© Fraunhofer / Tom Maelsa

CYBER SECURITY  What we now need to know about digital attacks, IoT and recent research

By Nadia S. Zaboura

The first wave of attacks starts at 6:10 a.m. EDT. It paralyses access to a wide range of popular websites: Netflix, Amazon, Spotify, Twitter, GitHub, CNN and many more are not reachable for many hours. The bots are back.

((For a German version of this article, click here.))

That one thing security experts feared and predicted for a long time hits the digital economy on October 21, 2016 — with full force: Utilizing an armada of hijacked security cameras, criminals launch a digital attack of an unprecedented scale. With serious impacts: Affected companies are incapable of keeping their business running, thus sending their staff home. Millions of customers in the US and in parts of Europe are confused. And the economic damage done is not quantified as yet.

This major blackout occured less than 20 hours after the closing remarks at a symposium titled „Fraunhofer Day of Cybersecurity 2016“: Over 160 professionals convened in Berlin, following the invitation of renowned Fraunhofer Society, Europe’s largest organization for applied research (featuring a staff of 24.000, who work with an annual research budget totalling more than 2.1 billion Euros). At this very conference — that I had the pleasure to lead through as specialist presenter — the attendees saw experts precisely predicting these massive attacks and subsequently introducing the latest IT security solutions backed by research.

But let’s skip back to the beginning in order to sum things up with four key security aspects for digitial economy and society.

„Smart“ devices as digital weapons

In order to understand both, the extent and future of digital threats as well as effective countermeasures, it is inevitable to take a closer look at how the October attacks took place.

We know that a DDoS attack caused the system outage — a wilfully induced server overload. The main victim was US-based company DYN, a provider of DNS systems for many major Internet platforms. In a nutshell: If DYN servers break down due to forced overload, then their clients’ websites can no longer be reached. A toxic attack at digital economy itself, on its omnipresent always-on business models.

While up to this point such DDoS attacks were unleashed by means of infected computers (around 40% are said to be affected in Germany alone), we are now standing at the cusp of more radical methods finding use — with hackers exploiting the Internet of Things (IoT), that is the increasing digital cross-linking of machines, devices, sensors.

Exactly that is what happened on said October 21: A botnet consisting of an invisible army of hijacked industrial surveillance cameras in the tens of millions attacked the DYN servers in three waves, thus forcing them to their knees. From early morning until late afternoon, several of the most popular US websites were rendered inaccessible.

From Internet of Things to Botnet of Things

Clearly, the Internet of Things is starting to attract criminals as a new playing field, as a new and vast resource. Moreover, with the forecast growth of IoT and all its connected devices, the threat of a Botnet of Things arises simultaneously: BoT attacks might shut down our Internet access on a large scale — at least temporarily.

It is hard to conceive just how serious the impact of such an outage might turn out for global digital economy. This in spite of the fact that the future of IoT seemed nothing but bright so far: With the value of the IoT market in 2014 already hitting more than 600 billion US dollars, it is said to increase to around 1.8 trillion US dollars in 2022. An enormous market, with companies across the globe fiercely competing for shares, developing new business models, new products and new supply chains.

Smart everything: Gateway for blackmail 4.0?

So as tempting as prospects may seem: Digital business model in any industry might turn out fragile and vulnerable in times of ubiquitous networked devices. Eventually, with the growth of smart, connected devices, the risk of being attacked by these increases as well. Market researcher Gartner recently predicted just how rapidly this number of smart devices is expected to rise:

Around 21 billion things will be connected to the Internet by 2020 — with currently 5.5 million new devices added to the network each day: Devices for smart home and smart city applications. For smart factories and industry 4.0, for autonomous driving and e-health solutions. Devices that not always meet current safety standards. Devices that are not continuously tested. In short: hackable devices, whose combined malicious force could shut down entire parts of the Internet (without their owners even knowing).

With this scenario in mind, it doesn’t come as a surprise experts are already picturing a specific botnet business model, particularly profitable for criminals: On the one hand, service providers make easy blackmail targets, just by threatening them with a BoT attack. On the other hand, anybody could order such an attack for a handful of dollars, switching off competition and afflicting them with real business and reputational damages. BaaS — Botnet as a Service, if you will.

Practical relevance and pioneering research

© Fraunhofer / Tom Maelsa

While the attack of October 21 already is a complex matter, the sheer number of all pressing cybersecurity challenges urges all three — large companies, SMEs & startups—to tackle IT security concertedly. But what should be taken into consideration? Which standards safeguard data effectively? What is the current state of research and which solutions are appropriate?

