gr - security economics in iot 150817- rel.1

Wireless Strategy & Business Development for the Connected World

Guide Report: Security Economics for IoT


Copyright © 2015 RMAC Technology Partners, Inc.

1

Attribution

Executive Editor: Clay Melugin Authored by Clay Melugin Contributors: Jim Riley, Gary Lizama Quality Assurance: Clay Melugin Published by RMAC Technology Partners, Inc. Copyright © 2015 RMAC Technology Partners, Inc. San Diego, California 92130 All rights reserved. No part of this report may be reproduced, in any form or by any means, without permission in writing from the publisher. Printed in the United States of America

Disclaimer RMAC Technology Partners, Inc. has made every reasonable effort to ensure that all information in this report is correct. We assume no responsibility for any inadvertent errors.

Revisions: 8/17/2015 v1.0 – Initial Public Release



2

Table of Contents

1 Introduction ........................................................................................................................ 3 2 Why Security is important in IoT ................................................................................. 4

Developer Intentions; ................................................................................................................... 4 Government Intentions on IoT Security; ................................................................................ 5

3 Economics of Security ...................................................................................................... 6 Components of Economic Risk ................................................................................................... 6 Data Breach Liability ..................................................................................................................... 6 Damages ............................................................................................................................................ 7 Company Devaluation or Destruction ..................................................................................... 8

4 Calculating the Economic Cost ...................................................................................... 9 Calculation Example: .................................................................................................................. 10

5 Summary ........................................................................................................................... 11

6 Learn More ....................................................................................................................... 12 7 Credits, Source Links & Disclaimer .......................................................................... 13



3

1 Introduction The Internet of Things (IoT) ecosystem is a valuable marketplace for developers of devices and applications that increase productivity, efficiency and awareness, but it’s also a rich target for hackers seeking to gain access to data and potentially disrupt operations. An IoT strategy needs to include a reasonable security strategy as a fundamental requirement from concept through product support, to appropriately protect and serve the market. Security should be an economic decision that is rooted in the product concept. We focus on the value a product in the market, but the financial risk (liability) of shipping the product should also be part of decision-‐making process. When the financial liability is accrued into product cost, security technology becomes a key tool to reduce the product cost. You will learn in this guide how to define a reasonable level of security for an IoT solution. Understanding the financial liability of security breaches empowers developers to make practical and reasonable security decisions for implementing best practices to secure devices, data and networks. This not only mitigates costly liabilities from hacking, but also delivers an IoT product that is competitive in the market. Explained below are key definitions to get everyone on the same page;

Security: The state of being free from danger or threat. Cyber-‐security: The state of being protected against the criminal or

unauthorized use of electronic data, or the measures taken to achieve.

Cyber-‐warfare: The use of computers to disrupt the activities of an enemy

country, especially the deliberate attacking of communication systems and infrastructure.

Security critical system:

A system whose failure would put the safety of people at risk.

Privacy: The ability of an individual or group to seclude themselves,

or information about themselves, and thereby selectively decide what is shared publicly.



4

2 Why Security is important in IoT

Developer Intentions In the beginning of every product concept, there is a vision of a world changing product or device that enriches the lives of people or businesses that are seeking solutions to problems. A nefarious motive to damage or destroy the lives of people or businesses does not drive the creative concept of most developers. What we sometimes miss is the fact that great intentions and inventions can have unintended consequences outside the vision of the creator. So here we begin the process of making decisions to keep the product on track and in the control of those who it is designed to serve. You never want to be in the situation of realizing that your product has been turned into a weapon. Even the most basic of products can be turned against the consumer infringing on their privacy, safety and that of society. As has been increasingly reported in the news.

There are people and organizations that exist to exploit devices to meet their agenda, be it theft, invasion of privacy or even cyber warfare. We don’t know these people and they should not engage our creative talents; they simply need to be recognized and addressed by design.

Decisions made in the concept, design development, distribution and field support phases of a product life cycle can reduce the risk of giving up access or control in a reasonable, balanced and risk-‐appropriate manner. Ignoring the security aspects of any product can have devastating unintended consequences.



5

Government Intentions on IoT Security The US Federal Trade Commission hosted an industry workshop “Internet of Things – Privacy & Security in a Connected World” in late 2013 as part of their responsibility to protect consumers in the commercial environment. The Workshop participants highlighted the risks of IoT: “IoT presents a variety of potential security risks that could be exploited to harm consumers by:

1. Enabling unauthorized access and misuse of personal information 2. Facilitating attacks on other systems 3. Creating risks to personal safety

Participants also noted that privacy risks may flow from the collection of personal information, habits, locations, and physical conditions over time” The FTC Staff Report 2015 demonstrates the intention of the FTC to monitor and control IoT security not by direct regulation of IoT, but through enforcement of existing regulatory statutes, and education on existing Fair Information Practice Principles (FIPPs) for companies manufacturing IoT solutions to incorporate “reasonable security” into their IoT solutions and products.

