“How many of you or your staff had trouble getting on the internet Friday?”
That was how cybersecurity consultant Bryce Austin kicked off his talk Tuesday at SIMposium 2016, a big gathering of CIOs and IT execs at the Mohegan Sun resort in Connecticut, on the "Unintended Consequences of the Internet of Things."
Uncomfortable laughter ensued.
Austin, who then went on to make attendees even more uncomfortable, swears that even though his session didn't make the original program, it wasn’t added to the agenda as a result of the now notorious IoT-exploiting Dyn DDoS attack that unfolded Friday.
(Not that Society for Information Management members have been ducking the topic: Earlier this year SIM launched a Cybersecurity special interest group and just last week, SIM’s annual IT Trends Study was released, with cybersecurity a huge focus.)
Austin, who said no thanks to an internet-connected thermostat in his house, described one scary scenario in which bad actors could manipulate such devices to turn the temperature down and freeze your water pipes, or turn it way up and kill pets. Or scarier still, as one of his past presentation attendees suggested: What if a company trying to get a multibillion-dollar nuclear energy plant installed in a city created a brownout by turning down a bunch of thermostats by a few degrees, and convinced voters that way to fork over the tax money to pay for the unneeded facility?
“That’s pretty dark thinking, isn’t it,” Austin said. “Who would do that? Oh, Enron!”
TCE Strategy's Bryce Austin recommends asking your IoT vendor how its products communicate and why they communicate that way.
Austin said that awareness of security basics, such as avoiding default passwords like those that helped enable the Mirai botnet to flood Dyn's DNS last week, isn't a problem for the types of higher-up IT personnel attending SIMposium. The bigger challenge is figuring out just how big a threat such attacks could be to an organization as it heads into its budget cycle. He asked: "Is our company willing to accept that risk? Are they willing to spend more mitigating that risk? Or do they want to consider insuring against that risk?"
It should be interesting to see the legal fallout from last week's DDoS attack. "Who's responsible for this?" he asked.
It's also a good opportunity for IT organizations to talk to their CFOs about the changing security landscape, Austin said. "Security and maintenance are processes, they are not events, and they have to be [part of a budget process] that goes on every single year, for every single system we have," he said.