When ‘Things’ Attack
Cyberattacks highlight security risks of a connected society
Tens of millions of electronic devices were hijacked in October by unknown hackers and used to shut down large portions of the internet, affecting companies such as Twitter, Netflix, PayPal and Amazon.1-3
Using devices such as wristwatches, home-monitoring cameras and children’s toys, these attacks surfaced security vulnerabilities in the Internet of Things (IoT)—a developing technology many organizations see as a gateway to a brave new world of process efficiencies, cost savings and revenue generation.
Proponents of the IoT, which refers to objects that are connected to the internet, cite benefits that touch almost every industry. These connected objects could be water pipes that can automatically report leaks, medical devices that remotely analyze patients’ vital signs and report them to physicians, or tags and sensors used in logistics that shipping organizations estimate could save global supply chains $1.9 billion.4, 5
Experts, however, worry that the push to bring more connected devices to market is expanding the risk of more attacks. Without regulation to force device-makers to build better security into their products, a more connected society could strengthen hackers’ abilities to spread malicious software (also known as malware). These security loopholes could lead to future internet disruptions, stolen data and other threats that could risk consumers’ safety and cost organizations millions of dollars.
A security virus
October’s historic cyberattack relied on malware called Mirai that controlled millions of devices and spread itself like a virus. Mirai scanned the web for connected devices protected by weak or default passwords and forced those compromised products to search for more vulnerable devices. This created a network for hackers to carry out a distributed denial of service (DDoS) attack—jamming connectivity services from the internet infrastructure company Dyn and affecting services in the United States, Europe and Asia.6
"It’s a very smart attack," said Kyle York, Dyn’s chief strategy officer. "Literally, picture tens of millions of things attacking a single data center."7
Newer devices from low-end manufacturers that make cheap products without regard for security were among the vulnerable products, said Ben Herzberg, security group research manager at the cybersecurity company Imperva. Because some of these devices can’t receive updates against newly found security risks or have default passwords protecting them, they will continue to be exposed to attacks such as Mirai.
DDoS attacks aren’t new, but today’s volume of unsecure connected devices made these attacks particularly severe, said Craig Labovitz, co-founder and chief executive of Deepfield Inc., a network analytics company.8
The expansion of the IoT market is speeding up. According to the Consumer Technology Association, 170 million people will receive IoT-related gifts this holiday season, and there are no regulations forcing device-makers to improve their products’ security.9
"It would be great if we could say, ‘If you want to produce a device connected to the internet, you must go through basic security checks.’ But we don’t have that right now," Herzberg said. "These attacks are not going away."10
Maneesha Mithal, an associate director with the U.S. Federal Trade Commission, said IoT security is a "huge priority" and "companies are not investing as much time and effort as they should" in this area.11
Disconnected auto security
The rise of devices such as smartphones, tablets and connected wearable electronics has woven internet connections into nearly every part of society. For many organizations, this expansion offers great potential for improving and streamlining how they do business.
Consumer demands are pressuring automakers to add connected features to vehicles, and three-quarters of new vehicles could have internet connections by 2020. Renault and Nissan, for example, announced in October they would hire hundreds of software engineers to focus on developing vehicles with capabilities similar to those of smartphones—such as being able to receive over-the-air updates or information about areas in which they’re traveling.12, 13
Creating virtual assistants is another promise of connected cars. These are systems that could offer a driver advice for the most fuel-efficient route or provide post-trip feedback about his or her driving. This feedback could reduce emissions by 5 to 20%, according to the European Automobile Manufacturers’ Association, but these benefits come with risks.14
In 2015, hackers Charlie Miller and Chris Valasek demonstrated their ability to remotely control a Jeep Cherokee driving on the highway through its internet connection. Using a laptop, they brought the Jeep to a stop.15
"If consumers don’t realize this is an issue, they should, and they should start complaining to carmakers," Miller said. "This might be the kind of software bug most likely to kill someone."16
U.S. regulators took notice of the auto industry’s technology potentially outpacing its ability to protect consumers, and in October they issued cybersecurity guidelines to provide a roadmap for the industry to show how it will protect connected vehicles from attack.17
For healthcare, the IoT could significantly reduce patients’ cost of care and improve drug management. On average, it costs a patient $1,700 for a one-day hospital stay, but sending them home with connected body monitors allows doctors to still receive observation data and prevents a need for some inpatient care.18
By transferring data to a mobile app, pharmaceutical companies also are developing "smart" inhalers, which could track patients’ use and remind them to take the next dose. This data also could be sent to physicians and drug manufacturers for analysis.19
Implanted medical device systems, such as St. Jude Medical Inc.’s Merlin@home, use external transmitters to monitor an implant while a patient sleeps and send information to a patient care network—avoiding a visit to the doctor.
