In a recent article, “The Internet of Things meets disruptive technologies”, I talked about some of the security implications of the IoT, noting that in coming years, threat levels will rise further as the IoT comes online and opens up even more ways for cybercriminals to exploit the weakest links in the ecosystem to move around on the network and seek financial gain.
Many of the commonly discussed threats involve theft of sensitive data, introduction of malware, and ultimately, “command and control”-style sabotage of connected, controllable devices. Of course, the threat level increases as IoT devices become more controllable and more autonomous. In these latter cases, cybercriminals can exploit vulnerabilities to remotely control IoT devices to change sensor or device behavior, to sabotage these devices, or even inflict physical damage on the surrounding environment.
Here are a few scenarios to illustrate the point:
Connected home hacked to open the front door to thieves, open garage door to steal a car, raise heater to maximum levels to damage air conditioning system and/or household goods, turn off refrigerator, turn off sprinkler system, access personal computers, and so on.
Connected, autonomous car or delivery vehicle sabotaged to crash via inappropriate acceleration or braking, or sent to incorrect destinations; vehicles such as trains, aircraft, drones, ships etc. similarly misdirected or sabotaged.
Connected hospital hacked to change the route of delivery robots or the functions of medical devices such as pacemakers and insulin pumps, and so on.
Connected manufacturer hacked to interrupt functions of warehouse “picking” robots, equipment monitoring and maintenance sensors, plant control systems, supply chain activities, and so on.
SCADA and PLC systems sabotaged in similar fashion to the Stuxnet worm that spun up Iran’s nuclear centrifuges.
In each case the resulting “damage” can range from nuisance issues all the way to serious issues related to potential injury or loss of life, damage to physical property, or even threats to national security.
While hacking and sabotaging the sensors and devices themselves may grab the headlines, one of the other major issues in the future will be the simple theft of detailed and sensitive data arising from the ongoing use of IoT sensors and devices – this is the halo of data that swirls around these objects.
As part of their everyday use, many IoT devices will contribute to what I call the “Internet of Behaviors”. This is the detailed usage and behavioral data that’s collected as individuals use various IoT devices and systems. It provides compelling insights that organizations can use to gain a better understanding of their customers in terms of their preferences, behaviors and interests.
The implication for cybersecurity is that cybercriminals will now have more access to masses of sensitive data revealing consumer patterns of behavior. This may well give cybercriminals more data, such as healthcare data, to hold for ransom, and more data, such as daily travel routines, to pick the exact time and place for a physical crime. We may also see more thefts of mobile devices, since many will now provide physical access to homes and offices.
As we continue to blur the lines along digital and physical boundaries, we may see cybercriminals form alliances to perpetrate hybrid digital and physical crimes. You can imagine a digital cyber-ring selling stolen property access (e.g. hacked electronic front door or building access codes) or vehicle delivery schedules and routes to traditional criminals.
As IoT ecosystems are developed, and often include multiple partners and suppliers as well as consumers and citizens, it will be important to gain an understanding of the potential legal issues should either sensitive data become compromised or these sensors and devices themselves become controlled by cybercriminals. A comprehensive risk management strategy and a robust approach to cybersecurity, extending existing cybersecurity techniques, will need to be developed to support these new classes of devices and their new usage scenarios.
Four key tenets of this new approach to cybersecurity will include converged security (to protect physical as well as digital assets), defense-in-depth (even more important with more points of vulnerability on the network), “zero-trust” (to help prevent lateral movement on the network once hackers gain access via IoT devices, for example), and an adaptive perimeter (to help dynamically draw and re-draw lines of protection around key external assets).
Finally, with the “Internet of Behaviors” now storing masses of detailed consumer behavior from the use of IoT devices and systems, it will be critical for organizations to define and clearly understand the roles, responsibilities and expectations of each other in terms of data privacy and also in the event of a data breach within IoT ecosystems.