Updated: Oct 10, 2020
Back in 1904, the rise of AI and IoT was predicted by Nikola Tesla, “when wireless is fully applied, the Earth will be converted into a huge connected brain...” perhaps of both living and non-living things.
IoT devices are inundating the world and are becoming cognitively better day by day with more robust AI engines. But as these 30 billion devices become more pervasive in our lives, cybersecurity will be the main challenge that IT operations will have to grapple with.
Last year, I had the privilege of giving a webinar on “How to Protect 30 Billion IoT Devices by 2020,” and last week I was given the opportunity to present a sequel entitled “The Rising Impact of AI and IoT in the World of Cybersecurity”; both webinars were hosted by the EC-Council. In this article I’m going to outline some of the key takeaways from both webinars.
Without a doubt, IoT is one of the fastest-growing technologies in this digital economy. The global market value of IoT is estimated to be greater than seven trillion dollars this year. Since 2017, the number of IoT devices has grown exponentially, by about 8.5 billion per year. This year (2020) there are more than 30 billion connected IoT devices in cyberspace.
With growth comes risk -- as Sophocles put it, “Nothing vast enters the life of mortals without a curse.” So we need to ask these three compelling questions:
What are the risks and threats associated with the proliferation of IoT and AI?
What do we need to do to protect the IoT and AI space and why?
How are we going to protect our world with 30 billion IoT devices connected in the cyberspace?
The Risks and Threats of IoT are Real & Imminent
From 2010 to 2012, TRENDnet sold SecurView cameras for uses ranging from home security to baby monitoring. Faulty software, however, let anyone who obtained a camera’s IP address view and listen in on the home of anyone who had installed one of these devices at the time.
Source: TechNews World
In Our Offices
In Oct. 2016, a malware called Mirai searched for vulnerable IoT devices and then used known default usernames and passwords to log in to them and propagate the infection. CNN, Twitter, and Netflix were some of the big names infected by this malware.
Source: PC Magazine
In Our Vehicles
In July 2015, a team of researchers took total control of a Jeep SUV through the vehicle’s CAN bus. By exploiting a firmware update vulnerability, they hijacked the vehicle over the Sprint cellular network and found they could make it speed up, slow down, and even veer off the road.
Source: IBM Security
In Wearable Devices
In Sept. 2017, University of Edinburgh researchers and researchers from Germany and Italy proved that personal information can be stolen from popular Fitbit devices.
In Medical Devices
In Jan. 2017, the FDA confirmed that St. Jude Medical’s (now Abbott) pacemakers and defibrillators have vulnerabilities that could allow a hacker to access the device.
In the Manufacturing Plants
In 2016, the European steel conglomerate ThyssenKrupp confirmed that it had been victimized by a cyberattack that the company believes was carried out in connection with industrial espionage.
In Smart Cities
In Aug. 2018, smart-city products from three companies (Libelium, Echelon and Battelle) were discovered to have easily exploitable vulnerabilities that could allow hackers to commandeer sensors and access data for malign purposes.
If anything connected to the internet can potentially be hacked, and IoT devices are connected to the internet, then they too can potentially be hacked.
The 7 Trillion Dollar Question is: how can we protect these 30 billion IoT devices?
Let’s start with the basics and follow these rules:
The 10 Commandments of IoT Security
Institute practical but effective cybersecurity policies
Implement clear operating rules and guidelines
Establish a layered but interconnected security approach
Always remember that prevention is better than remediation – set up strong passwords, encrypt when possible, disable UPnP and unused ports (physical & logical)
Thou shalt not connect to a promiscuous network nor to your neighbor’s Wi-Fi
Conduct real-time vulnerability assessments & audits
Enforce compliance control combining processes and tools
Implement an IoT device management system
Implement IoT device endpoint security
Follow regulations and industry standards specific to your requirements
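Several of the commandments above (strong passwords, encryption where possible, UPnP disabled, unused ports closed) can be checked mechanically against a device inventory. The following audit script is an added example written for this article, not code from the webinars or from any vendor; the inventory record format, the field names, the placeholder default-password list and the two sample camera records are all constructed for the illustration.

```python
"""Configuration audit of IoT device inventory records against basic rules.

Added example (not from the article). Every device record is checked for:
strong, non-default password; encrypted management interface; UPnP off;
no open ports beyond the ones the device actually needs.
The record format, field names and sample devices are constructed here.
"""
from dataclasses import dataclass

# Constructed placeholder list standing in for vendor default passwords;
# a real audit would load the organisation's own list of known defaults.
PLACEHOLDER_DEFAULTS = {"admin", "password", "12345678", "default"}
MIN_PASSWORD_LENGTH = 12


@dataclass
class Device:
    name: str
    username: str
    password: str
    encrypted_management: bool   # True = HTTPS/SSH only, False = HTTP/Telnet
    upnp_enabled: bool
    open_ports: set[int]         # ports observed listening on the device
    required_ports: set[int]     # ports the device needs for its job


def audit_device(dev: Device) -> list[str]:
    """Return the rule violations for one device; an empty list means compliant."""
    findings = []
    pw = dev.password.lower()
    if pw in PLACEHOLDER_DEFAULTS or pw == dev.username.lower():
        findings.append("default or username-derived password")
    elif len(dev.password) < MIN_PASSWORD_LENGTH:
        findings.append(f"password shorter than {MIN_PASSWORD_LENGTH} characters")
    if not dev.encrypted_management:
        findings.append("management interface not encrypted")
    if dev.upnp_enabled:
        findings.append("UPnP enabled")
    unused = sorted(dev.open_ports - dev.required_ports)
    if unused:
        findings.append("unused ports open: " + ", ".join(map(str, unused)))
    return findings


def audit_inventory(devices: list[Device]) -> dict[str, list[str]]:
    """Map each device name to its findings so a report can be generated."""
    return {d.name: audit_device(d) for d in devices}


# Constructed sample inventory: a weak camera record and its hardened counterpart.
WEAK_CAMERA = Device(
    name="cam-lobby", username="admin", password="admin",
    encrypted_management=False, upnp_enabled=True,
    open_ports={23, 80, 554, 1900}, required_ports={554},
)
HARDENED_CAMERA = Device(
    name="cam-lobby-hardened", username="camops", password="x7!Qe2#pLm9vR",
    encrypted_management=True, upnp_enabled=False,
    open_ports={443, 554}, required_ports={443, 554},
)

if __name__ == "__main__":
    for name, findings in audit_inventory([WEAK_CAMERA, HARDENED_CAMERA]).items():
        status = "COMPLIANT" if not findings else "VIOLATIONS"
        print(f"{name}: {status}")
        for f in findings:
            print(f"  - {f}")
```

Running the script lists four violations for the weak record (default password, unencrypted management, UPnP on, ports 23, 80 and 1900 open without need) and none for the hardened one; the same checks can be run on every export of the device management system so drift is caught continuously rather than at the next manual audit.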
Then last week, on my Cybertalk, I discussed the 11th rule: “The antidote against AI-based attacks -- is an adaptive AI-based SIEM; capable of governing and orchestrating both your physical and cyber security domains…”
As more and more IoT devices are pushed into the connected world, artificial intelligence and machine learning will play an important role on all fronts of cybersecurity. With more sophisticated vulnerability exploits coming out each day using advanced AI and ML algorithms, modern threat management systems must employ the same technological antidotes to defend their frontiers. Failure to do so would leave an organization a feeding ground for more sophisticated, organized cyber criminals, and, sad to say, more often than not the global criminal justice system is not ready to prosecute a perpetrator sitting in a basement on the other side of the world.
Since viruses nowadays use enhanced polymorphic and metamorphic capabilities, that is, the ability to mutate every 10 seconds, they can easily inject themselves deep within your network without being detected. Traditional protection tools will not be able to cope with these AI-based viruses. Like a time bomb, hackers, cyber terrorists, and ill-intentioned nations will take advantage of these AI technologies -- just waiting for the right time and the right target.
I’m also predicting that, in the future, war will be fought in cyberspace. Rather than bombing cities and killing people, individuals, groups, organizations, and great nations will use AI and robots to wage war for whatever vile intentions and interests they may have.
Intelligent machines can be used for the good, the bad, and the ugly.
Now how can we defend ourselves and our organizations against these modern-day threats?
First, we need to address a fundamental error: the mindset that divides physical and cyber security. Most traditional organizations still keep the realms of physical and cyber security separate. As Scott Borg, the Director and Chief Economist of the U.S. Cyber Consequences Unit, has said, “As long as organizations treat their physical and cyber domains as separate, there is very little hope of securing either one.” In the future, my bet is that organizations will finally realize the value of a synergized physical and cyber security model. Failure to do so will have severe negative consequences.
To this end, I propose an AI-based Total Security Protection Model, considering both the Physical and Cyber domains.
1. Information & Physical Threat AI Analytics - traditional vulnerability assessments will no longer cut it, simply because of the time you need to run the whole process. Nowadays, a continuous, always-online audit process must be used, and it must include extensive coverage of non-traditional systems, specifically those that interact with your OT (Operational Technology) systems on the manufacturing floor, as well as the other physical security systems in your organization such as your CCTVs.
2. Information & Physical Security Monitoring AI - monitoring both your physical and cyber world will increase your chance of protecting both. No amount of cybersecurity software can protect you against espionage and sabotage if somebody has physical access to your crown jewels; there is simply no way you can guarantee that they cannot be stolen. That is a basic rule.
3. Automated Incident Response - if a security breach occurs, your Security Operations Center must be able to act and react fast against these AI-based attacks, such as viruses that change or mutate in seconds. Traditional security incident management tools will not cut it. It would be like putting out a fire with a water pistol.
4. Automated Control & Mitigation - your systems must be equipped with a self-protection mechanism: the ability to lock themselves down, quarantine themselves, or perform sandbox detonation of payloads so you can identify unusual threat patterns. All of this must happen in a matter of seconds, as this is a race for speed, processing, and intelligence.
5. Prescriptive Security Analytics - your risk assessment and threat analytics must be in real time; therefore, prescribing controls must also be done in real time.
6. AI-based Remediations - if prescribed controls are in real time, then it is naturally fitting that remediations must be automated, considering threats to both your physical and cyber domains. However, you can only do this with a combination of robots and AI, as keeping up with this task is not humanly possible.
7. Adaptive SIEM (Security Information & Event Management) powered by AI - everything must be governed by an AI-powered SIEM acting as a central orchestrator running at unprecedented speed. Again, this is a race for speed, processing, and intelligence; polymorphic and metamorphic viruses are already mutating every 10 seconds, and they will only get faster in the future, so we need to catch up!
In the past, you would typically get a report of your vulnerabilities, slap some hands, patch the vulnerabilities, and go on with your life. Since exploits using AI and ML mimic very normal activity patterns, which may not be easily discernible by an untrained human or a traditional threat protection system, advanced tools must be used to perform discovery audits that autonomously discern these new AI viral patterns. An adaptive SIEM powered by AI will be your best chance.
In conclusion, the antidote against an AI-based attack is an adaptive AI-based SIEM, capable of governing and orchestrating both your physical and cyber security domains. With that, I would like to leave you with this simple question: “Are you prepared for the AIoT cyber warfare? If not, you had better be.” The best time to plant a tree was 20 years ago, and the next best time is NOW!
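Steps 3 and 4 above (automated incident response and automated control and mitigation) and the Mirai case earlier in the article can be tied together in a small detection rule: spot a burst of failed logins against one IoT device from one source, the pattern a default-credential worm produces, and emit a containment action the moment the threshold is crossed, escalating if a login then succeeds. The script below is an added example written for this article, not the author’s tooling or any SIEM product; the log line format, the thresholds, the device names and the source addresses (taken from the RFC 5737 documentation ranges) are all constructed.

```python
"""Default-credential login-burst detection with an automated containment action.

Added example (not from the article). Parses constructed authentication log
lines, keeps a sliding window of failed logins per (source, device) pair and
raises an alert with a recommended action when the burst threshold is hit.
A successful login after a flagged burst escalates to device quarantine.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<iso-timestamp> <device> auth: <Failed|Accepted> login for <user> from <ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) auth: (?P<result>Failed|Accepted) login "
    r"for (?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)$"
)
WINDOW = timedelta(seconds=60)   # sliding window length (constructed threshold)
FAIL_THRESHOLD = 5               # failures from one source at one device inside WINDOW

# Constructed sample log: a credential-guessing burst against a camera that ends
# in a successful login, plus a benign slow retry against a thermostat.
SAMPLE_LOG = """\
2020-10-10T09:12:01Z cam-lobby auth: Failed login for admin from 203.0.113.7
2020-10-10T09:12:02Z cam-lobby auth: Failed login for root from 203.0.113.7
2020-10-10T09:12:02Z cam-lobby auth: Failed login for user from 203.0.113.7
2020-10-10T09:12:03Z cam-lobby auth: Failed login for support from 203.0.113.7
2020-10-10T09:12:04Z cam-lobby auth: Failed login for service from 203.0.113.7
2020-10-10T09:12:05Z cam-lobby auth: Accepted login for root from 203.0.113.7
2020-10-10T09:30:00Z thermostat-2 auth: Failed login for admin from 198.51.100.4
2020-10-10T09:45:00Z thermostat-2 auth: Accepted login for admin from 198.51.100.4
"""


def parse_line(line: str):
    """Return a dict for a well-formed line, or None for anything unparseable."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(log_text: str) -> list[dict]:
    """Scan log lines in order; return alerts, each carrying a recommended action."""
    alerts = []
    failures = defaultdict(deque)   # (src, device) -> deque of (ts, user) failures
    flagged = set()                 # pairs already alerted as a burst
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["src"], ev["device"])
        window = failures[key]
        if ev["result"] == "Failed":
            window.append((ev["ts"], ev["user"]))
            while window and ev["ts"] - window[0][0] > WINDOW:
                window.popleft()    # drop failures older than the window
            if len(window) >= FAIL_THRESHOLD and key not in flagged:
                flagged.add(key)
                users = {u for _, u in window}
                alerts.append({
                    "severity": "high", "device": ev["device"], "source": ev["src"],
                    "reason": f"{len(window)} failed logins across {len(users)} usernames "
                              f"within {int(WINDOW.total_seconds())}s",
                    "action": "block_source",   # deny the source at the device / edge
                })
        elif key in flagged:
            # Success right after a flagged burst: assume the device is compromised.
            alerts.append({
                "severity": "critical", "device": ev["device"], "source": ev["src"],
                "reason": f"successful login for {ev['user']} after credential-guessing burst",
                "action": "quarantine_device",  # isolate the device and rotate its credentials
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"[{alert['severity']}] {alert['device']} <- {alert['source']}: "
              f"{alert['reason']} => {alert['action']}")
```

On the sample log the rule fires twice for the camera (a high-severity block on the fifth failure, then a critical quarantine when the root login succeeds one second later) and stays silent for the thermostat, whose single failure and much later success fall outside the window. The action field is what an orchestrating SIEM would hand to the firewall or NAC system; the decision itself takes milliseconds, which is the point the article makes about speed.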