Adhering to International Standards is the most effective way to stay one step ahead in the fight against cyber crime.
Challenges in cyber security are evolving continuously as an ever-growing number of connected devices and smart technologies are incorporated into our homes and workplaces. In the past decade we have gone from worrying about protecting our computers and smartphones to being aware of the risks that refrigerators, thermostats, industrial machines and other systems pose to network security.
As defined by ISO/IEC, the Internet of Things (IoT) is “an infrastructure of interconnected objects, people, systems and information resources together with intelligent services to allow them to process information of the physical and the virtual world and react.” It covers everything from household appliances to connected cars to widgets in nuclear power plants (NPPs).
A key issue is that in industrial environments the once separate domains of Information Technology (IT) and Operational Technology (OT) have been converging in the Industrial IoT (IIoT) with the growth of connected devices. This has made cyber security intrusions and threats more difficult to detect and prevent.
IHS Markit expects the number of connected IoT devices worldwide to jump from nearly 27 billion in 2017 to 125 billion in 2030. An increase in the number of connected devices means more potential vulnerabilities for cyber criminals to exploit.
According to a recent report, 978 million victims lost $172 billion to cyber crime in 2017. Most risk professionals believe that a data breach or cyber attack caused by insecure IoT devices could be “catastrophic” for their organization.
Tools like the IoT search engine Shodan have made it easier than ever before for hackers to pinpoint vulnerable devices on a network. They might be looking for refrigerators, heating systems or, in the case of hackers targeting a casino in North America, a fish tank.
The casino hackers were able to transfer 10 GB of data, including the bank account details of wealthy patrons, out of the network via a smart thermostat and up to the cloud. The crux of the matter is that, when connected to a network, any device with weak security poses a risk to the whole organization.
Malware gives hackers an even quicker route into a network if their targets can be tricked into opening infected documents. Secret papers leaked last year revealed that CIA agents regularly use malware to turn connected televisions into bugging devices.
Sometimes called Industrial IoT, operational technology (OT) refers to hardware and software that controls physical processes, industrial devices and infrastructure. For example, the manufacturing industry is fast proving a popular target for hackers as it becomes better connected.
Elsewhere, protecting energy security and critical energy infrastructure against cyber attacks is rapidly emerging as an absolute priority. A May 2017 report by the FBI and Homeland Security warned that hackers were penetrating the computer networks of nuclear power stations and other energy facilities in the US and around the world.
Seven months later, in December 2017, a cyber attack shut down a power plant, believed to be in Saudi Arabia. Attacks targeting nuclear power plants (NPPs) could have devastating consequences for the entire power network and could even trigger an environmental catastrophe.
The IEC has issued 235 OT and IT security-related publications. Some 160 have been developed in cooperation with ISO, including the ISO/IEC 27000 family of Standards.
Staying one step ahead
In the fight against cyber crime it is of critical importance to understand if, when and how an intrusion into a network, system or application occurs. Security systems must be able to identify which vulnerability was exploited, so that the right checks and controls can be put in place to prevent similar intrusions in the future.
“Technology breeds crime and we are constantly trying to develop technology to stay one step ahead of the person trying to use it negatively,” says Frank Abagnale, a man who knows a thing or two about the criminal psyche. Abagnale, whose life story became the subject of a film by Steven Spielberg, worked for the FBI and a host of organizations as a security consultant, but in his youth was one of America’s most wanted criminals.
Adhering to International Standards is the most effective way to stay one step ahead. They provide a robust and reliable framework for cyber security, based on best practices identified by the leading industry and technology experts around the world.
While organizations must continue to be vigilant, they can at least count on International Standards for help. For example, the widely known ISO/IEC 27000 family of Standards provides a powerful framework for benchmarking against best practices in the implementation, maintenance and continual improvement of controls.