
(A map of internet outages in Europe and North America caused by the Dyn cyberattack. Source: DownDetector.)
On Friday, October 21, the Internet flickered: a massive Distributed Denial of Service (DDoS) attack disrupted access to some of the Internet’s most important commercial sites, including Twitter, PayPal, Reddit, Netflix, Spotify, Comcast and Verizon. The attack was especially successful because it targeted a major domain name system (DNS) provider, Dyn, and because it operated through malware that dragooned Internet of Things (IoT) devices into a botnet that executed the directed DDoS attack. The attack was a reminder of the known vulnerabilities of IoT devices; it was also a wake-up call for the insurance industry at a time when the IoT seems a very promising strategic direction for the industry.
The attack has potentially serious implications for insurers, according to Donald Light, Director in Celent’s (Boston) North America Property/Casualty Insurance Practice. Light listed a few of those implications in a blog post entitled “It’s not Just Twitter’s Problem: What Insurers Need to Know about DDoS and the Snake in the IoT Garden of Eden”:
- An insurer with a Connected Home or Connected Business IoT initiative that provides discounts for web-connected security systems, moisture detectors, smart locks, etc. may be subsidizing the purchase of devices which could be enlisted in a botnet attack on a variety of targets. This could expose both the policyholder and the insurer providing the discounts to a variety of potential losses.
- If the same type of safety and security devices are disabled by malware, homeowners and property insurers may have increased and unanticipated losses.
- As insurers continue to migrate their front-end and back-office systems to the cloud, the availability of those systems to customers, producers, and internal staff may drop below acceptable levels for certain periods of time.
The promise of the Internet of Things is that it will bring greater safety and convenience to our lives; but—as with all technologies—it also brings added risks and added angles for attack, comments Jeffrey Goldberg, VP, Research & Consulting, Novarica (Boston). “IT security has always been an arms race between the security experts and the would-be hackers, but the more connected we grow and the more reliant we grow on that connection the higher the stakes become,” he comments. “In this case the results were downtime for major websites, but as IoT expands the systems at risk are not just websites but also physical residences, businesses, and vehicles.”
Insurers should expect further attacks, according to Craig Beattie, senior analyst in Celent’s Insurance practice. “Increasingly cyberattacks are becoming automated with tools sold on to the highest bidders or teams available for hire,” he says. “This is at least the second attack of its type and it would be foolish to think it won’t be repeated.”
The challenge insurers and other companies face in responding to DDoS attacks like that of Oct. 21 is that devices on legitimate networks are creating this traffic, Beattie notes. “Simply blocking IP addresses and certain types of traffic could turn off access for real customers to services they want access to,” he elaborates. “If the attacks become frequent we may see network operators turning to this to force people to deal with hijacked devices. I doubt this nuclear option will be operated.”
Firms looking to secure their internal networks have turned to detailed analytics and even machine learning to distinguish between normal and abnormal net behavior, according to Beattie. “It may be that in here lies the answer to spotting and responding to these attacks but right now it will be hard for anyone to deal with the scale and impact of these assaults,” he comments.
DDoS and the Future of Insurance IoT
The events of Oct. 21, 2016 do indeed have sobering implications for the future of insurance IoT, but that shouldn’t dissuade insurers from preparing to exploit the opportunity, Beattie suggests. The onus for making the IoT safe is on developers to harden their devices, he says.
“The fact is that many of the devices have rudimentary capabilities and little or no security,” Beattie explains. “This poses a threat in the shape of these attacks but also in exposing the data insurers and others hope to leverage. Much of this data could be dangerous in the wrong hands with footage from internet connected cameras an already well publicized privacy issue.”
The security of IoT devices is simply not as mature as it needs to be, and their vulnerability is a long-recognized problem, according to Beattie. “IoT has turned the Internet upside down in many ways with endpoints that are now capable of producing a great deal of data rather than just consuming it as in the days of the simple browser at the end of a dial up connection,” he comments. “We are in a new age of the Internet and the old models of protecting it and monitoring it are perhaps, no longer fit for purpose.”
Relearning the Same Security Lessons
The device security issue could even be seen as reason for hope, since the bar for improvement is so low. Existing measures are almost comically inadequate, for example the use of factory default passwords like “12345” or “password,” notes Mitch Wein, a VP of Research and Consulting at Novarica. “It appears that we need to relearn the same security lessons for each generation of connected devices: Passwords need to be changed frequently and should be in a pattern or phrase that cannot be guessed easily,” Wein comments.
“A focus on stronger security may make IoT devices more expensive or slow adoption in the short-run, but the long-term utility of IoT across economic sectors makes it likely that general adoption will proceed over the next decade and continue to supply new data and new opportunities for the insurance industry,” Wein adds.