A hacker recently shut down Bycyklen, Copenhagen’s public city bikes system, forcing employees to hunt down and manually reboot the Android tablet attached to every bike. The company said that restoring all bikes to working order would “take some time”. Naturally, the costs of restoration will be significant.
This is just one example of the tremendous financial cost that can result from malware being allowed to infect IoT devices.
Return on Security Investment calculation
Cybersecurity managers have long used the Return on Security Investment (ROSI) method to measure the cost-effectiveness of their security operations, justify their budget and provide supportive arguments for their next budget claim. Unlike other business investments, security does not fall under the classic return on investment calculation:
The reason for this is that security is not usually an investment that provides profit, but rather an investment designed to prevent loss.
As such it is usually calculated in the following manner:
This is quite a standard calculation that has been around for a while, but how does it apply to IoT?
To answer this, we need to estimate the cost of a single incident and multiply it by the probability of the incident occurring. The costs of an IT-related cyber incident have been debated in the past. Potential factors include downtime, the cost of stolen or lost records, theft of money and IP and more. But what are the costs of an IoT-related attack?
To find out, a group of researchers from UC Berkeley examined the famous Mirai botnet attack in order to gauge its commercial impact on consumers. They began by running a simulated attack on the same types of devices that were susceptible to Mirai, including cameras, DVRs and routers. They then measured the additional energy and bandwidth consumption, and multiplied it by the cost of power and bandwidth at different locations and times of day. Finally, they added the additional costs resulting from lost productivity and the need to repair or replace all of the faulty devices. (The actual cost per device varied according to the DDoS attack type and duration.) Their calculations showed that, on average, the attack cost each device owner $13.50.
Differentiating between a one-time attack and perpetual malware
However interesting this may be, the calculation is somewhat irrelevant to real-world, commercial IoT deployments and corresponding risks. The UC Berkeley researchers examined the impact of IoT devices’ participation in a denial of service attack — a relatively short-term activity that lasts only a matter of hours. In contrast, most malware targeting IoT devices works continuously to infect other machines. As such, the devices consume additional power, CPU and bandwidth, and wear out much more quickly than a device that is just used for one, albeit exhausting, attack. Devices engaged in cryptocurrency mining also suffer from ongoing resource consumption and wear-and-tear.
Infected IoT devices constantly try to infect other devices or use their resources to mine crypto. The result is that they are less capable of performing the task they were designed for, be it capturing facial images, recording license plate numbers, or any other task that demands processing and computing power.
Naturally, devices that are constantly communicating are less available, and bottlenecks and disconnections sometimes occur, reducing availability further. Service providers are required to deliver a certain level of availability and could face fines if they fail to meet these criteria.
IoT devices that are in constant operation suffer greater wear and malfunction sooner. The cost of malfunction mostly comes from the cost of the human technician required to physically access the device.
Some aggressive malware types intentionally “brick” devices and are even resilient to rebooting. If this happens, the device will need to be fixed in a lab or replaced altogether.
In addition to the direct costs listed above, there can be significant indirect costs associated with IoT infection. These include ransomware payments for the unlocking of critical IoT devices, and liability/legal costs resulting from a large-scale IoT deployment being utilized to attack another entity.
As we’ve seen, infected IoT devices can have a substantial commercial impact on IoT service providers. The larger the IoT deployment, the greater the risk and potential for financial loss. To mitigate the financial and operational risk, IoT service providers must deploy real-time detection and mitigation solutions that enable quick remediation of cyber threats before they can infect large portions of the IoT solution and result in massive monetary losses.
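The cost categories listed above can be fed into the ROSI method described earlier to compare a one-time attack with a persistent infection across a fleet. The following Python code is an added example, not part of the original article: it assumes the common formulation ROSI = (annual loss expectancy x mitigation ratio - solution cost) / solution cost, and every figure except the $13.50 per-device DDoS cost is constructed for illustration.

```python
import math
from dataclasses import dataclass

@dataclass
class InfectionCosts:
    """Per-device cost of one persistent infection (USD), by the article's categories."""
    resources: float     # extra power, CPU and bandwidth
    degraded: float      # reduced capacity for the device's real task
    sla_penalty: float   # availability fines
    technician: float    # cost of one site visit
    p_visit: float       # share of infected devices needing a visit
    replacement: float   # lab repair or replacement of a bricked device
    p_bricked: float     # share of infected devices that get bricked

    def per_device(self) -> float:
        return (self.resources + self.degraded + self.sla_penalty
                + self.p_visit * self.technician
                + self.p_bricked * self.replacement)

def loss_per_device_year(cost_per_infection, infected_share, incidents_per_year):
    """Expected yearly loss for one deployed device."""
    return cost_per_infection * infected_share * incidents_per_year

def rosi(ale, mitigation_ratio, solution_cost):
    """ROSI = (loss avoided - solution cost) / solution cost."""
    return (ale * mitigation_ratio - solution_cost) / solution_cost

def break_even_fleet(loss_dev_year, mitigation_ratio, fixed_cost, cost_per_device):
    """Smallest fleet with ROSI >= 0, or None if the control never pays back."""
    margin = loss_dev_year * mitigation_ratio - cost_per_device
    return math.ceil(fixed_cost / margin) if margin > 0 else None

# Constructed sample figures (assumptions), not measurements.
PERSISTENT = InfectionCosts(20.0, 15.0, 10.0, 120.0, 0.25, 200.0, 0.05)
ONE_TIME_DDOS = 13.50  # per-device figure cited in the article
FLEET, INFECTED, INCIDENTS = 10_000, 0.2, 0.5
MITIGATION, FIXED, PER_DEVICE = 0.8, 20_000.0, 2.0

def evaluate(cost_per_infection):
    """Return (ROSI for the sample fleet, break-even fleet size)."""
    ldy = loss_per_device_year(cost_per_infection, INFECTED, INCIDENTS)
    solution = FIXED + PER_DEVICE * FLEET
    return (rosi(ldy * FLEET, MITIGATION, solution),
            break_even_fleet(ldy, MITIGATION, FIXED, PER_DEVICE))

if __name__ == "__main__":
    print("persistent:", evaluate(PERSISTENT.per_device()))
    print("one-time:  ", evaluate(ONE_TIME_DDOS))
```

With these constructed inputs the control pays back against persistent infection once the fleet reaches 4,167 devices, while the one-time DDoS cost alone never covers the per-device price of the control.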