Late last week, a series of waves of online attacks on Domain Name Server (DNS) provider Dyn Inc. blocked access to hundreds of well visited Internet web sites including Amazon, Twitter, Netflix, PayPal, The New York Times and various other sites throughout the day. The cause has since been attributed to a distributed denial of service (DDoS) attack against Dyn, which as a DNS facilitates the loading of webpages. The DDoS attack, which came in three waves, overwhelmed the servers of the New Hampshire-based DNS provider.
From our Supply Chain Matters lens these increasingly occurring and more impactful malware related incidents, which are now utilizing physical embedded devices at the edge of networks, provide a very concerning signpost for Internet of Things (IoT) related deployments and business initiatives. Namely that data security among physical devices installed within distributed industrial networks should remain a top-of-mind concern and potential threat.
According to a published report by USA Today, the hackers used the malware program Mirai, which can send thousands and even hundreds of thousands of servers’ requests simultaneously, creating a flood of fake traffic and overwhelming a targeted web site. Further disclosed was the hacker created malware program was carried out, in part, by calling into service unsuspecting devices connected to the internet. The report cited tech firm Dynatrace which monitors more than 150 websites, indicating that it found that 77 of those sites were impacted by the attack.
Security firm Flashpoint indicated to media outlets that it believes that digital video recorders and webcams in people’s homes were taken over by malware and then, without owners’ knowledge, used to help execute the massive cyberattack. Once more, hundreds of thousands of devices appear to have been infected with the malware.
Further noted by Flashpoint was that the methods used in Friday’s attack were very like the one carried out against the website of cyber researcher Brian Krebs last month, as well as French internet service provider OVH. It is unknown if the attacks are related.
In this year’s Predictions for Industry and Global Supply Chains, we included the prediction that IoT initiatives would continue to meet the realities of line-of-business strategy and deployment concerns. Further noted that it is rather important to not get caught-up in the plethora of predictions for billions of devices connected to the Internet. Rather it is important to differentiate B2C consumer focused and consumer market use cases from those of broader B2B needs, often referred to as the Industrial Internet. The consumer device sector may well be quagmire in conflicting standards, protocols and security vulnerabilities, and this latest attack incident provides ample evidence.
Thus, our counsel to readers, both line-of-business and IT focused, is to not dismiss the latest incident in the context of consumer related devices installed with little regard for layered data and password protections, and that our situation is far different. In the various IoT focused briefings and presentations from consultants and systems integrators that this industry analyst and technology influencer has taken in, we have indeed heard iterations of IoT focused information protocols utilized that are very dated, and of information or password security layers that thin because of concerns related to the seamless interchange of required data exchange from physical devices to certain applications. There are indeed more updated standards, but the challenge is the lack of multi-vendor adherence, differences or acceptance among various existing standards. The obvious takeaway from the ongoing, more powerful malware attacks that continue to occur is that layered information security cannot be compromised, and that applies even more to the Industrial Internet and edge networks.
When we penned this year’s IoT focused prediction last December, we included the following statement:
“We join others in predicting that information hacking will provide additional headline visibility in 2016, increasing the pressure on technology providers and device producers to focus more on information security remediation techniques.”
We do not take pleasure that indeed our prediction has manifested itself, and we again urge IoT evaluation and deployment teams to pay special attention to layered information security safeguards.
© Copyright 2016. The Ferrari Consulting and Research Group and the Supply Chain Matters® blog. All rights reserved.