The Internet of Things garnered plenty of headlines in 2018, but not necessarily for the best reasons. While the rapidly growing industry successfully avoided the type of black eye that the Dyn DDoS attack left back in 2016, IoT devices are still seen as major vulnerabilities among cybersecurity experts.
In fact, IoT cybersecurity is such a concern that, in 2018, California became the first state in the nation to pass an IoT bill—establishing minimum cybersecurity standards for connected devices. And while new rules governing IoT cybersecurity are helpful (even if confined to the state of California), watchers of the space shouldn’t expect a significantly safer ecosystem in 2019.
To that effect, we sat down with Dover’s senior leadership team to see what their expectations are for IoT cybersecurity in the year ahead. Below, Dover CEO and Founder Jothy Rosenberg, Co-Founder and VP of Engineering Marco Ciaffi, CTO Steve Millburn, and Chief Scientist Greg Sullivan share their predictions on IoT cybersecurity for 2019.
2019 Will Be a Watershed Year for RISC-V Processor Adoption in IoT
There’s a wave building in the IoT processor world, and we’re about to see a sea change when it comes to the dominant processors in the space, according to Rosenberg and Ciaffi. In the last year alone, major announcements from Western Digital and Nvidia have brought brand names into the RISC-V community--and in big ways.
In the case of WD, their CTO has announced the organization’s intent to be the leader of an industry-wide transition to RISC-V processors. Nvidia, in their own right, has announced that their next-gen Falcon controller will use RISC-V and the company is also looking into future projects with the open-source processors.
“Western Digital and Nvidia are two great companies to have endorsing and transitioning to RISC-V,” said Rosenberg. “But I predict that in the next year we’ll see at least three more major announcements that will make WD and Nvidia pale in comparison.
“We’ll look back at 2019 as the year when RISC-V starts to become the dominate processor for the IoT space.”
There are other indications that 2019 will be a big year for RISC-V as well.
Ciaffi noted that SiFive’s growth alone in the Asian market will be seen in hindsight as a “proliferation of RISC-V processors into the space.”
“It’s not just SiFive,” says Ciaffi, “it’s that the RISC-V Foundation is seeing its membership grow; it’s that RISC-V summits and workshops are getting more recognition and being hosted in spaces like Google, Rambus, and Western Digital.”
Ciaffi also notes that at the 2018 RISC-V Summit “the No. 1 semiconductor provider in the automotive space, NXP, handed out free RISC-V evaluation boards,” so developers could start getting familiar with the architecture and begin writing code for the next generation of processors in the industry.
In 2019 We’ll Come Dangerously Close to Leon Panetta’s Prediction of a “Cyber Pearl Harbor”
Imagine a cyberattack so devastating that it moves stock markets and negatively impacts GDP? Leon Panetta warned of such an attack back in 2012, and 2019 just might be the year we see it unfold, Rosenberg predicts.
“It might seem ‘impossible,’ or the stuff of movies,” said Rosenberg, “but thanks to the proliferation of the Industrial Internet of Things and embedded systems, a cyberattack like the one Panetta is talking about is easier and more possible to achieve than ever before.”
Rosenberg notes that it would only take a blackout of a major US city or two, for a few strategic hours, to cause significant damage to the US economy and that it won’t take a nation-state to pull it off.
He noted, in a recent white paper on embedded system safety, a December 2014 attack in which a cybercriminal group caused extraordinary collateral damage to a german steel mill by hacking their network and accidentally sending a blast furnace into overdrive. Scenarios like that, replicated and coordinated in locations across the US, could be devastating to the US economy.
Ciaffi largely agrees with Rosenberg’s assessment, but adds that the attack might not be as obvious as major rolling blackouts, or disruptions to large industrial facilities. It could be more subtle and focused on extracting money from the US economy through the stock market, he said.
“Imagine an attack scenario where a bad actor takes over a simple sensor on a pipeline or a power substation,” said Ciaffi. “In this case, the attacker sends bogus power consumption data to the sensor which in turn affects the price of energy futures on the commodities markets.
“An attack so focused and seemingly inconspicuous could mean the attacker walks away without anyone noticing in time to do anything about it.”
By the End of 2019 at Least Half the US Population Will Own a Compromised IoT Device
When it comes to security, some IoT devices ship with nothing more than a default passcode set at “0000.” As IoT For All noted in their 2018 IoT predictions piece, by 2025 there are expected to be some 70 billion IoT devices in existence. And while 2025 might seem a ways off, Statista estimates that by 2020, the average connected devices per person will reach 6.58.
What this all boils down to is that it’s more likely than ever that the average person will own a device with little or no security. And, as Milburn points out, this means your insecure devices are probably being secretly used in botnets.
“IoT security is sorely needed, but vendors aren’t doing enough right now and it’s making it incredibly easy for attackers to string together devices into massive botnets,” Milburn said. “Until IoT device makers start doing their part by securing their embedded systems, attacks like we saw in 2016 that took down Twitter and other popular sites, are only going to get worse and more wide spread.”
Although this might seem like a lofty prediction, Dover Chief Scientist, Greg Sullivan, says it’s just the reality of today’s IoT.
“If you own devices that are connected to the internet, then you are vulnerable to attacks,” Sullivan said. “It’s not because you’re ‘bad at cybersecurity,’ it’s that the entire industry lacks the tools required to build secure processors.
“Until vendors start building truly secure processors, this is the reality we have to deal with.”
In this reality, Sullivan says it’s innocuous connected devices we need to worry about most. “Coffee makers, connected clothing, smart speakers, your connected fridge,” are all targets for hackers because they can all be compromised relatively easily and added to botnets. And, since most lack security features on the whole, the user rarely has any idea that their devices are compromised to begin with.
Want to stay more informed in 2019? Subscribe today and we’ll send content like this directly to your inbox.