Beyond that, the entire length and breadth of the value chain and IoT implementation should be fortified to secure data, devices and storage mechanisms. Here are a few other steps that are recommended:

  • Security should be part of every IoT discussion within or outside your organization to the extent possible
  • Run internal hackathons and stress test scenarios to identify and fix vulnerabilities
  • Always keep your firmware and software updated and patched
  • Use systems to detect unusual traffic flow or other anomalies
  • Secure legacy systems first
  • Go for layered security with multi-point data encryption
  • Run isolation and remediation drills for devices
  • Identification and authentication of devices is a must

Remember that you are always in the crosshairs of a prospective hacker and the best security strategy is to increase the distance between your critical systems and data and them.

Are smart transportation systems sitting ducks for hackers?

The answer is yes. While investments in public and private transportation systems have grown reasonably well in the last decade, the investments in cybersecurity measures have not increased proportionately. With cybersecurity being grouped with the lowest of investment and resource allocation priorities, hackers and groups with questionable intent have found an avenue to exploit. The result- global and frequent attacks on smart transportation infrastructure.

Vehicles (cars, trucks, buses, etc.) are fundamental units of transportation. They are also the targets for multi-pronged cyber-attacks by hackers. What makes these diverse modes of transit so attractive for hackers? Wide spread disruption, scope for ransom payment by authorities or affected people or simply the ease of attack. It is a well known fact that in the developed world, some of the most critical infrastructure runs on outdated and degraded operating systems with plenty of unpatched vulnerabilities. Hackers and hacktivist groups have known this for a while now.

IoT Security in the banking and financial services space

IoT presents boundless opportunities for the banking industry. Frictionless onboarding, contextual services, multichannel payments, smart asset tracking and back end optimization are some of the key reasons that is driving IoT adoption among banks in India. However, IoT also exposes the banks adopting it to cyber security breaches that could threaten the trust and reputation that banks base their existence on.

India ranks fourth among the top 10 most targeted countries by cyber criminals. In the period between April 2017 and January 2018, over 22,000 websites including those belonging to the government were hacked. A major public sector bank and a private bank in Pune lost nearly INR 100 crores to hackers who exploited weaknesses in the system to channel money to accounts abroad.

The introduction of the Internet of Things to the banking IT infrastructure adds another dimension to the problem.  IoT, an enabler of many business outcomes  open up new and hitherto unknown vulnerabilities in the system that could be exploited by criminals. IoT malware for perpetrating various types of attacks on the banking infrastructure is openly available on the dark web and criminals are constantly modifying their attack strategies and tactics to slip under the security radar to siphon money and data from banks.

Cyber criminals are today deploying Machine Learning (ML) and Artificial Intelligence(AI)-based technologies to launch more sophisticated attacks. ML and AI offer a high level of automation and in a situation where a bank is not aware of its complete inventory of connected assets, a cybercriminal could exploit vulnerabilities in the data chain before the bank could mobilize resources to plug it.

Through a daring attack in 2016, hackers shutdown internet across the east coast of the US using IoT devices. The bot used in this attack was also used to launch attacks on banks in the past. This episode clearly highlighted the dual or multiple use nature of the vectors connected with IoT attacks. Vectors could be reused multiple times to launch attacks on a range of industries that are using IoT to varying degrees.

In June this year, a malware was tracked attempting to modify the DNS server settings in the routers of Brazil residents to redirect their DNS requests to a spurious DNS server. This malicious server was high jacking data traffic bound for the host name of a prominent Brazilian bank and redirecting it to a fake website of the same bank hosted on the same malicious server.

Banks employ traditional IT security strategies to secure IoT ecosystems, while this provides a false sense of security they do very little if not nothing to mitigate the threats. The inherent nature of IoT such as low compute, long deployment lifetimes and lack of standards make them very difficult to secure with traditional IT security systems. IoT security can only be ensured by using paradigms and systems that are designed for IoT ecosystems. Some of these paradigms include strong but light weight encryption, agentless monitoring and ecosystem specific threat mitigation.

Cyber security should be a key consideration in all IoT deployments and should be included as early as possible in the project lifecycle. The first step would be to analyze the whole ecosystem for threats, while individual components (device, connectivity or platform) may be individually secure, the cyber security vulnerabilities open at the seams where these typically diverse components probably supplied by multiple vendors integrate. Next banks must consider all possible protection strategies to lower the attack surface of the IoT ecosystem this may include segregation from the main network, closed connectivity through MPLS, etc.  The third consideration is to put in continuous monitoring system in place, a system specifically designed for IoT and that leverages IoT specific threat intelligence and advanced machine learning to detect threats that are rampant in IoT.

All cybersecurity strategies should work with one tenet that despite all systems and processes that is put in place, breaches are inevitable. Cyber resiliency is the ability to respond and recover from breaches. Banks should have response plans that satisfy regulatory requirements and public messaging in place to regain the trust of patrons. IoT ecosystems once integrated become critical to the operations of the bank and hence business continuity should also be a key consideration in the event of a cyber-attack.

Secure IoT promises to improve customer interaction, create competitive advantage and lower costs for banks. Security is the only differentiator that can ensure that IoT becomes a key differentiator for the bank, lack of which just makes IoT the Achilles heel in a bank’s operations and another failed project.

Get Started with Subex

Schedule a Demo
close slider

    I consent to receive communications from Subex Limited. Confirm Opt-In