Key U.S. government report outlines need to protect the IoT from Botnets

On May 22, 2018, the United States Secretary of Commerce and The Secretary of Homeland Security issued a report entitled “Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats.” The report is not just relevant for the U.S. government; it also offers a wealth of information that anyone considering the implementation of Internet of Things (IoT) projects should consider in order to avoid having their product and their reputation become a victim of these threats.The 51-page report notably identified the Internet of Things as a quickly growing vector for cyberattacks - including but not limited to distributed denial of service (DDoS) attacks - noting that botnets “overwhelm networked resources, sending massive quantities of spam, disseminating keylogger and other malware; ransomware attacks distributed by botnets that hold systems and data hostage; and computational propaganda campaigns that manipulate and intimidate communities through social media.”The scope of such attacks has largely outpaced the IT world’s ability to deal with them, and with the exponential increase in devices connected to the internet, DDoS attacks have now reached a level of almost one terabit per second, outpacing the ability of current measures to deal with them.The report identifies six principal themes that should be taken into account when considering how to prevent automated, distributed threats like botnets, whether they come from more traditional cyberattacks, or ones leveraging IoT devices. We list them here, as well as sharing our thoughts about how people implementing IoT security should address these concerns.

1. Automated, distributed attacks are a global problem. When devices are compromised, that can happen anywhere, and it often happens when they come from countries where security hasn’t been sufficiently designed into the product, either out of ignorance or a desire to cut costs. Device manufacturers or buyers sourcing from these manufacturers must judge whether or not these products have been sufficiently secured against attack. And as these attacks increase, having good security will ultimately become and important value proposition for manufacturers.When the security of these devices is critical to customer safety, your business model or your reputation, independent third-party labs like the Kudelski IoT Security Center of Excellence can provide you with tailored evaluations of these devices in order to ensure that you are fully aware of any threats they might represent, as well as advice on how to counter them.
2. Effective tools exist but are not widely used. While many sectors are already using best practices against distributed cyberattacks, many product development companies have failed to adopt them due either to either a lack of awareness, cost avoidance, insufficient technical expertise, or lack of perceived market incentive. But short-term gain is often erased by long-term losses when security problems down the road require companies to invest unexpected resources and money in resolving security problems that could have easily been prevented during the design phase. And the costs of remediation are often exponentially more than the costs of a good initial security design.In addition to security evaluations, the Kudelski IoT Security Center of Excellence also provides security design services, helping companies create solid, robust product designs that ensure that their short-term security investments lead to long-term gains.
3. Products should be secured during all stages of the lifecycle. A good security strategy considers the entire lifetime of the device, from design to end-of-life – a period that in some industries can exceed 30 years! Companies implementing IoT products must consider how they can evolve the security of their devices over time as threats evolve, using tools like secure firmware over the air downloads and the ability to update the keys, algorithms and parameters of the devices security system itself should it come under attack.The Kudelski IoT Security Platform offers powerful hardware- and software-based tools like these and many others to ensure the long-term sustainability of IoT security well into the future.
4. Awareness and education are needed. Both home and enterprise users need to be educated to demand better security from their device suppliers, as well as to take more responsibility for the implementation of reasonable security measures in the home or at the office. But as hardware-based security clients with secure roots are increasingly integrated into IoT devices during the design phase, they will form the foundation for a strong and robust security architecture that will protect consumers and enterprises from attack without having to take extra measures to secure their devices.The Kudelski Group’s recent announcement with Swiss cellular and GSM module manufacturer, u-blox, is one example of how designing in security from the start will benefit everyone in the entire IoT value chain and reduce the need for proactive actions by home and enterprise users. Because security will just be built in.
5. Market incentives should be more effectively aligned. Currently, product developers, manufacturers, and suppliers are taking a short-sighted view in an effort to reduce cost and time to market rather than design in security from the start and take a long-term security lifecycle management approach. This will only lead to an increase in distributed attacks as more and more unsecured devices can be leveraged to carry them out. This requires both regulation and certification regimes as well as natural market forces to incentivize good security design and practices. French initiatives like CSPN, for example, provide a basic framework for such certifications, and more such regimes are required around the world. Ultimately, having these certifications will help companies sell more product, as consumers and enterprises will trust companies that prove they care about security.In addition to its own security evaluations, the Kudelski IoT Security Center of Excellence can conduct CSPN-based device and ecosystem security audits in order to give companies a competitive advantage by claiming independent verification of the security their devices provide.
6. Automated, distributed attacks are an ecosystem-wide challenge. The report concludes by saying that no single stakeholder community can address the problem in isolation. While this is true, every device that is properly secured and managed using the right technology (root of trust, renewable security, robust and efficient key management, etc.) and the right strategies (security lifecycle management, managed security services) will be one less device that is participating in a botnet attack.As consciousness of IoT security increases around the world, more and more devices manufacturers will seek a competitive advantage and protect their business and their reputation by implementing sustainable IoT security by working with experts like the Kudelski Group, who bring more than 30 years of proven experience to high-value device, data and business model protection.

Whereas the report expresses security is currently considered a perceived burden and a cost by implementers, we believe that robust IoT security will quickly become a perceived benefit. As enterprises and consumers become increasingly aware of its importance, end-users will start to make more informed buying decisions and demand their IoT device and component suppliers build security into their products from the start and establish strong security lifecycle management strategies. Doing this will allow them to feature security as a unique competitive advantage when selling to their end customers. And only by doing this will it allow them to reap the benefits IoT has to offer while protecting against DDoS and other attacks.