Recently, Muddy Waters Research reported it was able to gain access to this device and to turn off functions or send shocks that could kill patients. St. Jude Medical denied such an attack was possible. While this highlights one of the worst fears surrounding IoT hacking in healthcare, data breaches also are a major concern, considering the amount of personal information that’s available on healthcare systems.20
"When you have these IoT attacks, not only can it disrupt services and access to information, if those devices are connected to the hospital network, there’s nothing to say they can’t focus on hospitals and create a DDoS," said Mac McMillan, cofounder and CEO of the healthcare IT consulting firm CynergisTek.21
Changing strategies necessary
According to a recent survey of 2,000 security officers from organizations worldwide, three-quarters of executives had confidence in their security strategies. The survey report, however, also found one-third of targeted attempts to breach organizations’ cybersecurity succeed despite organizations spending about $85 billion to protect their data.22
According to respondents, it also can take months to identify breaches, and 98% are reported by employees outside the security team. It’s estimated data breaches collectively cost organizations $2 trillion. That figure could go up to $90 trillion by 2030.23
"There needs to be a fundamentally different approach to security protection starting with identifying and prioritizing key company assets across the entire value chain," said Kevin Richards, managing director of Accenture Security North America.24
Over the past two years, there was a 70% increase in the number of IoT devices, and experts say there will be more than 50 billion devices online by 2020.25 Michael Walker, a program manager and computer security expert at the Pentagon’s advanced research arm, said, "If we want to put networked technologies into more and more things, we also have to find a way to make them safer … It’s a challenge for civilization."26
—compiled by Tyler Gaskill, assistant editor
References and note
- Larry Greenemeier, "IoT Growing Faster Than the Ability to Defend It," Scientific American, Oct. 26, 2016, www.scientificamerican.com/article/iot-growing-faster-than-the-ability-to-defend-it.
- The identities of those responsible for October’s distributed denial of service attacks were unknown at the time of print.
- Andrea Peterson, "Can Anyone Keep Us Safe From a Weaponized Internet of Things?" Washington Post, Oct. 25, 2016, www.washingtonpost.com/news/the-switch/wp/2016/10/25/can-anyone-keep-us-safe-from-a-weaponized-internet-of-things.
- BI Intelligence, "$1.9 Trillion Dollars of Economic Value Could Be Created by the Use of IoT Devices and Asset Tracking Solutions," Business Insider, Nov. 1, 2016, www.businessinsider.com/2016-11-1-asset-tracking-in-the-supply-chain-and-logistics-2016-11.
- Caroline Gorski, "Five Ways the Internet of Things Could Change the Way You Do Business," Telegraph, Nov. 2, 2016, www.telegraph.co.uk/connect/small-business/business-solutions/how-the-internet-of-things-will-change-business.
- Peterson, "Can Anyone Keep Us Safe From a Weaponized Internet of Things?" see reference 2.
- Greenemeier, "IoT Growing Faster Than the Ability to Defend It," see reference 1.
- Peterson, "Can Anyone Keep Us Safe From a Weaponized Internet of Things?" see reference 2.
- Peter Suciu, "Ransomware: The Next Big Automotive Cybersecurity Threat," Car and Driver, Oct. 26, 2016, blog.caranddriver.com/ransomware-the-next-big-automotive-cybersecurity-threat.
- Sean McLain, "Renault and Nissan to Fuel ‘Connected Cars’ Push With Tech Hiring Spree," Wall Street Journal, Oct. 25, 2016, www.wsj.com/articles/renault-and-nissan-to-fuel-connected-cars-push-with-tech-hiring-spree-1477392964.
- Anca Gurzu, "Connected Cars Could Be Big Energy Savers, or Not," Politico.eu, Oct. 20, 2016, www.politico.eu/article/environmental-pluses-and-minuses-of-connected-cars.
- Andy Greenberg, "Hackers Remotely Kill a Jeep on the Highway—With Me in It," Wired, July 21, 2015, www.wired.com/2015/07/hackers-remotely-kill-jeep-highway.