• Fair Information Practice Principles (FIPPs) o Data Security o Data Minimization o Notice o Choice

• Fair Credit Reporting Act (FCRA) • Health Insurance Portability and Accountability Act (HIPAA)

The FTC Staff Report 2015 also requested legislative action. “Recommendation for Congress to enact strong, flexible, and technology neutral federal legislation to strengthen its existing data security enforcement tools and to provide notification to consumers when there is a data breach.”



6

3 Economics of Security

Security increases a products value to consumers and simultaneously lowers both liability and operating expenses for the Original Equipment Manufacturer (OEM). When security is designed into IoT solutions as part of the new product concept, the impact is significant in effectiveness yet minimal on product cost impact. Adding security after the original product design is completed can be costly and time consuming and is rarely as effective. The challenge is deciding on the level of security for the IoT solution, namely to balance the risk of the threat and potential liability in a “reasonable” manner. The best-‐known practice is to value the risk and liability using industry metrics on the probability of being hacked, recognizing the magnitude of damages that would result and implementing security that cost effectively reduces that risk.

Components of Economic Risk

1. Data Breach Liability 2. Damages (economic compensation) 3. Company Devaluation (share-‐holder loss)

Data Breach Liability There are regulatory-‐mandated actions required when revealing any person’s identity, plus at least one non-‐public personal information item.

• Social Security number • Credit/Debit card account number • Health records • Financial Records

Notifications, remediation and recovery of trust have been economically researched on a regular basis giving us a clear financial cost for each data record breached. The IBM & Ponemon Institute “2014 Cost of Data Breach Study: United States” shows an average cost of $246 for each data record in a breach of 10,000 records. This number varies by industry served with healthcare being at the most expensive end of the economic scale at $316 per record breached.



7

Damages When products are compromised there are clear risks of regulatory penalties and civil damage claims. The regulatory and court system remedies claims through penalties and economic compensation to victims. The victim(s) can be either your customer or a 3rd party who was damaged as a result of your product. Examples;

• IoT Refrigerator -‐ hacked so as to destroy the food it was intended to preserve, and used as a tool in email phishing campaigns and coordinated denial of service attacks.

• HVAC Thermostat – hacked and used to launch a coordinated attack against the electric grid, resulting in the shutdown of a town, city or region creating economic loss for many.

• Traffic Signal Light – hacked to turn all lights green or red, resulting in traffic accidents and extreme congestion.

• Irrigation Controller – hacked to enable excessive watering while you are away on vacation or asleep, resulting in huge water bills, damage to property and wasting resources.

In 2011 an electrical grid in Southern California experienced an outage that lasted 18 hours and caused an estimated $100 million total economic impact. The impact on the utilities involved (20 incidents occurred in an 11 minute period on 5 grids) lead to two nuclear reactors going offline and a major metropolitan area being left in total darkness. The potential of such incidents is hard to ignore as IoT device population grows.



8

Company Devaluation or Destruction Valuation of many companies today is based on the size of their database and the content integrity of the database. Industry research on database value ranges from $ 40 -‐ $176 per user record, with larger and more complex data bases driving the higher end (Facebook), and customer contact data at the lower end. The effect of hackers stealing a database as part of a breach is significant enough, but deliberate and undetected corruption of data for months or years impacts confidence in the data retained as it significantly erodes archive and backup system confidence. Each company needs to evaluate and appropriately value database assets, as well as the potential impact on revenue and recovery costs from such incidents. Today this is the cost of doing business but knowing the financial impact of such events enables appropriate investment in security to reduce risk, and most importantly to avoid devaluation of the company’s brand.



9

4 Calculating the Economic Cost Using financial estimates for the impact of the three components of risk.

1. Data Breach Liability 2. Damages (economic compensation) 3. Company Devaluation (share-‐holder loss)

Combined with the probability of occurrence, we can estimate the financial impact that should be considered in the business model as well as in new product solutions. Economic Risk = Data Breach Liability * PB + Damages * Po + Assets Liability * PL PB = Probability of a Data Breach Po = Probability of Damage Occurrence PL = (PB + Po) = Probability of Assets being destroyed Each existing and new product market plan should contain a model of economic risk and the probability of occurrences to understand the realistic future impact on the business. Once these economic risks are quantified, then investments in security can be made to reduce the cost impact these risks have on the business. A report released by HP Fortify revealed that 70% of IoT solutions currently shipping to customers have 25 or more known vulnerable points when tested against the OWASP Internet of Things Top 10 Project. Each vulnerability vector has a value and probability of occurrence that must be accounted for to enable appropriate investment in security. The following chart is a top-‐level calculation example at a high level covering the three components of economic risk. For each of these components there are multiple subcategories of threat vectors, each with its own liability value and probability of occurrence. The more detailed the threat identification and liability estimation, the more valuable it will be in making decision on where to invest in security. Liability and probabilities change with time as technology advances and the population of fielded devices increases. An economic model is not an exact science; it is a guide on understanding the risks and addressing them to a reasonable level. Professional evaluations of risk and liabilities from legal, technical and financial experts help build a better model.



