Thursday, 16 March 2017 09:49

IoT security – should Australia regulate?

Image: Shutterstock, courtesy Neustar

The Internet of Things (IoT) is one of the hottest growth areas with major benefits for big data and analytics. But many of these devices are vulnerable and have been harnessed for some of the largest DDoS attacks in history. Should Australia legislate for security as, say, Europe has recently done?

A worry for both companies and users is that there are few measures put in place by device makers to mitigate the threat or provide protection against an attack.

Many device manufacturers design IoT products as “set-and-forget” where security is an afterthought. This is especially worrisome considering the long lifespan of many white goods and other household smart devices that do not receive the same regular operating updates as smartphones, leading to a greater risk of a breach.

iTWire spoke to Robin Schmitt, general manager Australia at Neustar, for his take on the issues. Neustar provides real-time information and analytics for the Internet, telecommunications, entertainment, and marketing industries, and is a provider of clearinghouse and directory services to the global communications and Internet industries.

“It almost goes without saying that as the rate of IoT devices in the mass market increases exponentially, the risk of security breaches also rises. A recent Neustar report into DDoS attacks found that 61% of organisations are already using IoT devices,” Schmitt said.

Of those companies adopting IoT, 82% have been attacked in the past year versus just over half of companies not using IoT devices. Research firm Ovum says there are at least 500,000 vulnerable devices already in the market. Ironically, Forrester Research predicts that more than 500,000 IoT devices will suffer a compromise this year.

Q. Why are connected devices so vulnerable to DDoS attacks?

A worry for both companies and users is that there are currently few measures put in place by device makers to mitigate the threat or provide protections in the event of an attack.

For example, many devices share a common flaw in that they are configured and shipped with the same well-known and weak user IDs and passwords common to all devices of each model. In addition, some devices are built using a third-party component where the default user ID and password are hardcoded and cannot be updated or changed by the user.

Once vulnerable devices are found and the security deficiency exploited, it becomes near impossible to prevent infection without issuing a security update or recalling the affected devices, incurring significant costs to the manufacturer. Also, rolling out firmware updates can be difficult as many devices are not designed to be easily updateable.
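The two flaws Schmitt describes (one well-known login shared by every unit of a model, and defaults that cannot be changed) are avoidable at provisioning time. The following is an added example, not Neustar's or iTWire's code: it provisions a unique random initial password per device, forces a change at first login, refuses weak or factory-default replacements, and gives the vendor a fleet audit that flags any unit still answering to a known default or never reset since shipping. The `FACTORY_DEFAULTS` set and the serial numbers are constructed for illustration.

```python
"""Per-device credential provisioning and fleet audit (added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed blacklist standing in for a vendor's own list of factory defaults.
FACTORY_DEFAULTS = {("admin", "admin"), ("root", "root"), ("user", "1234")}
MIN_PASSWORD_LEN = 12


@dataclass
class Device:
    serial: str
    username: str
    password_hash: str               # salted PBKDF2 hash, never the clear text
    salt: str                        # hex-encoded random salt, unique per device
    must_change_on_first_login: bool = True


def hash_password(password: str, salt: str) -> str:
    # PBKDF2-HMAC-SHA256; iteration count chosen for illustration only
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt), 100_000
    ).hex()


def provision(serial: str, username: str = "admin") -> tuple[Device, str]:
    """Create a device record with a unique random initial password.

    Returns the record and the one-time password to print on the unit's label,
    so no two units leave the factory sharing a login."""
    initial = secrets.token_urlsafe(12)
    salt = secrets.token_hex(16)
    return Device(serial, username, hash_password(initial, salt), salt), initial


def verify(dev: Device, password: str) -> bool:
    # constant-time comparison of the stored and candidate hashes
    return hmac.compare_digest(dev.password_hash, hash_password(password, dev.salt))


def is_acceptable_new_password(username: str, password: str) -> bool:
    return (username, password) not in FACTORY_DEFAULTS and len(password) >= MIN_PASSWORD_LEN


def first_login(dev: Device, supplied: str, new_password: str) -> bool:
    """Accept the label password once, then require a replacement.

    Returns False if the supplied password is wrong or the replacement is a
    known default or too short; the device stays in must-change state."""
    if not verify(dev, supplied):
        return False
    if dev.must_change_on_first_login:
        if not is_acceptable_new_password(dev.username, new_password):
            return False
        dev.salt = secrets.token_hex(16)            # fresh salt on every change
        dev.password_hash = hash_password(new_password, dev.salt)
        dev.must_change_on_first_login = False
    return True


def audit_fleet(fleet: list[Device]) -> dict[str, list[str]]:
    """Fleet audit for the vendor or operator.

    'default': units whose current password is a known factory default.
    'unchanged': units never reset since shipping (label password still valid)."""
    report: dict[str, list[str]] = {"default": [], "unchanged": []}
    for dev in fleet:
        if any(u == dev.username and verify(dev, p) for u, p in FACTORY_DEFAULTS):
            report["default"].append(dev.serial)
        if dev.must_change_on_first_login:
            report["unchanged"].append(dev.serial)
    return report


def make_legacy_device(serial: str, username: str, password: str) -> Device:
    """Constructed 'bad practice' unit: shipped with a shared default login."""
    salt = secrets.token_hex(16)
    return Device(serial, username, hash_password(password, salt), salt)


if __name__ == "__main__":
    dev, label_pw = provision("SN-0001")
    assert first_login(dev, label_pw, "long-unique-passphrase-42")
    legacy = make_legacy_device("SN-LEGACY", "admin", "admin")
    print(audit_fleet([dev, legacy]))   # flags SN-LEGACY under both headings
```

The audit only tests each unit against the vendor's own default list, so it finds exactly the shipped-default pattern without needing the clear-text passwords of healthy devices; a unit that was provisioned uniquely but never reset still shows up under `unchanged`.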

Q. Who is most at risk of an IoT botnet attack?

Generally, those industries with the least investment in DDoS detection or mitigation are the most vulnerable to threats. E-commerce platforms are under particular threat, as revenue is directly and significantly impacted by DDoS attacks.

Companies of all sizes can fall prey to a DDoS attack. However, technology companies, retail and financial services are particularly vulnerable due to the substantial financial gains to be made for the attackers.

Q. Will the number and volume of IoT botnet attacks continue to increase this year?

IoT ecosystems need gateways to communicate between devices and each additional gateway is another attack surface for potential security hacks. As the number of IoT devices in use rises dramatically over the next decade, this offers a lucrative means for botnet herders to seize more and more vulnerable devices to hit organisations with higher volume DDoS attacks.

According to a recent Neustar report into cyber security trends, organisations globally experienced peak multi-vector attack sizes much greater last year than in 2015. In fact, the average size of maximum monthly peak sizes was more than double the largest monthly attack averages in 2015. This reflects, in part, a higher potency of attack strength mustered by powerful vector combinations and new attack methods involving IoT botnets.

Q. Is government intervention necessary?

Europe is at the forefront of global IoT regulation, with moves already in progress to provide a framework for better regulation of connected devices. Last October, the European Commission reported it was drafting new security legislation for IoT devices, which would include a certification system notifying consumers of the level of security of their device. The certification would be comparable to Europe’s current energy efficiency rating system for whitegoods and electronics.

The aim of the proposed regulation is to mitigate cyber security risks and ensure consumer confidence in IoT devices, particularly considering Europe’s plans to boost Internet speeds over the next decade.

In the wake of the recent high-profile, high-volume DDoS botnet attacks, such as the global attack on Dyn and the attack on security writer Brian Krebs’ website, this is a step in the right direction.

Time will tell if Australian lawmakers decide to follow in the footsteps of Europe in developing a set of standards to combat the increasing threat of botnets. Certainly, there is a need for it given the spread of attacks globally, including in Australia.

IoT needs standards and certifications, to help propagate best practice, improve quality and implement security controls. As the IoT industry continues to evolve, collaborating openly and adopting standards and introducing certifications will strengthen the industry.

Q. At the enterprise level, how can organisations ensure better security?

Worryingly, Australia and the rest of APAC fall behind global counterparts in relation to DDoS protection, with almost half of all APAC organisations taking on average over three hours to detect a DDoS attack and an extra three hours to respond.

This is alarmingly higher than global averages. Understanding the changing risk profile is key, particularly when faced with the knowledge that network outages during peak times can cost almost half of all organisations $100k or more. Organisations should review the risk imposed and consider varying their defences in line with increased risk exposure. Right-sizing the investment is vital.



Ray Shaw


Ray Shaw has had a passion for IT ever since building his first computer in 1980. He is a qualified journalist, hosted a consumer IT based radio program on ABC radio for 10 years, has developed world leading software for the events industry and is smart enough to no longer own a retail computer store!