- Joseph White, "U.S. Calls on Automakers to Make Cyber Security a Priority," Reuters, Oct. 24, 2016, www.reuters.com/article/us-autos-cyber-iduskcn12O2jg.
- Bruce Harpham, "How the Internet of Things Is Changing Healthcare and Transportation," CIO, Sept. 8, 2015, www.cio.com/article/2981481/healthcare/how-the-internet-of-things-is-changing-healthcare-and-transportation.html.
- Sarah Pringle, "The Internet of Things Is Transforming Healthcare, But There’s One Huge Risk," Thestreet.com, Oct. 29, 2016, www.thestreet.com/story/13854428/3/the-internet-of-things-is-transforming-health-care-but-there-s-one-huge-risk.html.
- Kevin Parrish, "Hackers Can Use Heart-Rate Monitors to Send Jolts to Cardiac Implants, Experts Say," Digitaltrends.com, Oct. 24, 2016, www.digitaltrends.com/computing/st-jude-pacemaker-defibrillator-merlinhome-hacked-shocking.
- Harpham, "How the Internet of Things Is Changing Healthcare and Transportation," see reference 18.
- Matthew Kalman, "Accenture Says One-Third of Corporate Cyber Attacks Succeed," Bloomberg, Nov. 2, 2016, www.bloomberg.com/news/articles/2016-11-02/accenture-says-one-third-of-corporate-cyber-attacks-succeed.
- Steve Lohr, "Stepping Up Security for an Internet-of-Things World," New York Times, Oct. 16, 2016, www.nytimes.com/2016/10/17/technology/security-internet.html.
QFD Pioneer Dies
Yoji Akao, known for creating quality function deployment (QFD) and developing the hoshin kanri strategic planning method, has died. He was 88.
Akao, who was named an honorary member of ASQ in November 2009, taught at Yamanashi University in Kofu, Japan, and Tamagawa University in Machida, Japan, where he eventually held the position of dean of the faculty of engineering. After retirement, he accepted a position as professor of management at the Asahi University School of Business Administration in Mizuho, Japan.
Akao was awarded ASQ’s Distinguished Service Medal in 2001 and the Shainin Medal in 2006. In 1978, he was awarded the Union of Japanese Scientists and Engineers Deming Prize for Individuals.
To read more about Akao’s contributions to quality, visit http://asq.org/about-asq/who-we-are/bio_akao.html. Visit http://tinyurl.com/akao-tribute-blog to read a tribute written by Lotto Lai, former chair and fellow of the Hong Kong Society for Quality.
STATISTICS SCHOLARSHIP OPENS Applications for the 2017-18 Ellis R. Ott Scholarship are now available through ASQ’s Statistics Division. The $7,500 scholarships are for students in master’s degree or higher programs with concentrations in applied statistics or quality management. The 2016-17 scholarship recipients were: Andrew Walter of the University of Kansas and Matthew Keefe of Virginia Tech. For more information and an application form, visit http://asq.org/statistics/about/awards-statistics.html. Applications are due April 1.
2017 RAMS SET The Reliability Division’s annual Reliability and Maintainability Symposium (RAMS) will be Jan. 23-26, 2017, in Orlando, FL. Visit www.rams.org for more details about the event.
THE ASSOCIATION FOR Manufacturing Excellence (AME) recently announced five recipients of its AME 2016 Excellence Award. They are: Accuride de Mexico in Monterrey, Mexico; Goodyear Innovation Center in Akron, OH; Littelfuse in Wuxi, China; MillerCoors Trenton Brewery in Trenton, OH; and O.C. Tanner in Salt Lake City. For more about the award and the recipients, visit http://tinyurl.com/ame-award-recip.
THE 11TH ANNUAL Massachusetts Institute of Technology Sloan Sports Analytics Conference will be held March 3-4, 2017, in Boston. For details, visit http://tinyurl.com/mit-sports-conf.
THE BALDRIGE PERFORMANCE Excellence Program’s 2017-2018 Baldrige Excellence Framework (Business/Nonprofit) booklet will be released this month. The education and healthcare booklets will follow in mid-January. All three versions include the Baldrige Criteria for Performance Excellence, core values and concepts, and guidelines for evaluating your organization’s processes and results.
