The Internet of Things garnered plenty of attention at the recent Consumer Electronics Show in Las Vegas, with a smorgasbord of connected devices on display. That is no surprise: almost $2 billion was spent on Internet-enabled devices for the home in 2014, and a report from the US National Security Telecommunication Advisory Committee predicts that there will be 50 billion such devices by 2020. The Internet of Things is big business, and everyone wants a piece of it.
There was, however, a sobering voice amid the excitement. Edith Ramirez, chairwoman of the US Federal Trade Commission, outlined the risks associated with the swelling numbers of connected devices and emphasised the technology industry’s duty to protect consumer data stored in, shared between, and transmitted by such devices.
But the Internet of Things also brings with it the potential for physical damage – to property and life – if devices and networks are not properly secured. Imagine, as Symantec CTO Amit Mital suggested, the possible consequences were hackers to gain control of automated thermostats, particularly in industry.
This scenario is not hard to imagine. Amid the media maelstrom surrounding the latest Sony hack, a major attack on a German steel mill over Christmas caused massive physical damage when it prevented a blast furnace from being properly shut down. Hackers gained access to the plant’s corporate network with a phishing attack, then moved into the production networks to take control of the systems operating the equipment. It was only the second time – after the Stuxnet digital weapon launched by the USA and Israel on an Iranian uranium enrichment plant in 2008 – that a cyber attack is known to have caused substantial physical damage in an industrial setting.
While it is unclear whether the damage was intentional, the case highlights the threat posed to industry by vulnerabilities in the Internet of Things. Autonomous vehicles exist and will be rolled out to the public in the coming years, and concerns have been raised as to the potential for chaos were systems to be hacked – but what about other industries, such as food manufacturing and refrigeration, or critical national infrastructure such as air traffic control?
Energy companies, for example, are now doubling as IT providers – a role for which they are not necessarily suitably equipped. Spain has seen commonly used smart meters easily hacked to reduce bills, but the potential for more damaging activity is obvious. One might expect large corporate or public sector organisations to have sophisticated systems in place, but much still depends on legacy infrastructure: recent reports revealed that retailers’ continued reliance on Windows XP, for which Microsoft has long since stopped fixing security issues, leaves consumer payment card data vulnerable.
The damage caused by a cyber attack can have far-reaching "ripple" effects, and apportioning liability for the physical damage and its consequences, both direct and indirect, is complex. Who, for instance, is to blame if shipments are missed, or contracts breached? Who is entitled to claim compensation, from whom, and in which jurisdiction?
Much will depend on the limitations and exclusions written into contracts, which can themselves be complicated by the international nature of supply chains. The attacked company in this situation has limited options for recovery, and may be left "holding the baby" as a result: the hackers, if they are ever identified, are unlikely to be worthwhile targets for compensation (unless the attack is found to have been corporate- or state-sponsored).
There is an emerging market for cyber insurance globally, so businesses may be covered for some risks. The scope of these new policies varies, though, and they have rarely been tested. Businesses must pay close attention to the wording and any exemptions that apply. Such due diligence should begin at the outset, when businesses are making their IT security arrangements, whether in-house or outsourced. It may be difficult to find an IT services provider that will accept a suitable liability cap: standard practice among providers is to insist on broad exclusions and tight caps on liability, given that the costs involved when a major security issue does arise can dwarf the price being paid for their solutions and services. Many SMEs, in particular, will accept standard pro-supplier terms, leaving them with little in the way of genuine protection should the worst happen.
If there is a lesson to be learned, it is that businesses need to more effectively separate corporate and production networks to prevent cross-contamination by malware and movement between one and the other by hackers.
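One way to express the segregation the article calls for, as an added illustration that is not code from the article or any named vendor: a small zone-policy model in which the corporate and production networks are separate zones, traffic between them is denied by default, and an audit function flags any rule that opens the whole production zone to the office network. The zone subnets, the jump-host address and the maintenance port are constructed sample values.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample zones: an office LAN and a production (OT) network.
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "production": ipaddress.ip_network("192.168.100.0/24"),
}

# A rule is (source, destination zone, destination port or None, action).
# Source is a zone name or "host:<ip>" for a single pinned host.
Rule = Tuple[str, str, Optional[int], str]

def zone_of(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), None)

def matches(rule: Rule, src_ip: str, dst_ip: str, dport: int) -> bool:
    src, dst, port, _ = rule
    src_ok = src[5:] == src_ip if src.startswith("host:") else zone_of(src_ip) == src
    return src_ok and zone_of(dst_ip) == dst and (port is None or port == dport)

def evaluate(policy: List[Rule], src_ip: str, dst_ip: str, dport: int) -> str:
    """First matching rule wins; unmatched traffic is denied by default."""
    for rule in policy:
        if matches(rule, src_ip, dst_ip, dport):
            return rule[3]
    return "deny"

def broad_exposure(policy: List[Rule]) -> List[Rule]:
    """Audit: rules that let a whole zone (not one host) into production on any port."""
    return [r for r in policy
            if r[3] == "allow" and r[1] == "production"
            and not r[0].startswith("host:") and r[2] is None]

# Flat network: the office LAN can reach production on any port, so a single
# phished workstation is already adjacent to the controllers.
FLAT_POLICY: List[Rule] = [("corporate", "production", None, "allow")]

# Segregated network: one hardened engineering host reaches the controllers on a
# single maintenance port; production may only push data outward to a historian.
SEGREGATED_POLICY: List[Rule] = [
    ("host:10.10.5.20", "production", 502, "allow"),  # constructed jump-host address
    ("production", "corporate", 443, "allow"),        # production-initiated upload only
    ("corporate", "production", None, "deny"),
]

if __name__ == "__main__":
    for name, pol in (("flat", FLAT_POLICY), ("segregated", SEGREGATED_POLICY)):
        print(name, evaluate(pol, "10.10.42.7", "192.168.100.10", 502), broad_exposure(pol))
```

The audit function is the piece worth keeping: run over a real rule set, it surfaces the zone-wide allow that turns a phished office machine into a foothold on the plant floor.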
Technology by itself is no defence against security threats. People remain key to security: staff awareness, training, and internal policies are paramount when the threat may be as simple as opening an e-mail attachment from an unknown sender or connecting over social media. The German steel mill incident was the result of a phishing attack – proof enough that human error can undermine any amount of due diligence and planning.
Authors: Alan Owens is Head of Technology at law firm DWF; Rob Sheldon is Partner and Joint Head of Privacy