Why IoT Device Security Is a Common Pool Resource

The Internet of Things (IoT) is not merely devices that provide data to users, but networks of connected devices that can also communicate with one another. These capabilities don't just open up a world of possibilities for individuals, organizations and economies, but also enable cybercriminals to launch attacks such as botnets. The best-known botnet is the 2016 variant known as Mirai, which succeeded in bringing down mainstream internet websites. But exploits such as EternalBlue, ransomware and malware, in general, have become more dangerous for organizations with IoT deployments. And while botnets are dangerous, malware capable of lateral movement is even more so as it can cause extensive damage after accessing a single networked device.

Consider, for instance, a recent malware strain known as “WannMine” that first seeks out credentials on the network, then proceeds to infect every device possible. The goal of the attack is to use their processing power to mine for Bitcoin. Normally, these attacks target personal computers, but organizations with poor IoT device security are vulnerable as well, given that they often run on unsecured Linux builds. Malware such as WannMine and Mirai could easily be made to exploit IoT devices to hold them ransom until payment is made. This threat is something that should concern industrial Internet of Things (IIoT) users.

[Internet of Things World addresses the security concerns for IoT implementation in every vertical, attracting senior security professionals from the world’s biggest organizations. Get your tickets and free expo passes now.]

Some of the most significant threats an organization face come from vulnerabilities in their application of the IIoT. Although IIoT is a subset of the Internet of Things, it uses a substantially similar network of devices, sensors and data with the explicit intent to optimize operations, productivity, reduce costs, and increase profitability. Most IIoT systems are fully automated. Think about modern car assembly lines; Machines handle the majority of tasks. One ransomware or botnet attack here and a whole company could be taken out overnight. Threats will continue to proliferate for the Internet of Things until organizations start to realize that there is more to security than phishing emails and malcontent hoodie-wearing hackers toiling away in a basement someplace.

The Tragedy of the Commons and IoT Security

In the famous text “Tragedy of the Commons,” Garrett Hardin outlines a scenario where a shared resource is depleted by self-interested actors making rational choices. One typical example is overfishing. This scenario demonstrated how technology alone cannot fix the problem of commons degradation. A shift in human values is required.

While this scenario is often brought up in regards to sustainable development, it applies quite well to the challenges we face today with cybersecurity. Consider how data breaches impact far more than just the individual or organization who has been attacked. Cybersecurity is often seen as a problem individual actors must solve for themselves according to their own means and motivations. IoT creates a more entrenched and connected network of devices and makes available more data, thereby increasing the impact of a breach. According to Raytheon and the Ponemon Institute, more than 80 percent of senior IT practitioners believe a catastrophic data breach is likely to happen due to unsecured IoT devices at their organization over the next three years. Remember the scale of the Equifax breach and how that one shook the very foundations of the U.S. credit system? If addressing IoT security requires that we treat the commons as a resource, what exactly can we do?

Treating Security as a Common Pool Resource

Empirical data suggests that individuals often develop their own solutions to the commons dilemma. In regards to IoT device security, the Industrial Internet Consortium is an independent coalition whose priorities including enhancing industrial Internet of Things security. Non-governmental efforts such as this treat security as a common pool resource that impacts us all. Such efforts should be encouraged and supported more since they frame security as not an individual issue but a common issue that needs collaboration to address. Government regulation will catch up eventually, but for now, businesses need to coordinate security among themselves. This is where organizational culture comes into play.

Cultivating a IoT Security Culture

Cultural development requires a clear vision, interventions and method for evaluation. There is no one correct way to do this, however, there are a few tips that have proven helpful. First set the vision for what your security culture will look like so that management is on the same page. Second, determine the scale of culture change and identify what interventions will get you there. Interventions can be behavior monitoring programs that alert users of policy violations or periodic awareness campaigns. You will also need to ensure there are security standards in place for every device or endpoint that is on your network. Ensure communication channels are established with management and employees for assessment and feedback. Lastly, there is the factor of measuring success. You should identify some key performance indicators, but also integrate the Security Return on Investment formula to assess if you’re generating a savings from your security culture program. If you are not, assess where improvements could be made to the program.

The Internet of Things is quickly changing the security landscape and is forcing us to rethink how we frame it. While most would say that improving IoT device security starts within our organizations, the reality is that we collectively need to treat security as a common resource that is maintained by us all.