THE BALDRIGE PROGRAM is seeking qualified candidates for the 2017 Baldrige Executive Fellows Program, a one-year, leadership-development experience to facilitate dialogue on all aspects of leadership and how it relates to visionary focus, strategy, operational intelligence, engagement and sustainability. The deadline to submit applications is Dec. 15. For more information, visit http://tinyurl.com/baldrige-fellows.
THE 28TH ANNUAL National Forum on Quality Improvement in Healthcare is being held Dec. 4-7 in Orlando, FL. The event is being organized by the Institute for Healthcare Improvement. For more information, visit www.ihi.org/forum.
THE LEAPFROG GROUP, a national patient safety watchdog, released its hospital safety grades for more than 2,600 U.S. hospitals. The program assigns A, B, C, D and F letter grades bi-annually and has become a standard measurement of patient safety in the United States. For more information, visit www.hospitalsafetygrade.org.
A CALL FOR PRESENTATIONS has been issued by GS1 US for its annual conference June 19-22, 2017, in Las Vegas. GS1 US is a not-for-profit, nongovernmental organization that maintains global standards for bar codes, radio frequency and other identification systems, data synchronization and electronic information exchange. For more information, visit http://tinyurl.com/gs1-need-speakers.
Who’s Who in Q
NAME: Tracy Owens.
RESIDENCE: Columbus, OH.
EDUCATION: Master’s degree in international business from Seattle University.
INTRODUCTION TO QUALITY: Negative experiences as a consumer drove Owens to start searching for ways to uncover the root causes of errors and delays. In 1998, he moved to a Black Belt position with his employer, Kenworth Truck Co., and learned how lean and Six Sigma help personnel quickly investigate problems and make lasting, positive improvements.
CURRENT JOB: Director of continuous improvement at LexisNexis. Owens also is a volunteer examiner at the Partnership for Excellence, the Baldrige program for Ohio, Indiana and West Virginia.
PREVIOUS JOBS: Owens served in the U.S. Army from 1988 to 1994 and was deployed to Operation Desert Storm and Somalia. Owens said training for a job and putting your training to the test in battle was incredibly rewarding.
ASQ ACTIVITIES: Chair-elect of ASQ’s Innovation Division and engaged in planning the 2017 Innovation Conference, which will be held Oct. 13-15 in Dayton, OH.
RECENT HONORS: Elected to ASQ’s 2016 class of fellows.
PUBLISHED WORKS: Author of Six Sigma Green Belt, Round 2 (ASQ Quality Press, 2011) and coauthor of The Executive Guide to Innovation (ASQ Quality Press, 2013).
PERSONAL: Owens and his wife, Jeanne, have been married 16 years and have three children.
FAVORITE WAYS TO RELAX: Distance running, soccer, bike rides and walking through a good labyrinth.
QUALITY QUOTE: Language differences complicate discussions, so use math and laughter as unifying forces.
Date in Quality History
QP looks back on a person or event that made a difference in the history of quality.
Dec. 10, 1976
Harold F. Dodge, one of the principal architects of the science of statistical quality control, died on this date.
Dodge was born in Lowell, MA, in 1893. He earned a degree in electrical engineering from the Massachusetts Institute of Technology in 1916, and a master’s degree in physics and math from Columbia University in 1922.
Dodge was a statistician at Bell Laboratories from 1917 to 1958. At Bell in the 1930s, Walter Shewhart introduced the theory of using statistical methods to solve quality control problems. Dodge and a colleague, Harry G. Romig, are credited with building on Shewhart’s statistical process control concepts by introducing acceptance sampling methods.
The Dodge-Romig Sampling Inspection Tables have been called Dodge’s most important work. During his tenure at Bell, he developed the basic concepts of acceptance sampling, such as consumer risk, producer risk, double sampling, lot tolerance percent defective and average outgoing quality limit. He originated several types of acceptance sampling schemes, continuous sampling plans, chain sampling plans and skip-lot sampling plans.
Dodge chaired the ASQ Standards Committee for many years. He was the second recipient of ASQ’s Shewhart Medal (1949), sixth recipient of the Grant Award (1972) and fifth honorary member (1965). He also was a fellow and founding member.
In "Diving Deeper" (October 2016, pp. 34-41), a table was mistakenly omitted from the print version of the feature article. The web presentation of the article, as well as the PDF versions of the article and the complete QP issue, have been updated to include Table 2 at this article’s webpage at http://asq.org/quality-progress/2016/10/statistics/diving-deeper.html.