Answers to these and many more questions were provided during the aforementioned “Fraunhofer Day of Cybersecurity 2016”. Participants from industry, science and politics gathered on October 20, 2016 at Fraunhofer Forum, Berlin. In his opening remarks, Fraunhofer Research Director Dr. Raoul Klingner emphasized how inseparable trust and security are in today’s society and economy. Digital security must be understood as a matter of national sovereignty, while also permeating a variety of global topics:

From mobile and automotive security through industry 4.0 and product certification for reliable industrial value chains to IT forensics and supply guarantees regarding critical infrastructures — think about the basic supply of energy, water, finance or transport. Around 400 Fraunhofer scientists currently conduct research in these and other fields, jointly developing new security solutions across institutional borders and topics.

Call for action and mythbusting

© Fraunhofer / Tom Maelsa

In their following keynote speeches, representatives of the German Federal Research Ministry and the German Federal Ministry of Economics also claimed that digital security is a matter of vital importance. Both heads of departments highlighted current and future activities supported by politics and governments — including an open call by Prof. Wolf-Dieter Lukas to directly address the Research Ministry with innovative research projects regarding IT security.

The ensuing format “mythbusting” then turned out to be instructive even for proven experts. Many myths still surround the topic of cyber security: Hackers spend their time isolated and lonely in basement flats, proprietary solutions are always safer than open source software and security inevitably comes at the expense of usability. For busting these myths, eight of the most persistent assumptions were identified — and then debunked once and for all by Fraunhofer researchers (now available online, German only).

Industry requirements — research solutions

Four external experts then illuminated key security challenges for corporations and SMEs. Present were representatives of Airbus Space & Defense, the Federal Printing Office Bundesdruckerei, German Mechanical and Plant Engineering Association VDMA and German Federal Association for Information Technology, Telecommunications and New Media BITKOM.

© Saskia Esken via Twitter (@EskenSaskia)

All experts debated practical challenges such as coherent, resilient security architectures including different confidence levels, the digitization progress in SMEs, recruitment problems (current delta between actual demand and approx. 40.000 vacancies for IT security specialists), the ideal balance between industry initiatives and political regulation as well as industry implications of the aforementioned Botnet of Things, for instance in terms of necessary global standards, certifications and lifecycle security.

Research responses to these challenges were then provided by five Fraunhofer institute directors. All five granted insights into current cybersecurity projects, e.g. from “Volksverschlüsselung” (easy encryption for the masses) and protection measures for intelligent factories through mobile industrial test labs for the detection of vulnerabilities to training programs for the economy and measures for usable security, which turn the security loophole “human” into seasoned users.

Compact information on these and other current research projects can be found here.

The four key take aways for timely cyber security

The symposium eventually concluded with four industry workshops in which I carefully noted four key security aspects for digitial economy and society, which turned out as programmatic for the entire event:

© Fraunhofer / Tom Maelsa

1. Need to Connect
Is it really a given that all things need to be connected to the Internet — from bulb to sensor-rocking bassinet? Not upgrading every single thing into a smart device should surely turn out as beneficial for basic trust in the IoT market. Moreover, corporate responsibility — spanning from supervising value chains and suppliers to own products — will make the Internet of Things a safe and sustainable place to do business in.

2. Security by Design
The basic requirement for safe products is the consistent consideration of current safety standards. Starting during hardware and software planning phase, this process continues during development right up to continuous lifecycle testing. Significant resources can be saved by raising awareness for this principle within the IT industry as well as by its effective transfer via rigorous training of professionals.

3. Realism, not tech pessimism
Yes, IT security is a complex undertaking. Yes, complete security is hardly feasible. No, this should not lead to either panic or passivity. With coherent security concepts — from a protection requirements analysis through staff training and certification (ISO 2001 et al.) to emergency planning — companies can close huge security gaps quickly, thus avoiding subsequent and costly patching.

4. Security as innovation driver and locational advantage
If the digital economy has shown one thing, it is that challenges do offer great potential for clever solutions. Companies, startups and institutions that turn security challenges into their business model push “innovation driver” security forward — and simultaneously strengthen the reputation of Germany as a trusted site and secure data haven.

Want to learn more about the 4 main aspects, further key points and collaboration on cyber security and digital topics? Get in touch.

Furthermore, a fine video review, reflecting the symposiums’ highlights, can be found following this link.

((For a German version of this article, click here or visit this website.))

© Text: Nadia S. Zaboura