Is It Time for Internet of Things Security Standards?

Late last week, our friends (and fellow Granite Staters) at Dyn were subject to a massive Distributed Denial of Service (DDoS) attack that affected websites like Netflix, Twitter, Spotify, CNN, and many more.  In a typical DDoS attack, a network of computers infected with malware (called a “botnet”) is coordinated into bombarding a server with traffic until the server shuts down under the strain.  What was remarkable about the attack was not that it happened, but the manner in which it was executed.

According to a blog post published by Dyn on Wednesday, the primary source of the attack was the Mirai botnet.  Unlike other botnets made up of computers, the Mirai botnet is largely made up of connected Internet of Things devices like cameras and DVRs.  The Chinese company Xiongmai Technology Co issued a statement after the attack indicating that their security cameras were used as part of the attack.

The security risks of the Internet of Things have been discussed at length, but the sophistication and scale of the DDoS attack on Dyn remind us how important this discussion is.  Today, our team installs intelligent LED Lighting systems that include hundreds of network-connected sensors.  As we work to expand beyond lighting systems and create intelligent buildings, this network of sensors will grow quickly to include thousands of points in a single facility, all network-connected and exchanging data.

In a global economy and a rapidly proliferating market, it is difficult to develop a security standard for Internet of Things devices; there are too many different manufacturers of devices and versions of software.  However, the manner in which the attack on Dyn was executed should make commercial facility owners and managers think about how and what they are procuring for their facility.  As the products in this market become more commoditized, the temptation to purchase low-cost products becomes greater.  Our team continues to witness the reliability issues of those types of products, but the potential security concerns associated with them present an even greater risk.  The rise in availability of products should increase the due diligence performed when selecting a building-wide system, not decrease it.

The DDoS attack on Dyn impacted several big websites, but it is easy to see how a botnet like Mirai could be used maliciously to impact a facility’s infrastructure.  Although we are supporters and early adopters of the possibilities that the Internet of Things brings to commercial facilities, we are also steadfastly committed to thorough product and manufacturer analysis before any purchasing decisions are made.  We encourage all of our customers to do the same.