With our propensity to connect every gewgaw and curio in our lives to the internet, the surface area and vectors of cyber threats are expanding exponentially with each Consumer Electronics Show (CES). As the latest "smart" coffee maker, refrigerator, light bulb and doorknob - killing the expression "dumb as a doorknob" - are revealed to rapturous technophiles, many in the cybersecurity community are aghast. While the prospect of killer coffee makers or a doorknob that will not unlock or will open at will, as was recently visited upon Airbnb hosts, is certainly frightening, the specter of small-scale internet of things (IoT) exploits pales in comparison to the risks posed by the internet of very big things.
Simply put, if there is a way for data feeds to get out of a device, sensor or control system, there is a way for infiltrators, viruses and ransomware to get in. Indeed, this digital backdoor is present across the IoT landscape, as well as in the third-party relationships of most organizations. In the most sophisticated cases, and this is where things get truly frightening, operating systems can be overcome, handing over the reins to remote users who might have questionable motives for taking over your aircraft, navigation systems or fleet of vehicles. Indeed, this is one of the key risks to critical infrastructure, such as the electricity grid, water control systems and other industrial operating frameworks that often ride on antiquated and highly vulnerable software platforms. One of the principal vulnerabilities is that these systems are often not inoculated through software patches because they are like digital Frankensteins, designed on a patchwork of dated technology. If there are gaping holes in the retail and commercial software patching process – the likes of which enabled the WannaCry ransomware attack to spread to 150 countries in 3 days – the industrial software patch quilt is in complete tatters. The irony should not be lost that to improve industrial software patching, selective connectivity will be required.
As with many cyber exploits of the "snooping" variety (or dark supply chain exploits), people have become inoculated to prying eyes, whether from the state or from their neighbor. The real risk of someone gaining unwanted access to your medical records is not that they know your blood type is B positive. It is that they now have the power to alter your blood type, irrevocably changing your diagnosis or medical care. This is a very real risk with long-term implications. Expanding the ability to alter information in this manner or fully seizing control of complex operating systems – creating veritable zombies – calls for greater urgency in understanding IoT risks, particularly as they relate to national security and public safety. IoT advancing in lockstep with industrial automation and product autonomy, such as driverless cars, means that quite literally no one is watching the wheel when possible threats take over.
Looking at the aviation industry through this dark lens, one of the exposures that keeps insurers awake at night is that they are tacitly on the hook for cyber threats to aircraft. This is while they have not collected adequate premiums to properly absorb potentially catastrophic claims, let alone conducted adequate actuarial modeling. Most insurers wade into new waters by fine-tuning the narrow straits of their exclusionary language. Indeed, it is advisable for all policyholders in any class of insurance to begin by reading what is not covered to understand what is. Herein lies the worry when it comes to aviation risks. Cyber threats are not specifically called out, so while the “silence” on cyber risk in policy language may create ambiguity, it does not necessarily relieve insurers from being on-risk. Financing these losses is less important than patching technological holes and preventing them altogether.
IoT risks of the “very big t” variety should always be treated as possible catastrophic losses or black swans in their severity but not in terms of their likelihood. Therefore, avoidance and truly creating barriers to risk entry are key priorities. With nuclear safety, for example, the risk of connectivity is far too great to warrant the ease of use and the power or remoteness enabled by IoT. At the same time, the computational and security trade-offs of running nuclear industrial systems require the cyber safety equivalent of an abacus with the processing power of Watson. Striking the right balance between both the technological and security layers requires deep emphasis on the most important layers of cyber resilience – namely, risk-ready people with risk-aware governance standards.
The race to connect every single device on the planet is afoot, with more than 8.4 billion connected devices today. So the prospect of reversing the IoT tide is a moot point. The question then is how can the world go about contending with massive connectivity, especially as enterprises grapple with digital transformation initiatives, while at the same time balancing security standards? For managing cybersecurity in very big things, it is better to ask the question: should this device be connected in the first place? What are the risk and reward trade-offs? What are the possible exploits that are not contemplated when industrial engineers want to remotely monitor everything and CFOs and CIOs want to remotely monetize everything? What does IoT do to product and management liability? Sadly, like airport safety, we will not know where to harden until something bad happens. Until then, people, businesses and governments should ask delicate questions about connectivity.