ISF says containing the chaos caused by such an attack will require coordination by central governments through their national critical national infrastructure programs. Individual organizations must also understand the extent of their reliance on the internet and have plans in place to address the risk of attacks that recur on a relatively frequent basis.
The ISF recommends you do the following:
- Engage with internal and external stakeholders to agree to alternative methods of communication
- Develop relationships with regional bodies (e.g., governments, competitors, industry forums) to create new, standardized contingency plans for when internet communications fail
- Assess communications providers' contingency plans; insist that they align with standardized or organizational plans , while partnering to ensure gaps are addressed
- Plan for alternative supply chain models for critical systems and services
Ransomware hijacks the internet of things
Criminals are increasingly profiting from ransomware — encrypting a victim's data and then demanding payment for the encryption key. According to a report released by Symantec last year, the average ransoms for data demanded by criminals jumped from $294 in 2015 to $679 in 2016. And the U.S. Federal Bureau of Investigation (FBI) estimated last year that cybercriminals would generate about $1 billion in revenue from ransomware by the end of 2016.
The ISF believes that over the next two years, cybercriminals will increasingly focus their ransomware efforts on smart devices connected to the Internet of Things (IoT). Attackers may hold specific devices for ransom, but the ISF believes they will also use the devices as gateways to install ransomware on other devices and systems throughout organizations.
Such attacks have the potential to disrupt business operations and automated production lines. But they could also prove deadly if they affect medical implants or vehicle components.
"Medical devices, manufacturing, we've put all of these 'things' out there," Durbin says. "Driverless cars, transportation, railways, financial services. We've embedded smart devices in all these areas, but we never really thought things through to this next stage. All of these things are out there in the real world. It's a bit like shutting the stable door after the horse has bolted."
Durbin says manufacturers of connected devices need to work with their customers to address security vulnerabilities and, at minimum, ensure that basic security features are always enabled. All organizations need to identify how they currently use connected devices, how they plan to increase use in the future and what the impact would be if one or more devices are affected by ransomware.
The ISF recommends you take the following actions:
- Apply pressure on manufacturers (e.g., via industry bodies) to build comprehensive security features into devices.
- Engage with industry bodies to lobby for (and influence) regulation ensuring minimum security standards for IoT devices.
- Raise the profile of the ransomware threat across your organization and mandate minimum security requirements for procurement of IoT devices.
- Incorporate IoT-related ransomware scenarios into your business continuity planning and run regular simulations.
- Collaborate with manufacturers and customers to gather threat intelligence about the IoT devices you use.
Privileged insiders coerced into giving up the crown jewels
Sign up for CIO Asia eNewsletters.