The hackers, the fish and the high-rollers

How corporations are trying to stay one step ahead of cyber criminals.

The fishy world of cyber crime (photo: MM)

A report by the European police agency, Europol, confirms that criminals share a special kind of alertness with entrepreneurs when it comes to identifying the business opportunities that new technologies offer. A case in point is the Internet of Things (IOT), where criminals have been quick to exploit vulnerabilities related to the proliferation of connected devices.

According to a recent report, 978 million victims lost $172 billion to cyber crime in 2017. Things are likely to get worse as IHS Markit expects the number of connected IoT devices worldwide to jump from nearly 27 billion in 2017 to 125 billion in 2030.

The steady increase of connected devices is a major headache for risk professionals. Most believe that a data breach or cyber attack caused by insecure IoT devices would be “catastrophic” for their organization.

As defined by the standardization bodies, IEC and ISO, IoT is “an infrastructure of interconnected objects, people, systems and information resources together with intelligent services to allow them to process information of the physical and the virtual world and react.” It covers everything from household appliances to connected cars to widgets in nuclear power plants (NPPs).

In the past decade we have gone from worrying about protecting our computers and smartphones to being aware of the risks that refrigerators, thermostats, industrial machines and other systems pose to network security. In industrial environments, the growth of connected devices has accelerated the convergence of the once separate domains of Information Technology (IT) and Operational Technology (OT), resulting in Industrial IOT (IIOT).

This has made cyber security intrusions and threats more difficult to detect and prevent. At the same time, tools like the IoT search engine Shodan have made it much easier for hackers to pinpoint vulnerable devices in a network, whether it is refrigerators, heating systems, or in the case of hackers targeting a casino in North America, a fish tank.

The casino hackers were able to transfer 10 GB of data out of the network, via a smart thermostat and up to the cloud, including the bank account details of wealthy patrons. The crux of the matter is that when connected to a network, any device with weak security poses a risk to the whole organization.

Malware gives hackers an even quicker route into a network if their targets can be tricked into opening infected documents. Secret papers leaked last year revealed that CIA agents regularly use malware to turn connected televisions into bugging devices.

Sometimes called Industrial IoT, operational technology (OT) refers to hardware and software that controls physical processes, industrial devices and infrastructure. For example, the manufacturing industry is fast proving a popular target for hackers as it becomes better connected.

Elsewhere, protecting energy security and critical energy infrastructure against cyber attacks is rapidly emerging as an absolute priority. A May 2017 report by the FBI and Homeland Security warned that hackers were penetrating the computer networks of nuclear power stations and other energy facilities in the US and around the world.

Seven months later, in December 2017, a cyber attack shut down a power plant, believed to be in Saudi Arabia. Attacks targeting nuclear power plants (NPPs) could have devastating consequences for the entire power network and the ability to trigger an environmental catastrophe.

The IEC has issued 235 OT and IT security-related publications. Some 160 have been developed in cooperation with ISO, including the ISO/IEC 27000 family of Standards.

In the fight against cyber crime it is of critical importance to understand when, if and how an intrusion into a network, system or application occurs. Security systems must be able to identify what vulnerability was exploited in order to implement the right checks and controls so as to prevent similar intrusions in the future.

“Technology breeds crime and we are constantly trying to develop technology to stay one step ahead of the person trying to use it negatively,” says Frank Abagnale, a man who knows a thing or two about the criminal psyche. Abagnale, whose life story became the subject of a film by Steven Spielberg, worked for the FBI and a host of organizations as a security consultant, but in his youth was one of America’s most wanted criminals.

Adhering to International Standards is the most effective way to stay one step ahead. They provide a robust and reliable framework for cyber security, based on best practices identified by the leading industry and technology experts around the world.

While organizations must continue to be vigilant, they can at least count on International Standards for help. For example, the widely known ISO/IEC 27000 family of Standards provides a powerful framework for benchmarking against best practices in the implementation, maintenance and continual improvement of controls.