
Why the Internet of Things should be on insurers’ radars

Aon’s latest Global Insurance Market Opportunities release

By Emma Karhan, Kelly Superczynski, and Matt Wyckhouse

The Internet of Things (IoT) promises to pioneer new ways for businesses to create value, and organizations of all types are already benefiting from the new functionality and efficiency gains. However, the constant connectivity and data sharing through the anticipated 20.4 billion connected devices by 2020 (Gartner) also invites new opportunities to compromise security.

Increasingly, connected devices for both personal and business use usher in vulnerabilities that cyber-attackers can exploit. In fact, IoT devices are notoriously easy to infiltrate. NETSCOUT estimates that IoT devices are, on average, likely to be compromised within five minutes of connectivity to the Internet.

The rise of IoT devices has introduced an overlap of the physical and digital worlds, increasing dependence upon devices for critical business operations like physical security, building automation, energy management, industrial processes and transportation. In the IoT era, physical damage – like destroying a data center, shutting down a machine in a production facility or crashing a vehicle – is now possible from digital attacks.

These new and more prevalent IoT cyber risks present an opportunity for insurers to support organizations by raising awareness of risk management and exploring new cyber insurance products and services to provide protection.

IoT Changes Risk

IoT and other unmanaged devices increase exposure to typical cyber-loss events due to their growing volume and relative lack of security. Commoditization and globalization also play a role as most IoT devices involve a long, complex supply chain.

Catastrophic risks like business interruption, fire, explosion and sabotage can now be activated by hostile cyber actors. Attackers need only one trivial vulnerability to enter a network, and from there it’s relatively easy for them to take control.

Traditional IT security tools and methods simply do not work for IoT devices, partly because of the devices' diversity and partly because, as black boxes, they cannot easily be secured. IoT device security differs from traditional enterprise security in many ways, including:

  • Visibility: Many organizations do not know what devices are on their network, and even if they do, that is not enough: security teams must obtain deep visibility into each device, including make, model and detailed vulnerability information about the firmware, which is the combination of software, applications, libraries, etc., built into the device.
  • Vulnerability management: According to research by Finite State, only 1% of IoT vulnerabilities are reported about a specific device, but the underlying firmware often has numerous known common vulnerabilities and exposures (CVEs) that only the manufacturer can easily see.
  • Detection: Most security teams have visibility into what software is running on traditional IT devices, and their traditional security processes are built around controlling user behavior to minimize risk. In the IoT era, end users rarely interact with the device, and the risk is instead buried in the device firmware. Specialized models and AI have now been designed specifically for the unique behaviors of IoT devices to robustly detect attacks.
  • Response: Incident response on IoT devices is virtually impossible today, and new techniques are required to enable post-breach cleanup efforts.

This new risk demands a new response.

About the Authors

Emma Karhan is Head of Terrorism Specialty and Public Sector Partnerships at Aon’s Reinsurance Solutions business. Emma drives collaborations with emerging technology companies in the UK to help meet insurers’ strategic goals. In addition, Emma is committed to closing the protection gap and driving Aon’s reinsurer management strategy in the UK.

Kelly Superczynski is the Americas head of the Capital Advisory team at Aon’s Reinsurance Solutions business. Capital Advisory encompasses the Rating Agency Advisory, ReSolutions structured reinsurance and Corporate Finance teams. Kelly has been with Aon for 16 years, spending time in Chicago, Toronto, Paris and most recently London, in leadership positions within Analytics and Strategy Consulting. Kelly is a CPA and started her career at PricewaterhouseCoopers after graduating from Marquette University.

Matt Wyckhouse is the founder and CEO of Finite State. He has more than 15 years of experience developing advanced software to support offensive and defensive cyber operations that led him to co-found Finite State in 2017 to focus on the unique challenges of cybersecurity in the IoT era. Matt spent most of his career at Battelle, the world’s largest private R&D company, where he was the technical founder and CTO of Battelle’s Cyber Innovations Business Unit. In this role, Matt oversaw dozens of intelligence and security programs supporting strategic global missions, many of which were focused on discovering vulnerabilities in IoT and other embedded devices. Through that experience, he saw how devastating IoT device attacks can be, which is especially concerning given the explosive growth of IoT.

About Finite State

Headquartered in Columbus, Ohio, Finite State gives cyber defenders a tactical advantage by identifying devices running on a network and proactively analyzing firmware buried inside the IoT devices for hidden vulnerabilities. For more information, please visit

About Aon

Aon plc (NYSE:AON) is a leading global professional services firm providing a broad range of risk, retirement and health solutions. Our 50,000 colleagues in 120 countries empower results for clients by using proprietary data and analytics to deliver insights that reduce volatility and improve performance. For more information, visit

SOURCE: Aon plc