Indirect vs. Direct Attacks Involving IoT Devices
It’s important to differentiate between two types of attacks on IoT devices: 1) indirect attacks vs. 2) direct attacks. In ‘type 1’ indirect attacks, the goal of compromising IoT devices is to use them to conduct cyberattacks against other external targets. In ‘type 2’ direct attacks, the goal is to conduct some sort of ‘local malfeasance’ right there at the device itself—such as to cause some malfunction or physical damage to the machine/environment that the device is embedded in, or steal data from the machine, or surveil the environment, or gain entrance to the facility, or perpetrate other types of misconduct right there at the device or its immediate vicinity.1
A high-profile example of a ‘type 1’ indirect attack was the DDoS (Distributed Denial of Service) attack against Dyn (a major DNS service provider) in October 2016. This attack exploited security weaknesses in tens of millions of IoT devices to create a botnet that generated over 1 TB/second of traffic aimed at overwhelming Dyn. This made dozens of major internet sites (e.g. Amazon, Twitter, Netflix) and other internet services unavailable to users across large areas of North America and Europe.
Lack of Market Incentives for Strong Security
- Multi-layered approach
- Security designed in from the start
- Security for legacy and limited resource devices
- Granular and scalable security
- Protect against social engineering and insider malfeasance
- Encourage robust, independent security testing
- Prioritize security investments