10

Calculation Example

Data Breach: Section 3.1 shows that a database of 10,000 records has a

19% probability of occurrence in the next 24 months, with an impact of $246/record exposed.

Breach Cost ($/yr) = $246 * 10,000 * 19% / 2

= $ 232,750/ year Damages: A systemic hack could result in 10,000 devices in the field

becoming permanently inoperable, resulting in $ 6500/unit in property damage, and $450/unit in field replacement cost. The probability of occurrence is 0.1%.

Damages ($/yr) = 10,000 *$6950* 0.1% = $ 69,500 /year Company Value:

Asset rebuilding and validating the database will take 2-‐3 months. Sales are stopped for 90 days as security measures are put into place and the company focuses on recovery and rebuilding trust with customers and prospects. Estimated impact of the recovery effort is $3.5 million.

Value Loss ($) = $3.5M * (0.19 +0.001) /2 = $ 334,250./yr

Total Economic Cost = $ 636, 500 /year = $6.365 /unit shipped



11

5 Summary There is no such thing as perfect or impenetrable security. Over time, new and improved approaches to hacking and exploitation evolve as unknown vulnerabilities are discovered that can cause risk factors to change. The three core components of economic risk can guide your thought process as you develop a new product concept, and it will enable decision making throughout the development process and life cycle for the product.

1. Data Breach Liability 2. Damages (economic compensation) 3. Company Devaluation (share holder loss)

Understanding and modeling financial risks that a product introduces to the business model enables developing reasonable approaches to security and builds confidence with customers and shareholders. Without an economic model, companies have few guidelines on making reasonable and appropriate decisions on security investments. In today’s market there are a multitude of security approaches available to developers, ranging from physical hardware security through network transport layers and even into cloud/database/server systems and BYOD (bring your own device) applications. There are also measures that can be taken in the product definition and development process, as well as in how a business operates, that can dramatically impact the risk factors and financial liability. Consumers and users decide if the risk of a security breach is worth the value that IoT solution delivers. Building a credible and proven brand reputation for security makes your IoT solution more valuable.



12

6 Learn More Look for our follow-‐on Guide Reports:

• Guide Report: Security Decisions in IoT There are many decision points in the development of an IoT product that need to be held accountable for security. In this guide we walk through the product development path, giving the security perspective for how to ensure security is integrated effectively in the product life cycle.

• Guide Report: Security Effectiveness & Testing Security is an ongoing effort in the life of a product, but when you are making design decisions, how do you know the effectiveness of the multiple approaches to security? In this guide we provide useful insights and direction to the process.



13

7 Credits, Source Links & Disclaimer Thank you for reading our Guide Report. This series of reports on IoT security were researched and written to help the IoT industry develop a common approach to decision making on how security is implemented in products. We understand that the hard work is ahead as you develop products and make key decisions that impact both your company’s financial outlook and the security of your customers. We assume no liability for your reliance on this information and to use your best judgment in the effort. As you go through the economic model process avoid making uninformed assumptions that impact the modeling of financial risks. We recognize the significant contributions of sources cited below for openly sharing valuable research to the developer market.

• Wikipedia “Canadian Privacy Law” sourced at http://en.wikipedia.org/wiki/Canadian_privacy_law

• Hewlett-‐ Packard Development Company “HP Study Reveals 70

Percent of Internet of Things Devices Vulnerable to Attack” July 29, 2014 by Daniel Miessler. Sourced from http://h20195.www2.hp.com/V2/GetDocument.aspx?docname=4AA5-‐4759ENW&cc=us&lc=en

• OWASP – The Open Web Application Security Project. Sourced at

https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project#tab=OWASP_Internet_of_Things_Top_10_for_2014

• Ponemon Institute and IBM “2015 Cost of Data Breach Study: Global

Analysis” sourced at http://www-‐03.ibm.com/security/data-‐breach/#

• United States Federal Trade Commission “Internet of Things” FTC

Staff Report January 2015 sourced at https://www.ftc.gov/system/files/documents/reports/federal-‐trade-‐commission-‐staff-‐report-‐november-‐2013-‐workshop-‐entitled-‐internet-‐things-‐privacy/150127iotrpt.pdf

gr - security economics in iot 150817- rel.1

Documents