(In)security in IoT and What Can Be Done
The Internet of Things (IoT) is a vast and growing network of connected devices capable of interacting and exchanging data. Some IoT machines are consumer devices – refrigerators, light switches and thermostats – but many other IoT devices operate in business settings, helping to monitor and run factories and logistics operations, for instance.
Security has not been a primary consideration for many IoT device designers, which means IoT devices are relatively easy to hack. In addition, the end customers who use these devices do not care much about security either. This lack of concern for security on the part of both seller and buyer raises serious risks that could impact third parties.
In fact, data shows that IoT devices are vulnerable to attack. In 2017, networking solutions company Aruba announced the results of a survey [1] showing that 84% of the respondents with IoT deployments had already experienced an IoT-related security breach.
What makes the Internet of Things so susceptible to being compromised? The IoT infrastructure combines hardware, sensors, connectors, gateways and application software in a single system, making it complex and vulnerable. In addition, real-time stream analytics, complex event processing, and the large volume and variety of data expose the entire system to various risks.
A typical IoT system has four major components, namely devices, communication channels, the cloud interface and the application interface. Each of these has a different attack surface.
For example, every device is vulnerable to failures in memory, firmware, and physical interfaces like USB ports, web interfaces, and admin interfaces.
Communication channels like Bluetooth and Wi-Fi can be intercepted via an open network or unsafe device network traffic.
The cloud interface is often weakened by inadequate passwords, default credentials, and insecure transport encryption.
Application interfaces often provide an easily hackable route to sensitive data or personal data.
None of these concerns about securing the Internet of Things are stopping firms from implementing IoT. Impressed by the potential of IoT to help reduce costs, improve efficiency and provide more visibility into all facets of operations, manufacturers are pushing ahead with plans to roll out connected IoT technology.
Hacking the Path Less Traveled
As billions of weakly protected IoT devices come online worldwide, attackers are increasingly targeting these devices with hacks that may be off the radar of most cyber security strategies, or that are carried out so stealthily that they are hard to detect until much damage has already been done. For example:
In April 2018, Business Insider [2] reported on an incident where hackers gained access to a casino network and stole information from a high-roller database by hacking into the IoT thermostat in the casino’s lobby aquarium. In another episode, attackers hacked into a bank through its Internet-connected CCTV security cameras.
Some IoT hacks could be a matter of life or death. In 2017, the FDA [3] issued an alert that St. Jude Medical’s implantable IoT cardiac devices were vulnerable to ‘cybersecurity intrusions and exploits’ that could allow hackers to gain access and remotely deplete the battery, or even administer inappropriate pacing or shocks. This is likely just the tip of the iceberg. Security researchers have shown that many other IoT medical devices including insulin pumps, ventilators, infant incubators, MRI machines and patient monitors are highly vulnerable to hack attacks.
Six Steps to Managing IoT Risk
Manufacturers and consumers cannot afford to be complacent about IoT deployment anymore. As the above examples show, unsecured IoT devices leave enterprises vulnerable to data theft, physical damage, revenue loss, reputational damage and more.
On the other hand, IoT also offers many benefits around efficiency, productivity and innovation. Companies cannot afford to hold off indefinitely on deploying IoT technology. Inaction carries its own serious risk of losing ground to competitors that act more quickly to seize the advantages of IoT.
The best approach is to deploy IoT carefully by using disciplined processes to minimize danger. Here are six steps that companies can take to find solutions to IoT security issues:
- Determine which parts of the business might be most vulnerable or exposed to attacks on IoT devices. Start by compiling a full inventory of IoT devices deployed throughout the organization. Then assess the extent to which those devices pose a risk to various enterprise platforms, networks and cloud integrations. Companies should work to protect all vulnerabilities, but they should prioritize securing those IoT devices where hackers could cause the most mayhem if they managed to find a way in.
- Build a collaborative, multi-layered defense. IoT devices typically have many stakeholders, so any successful plan to mitigate IoT risk will depend on strong collaboration across business units. By working together, these diverse stakeholders can build multiple layers of security that harden the company’s defenses and improve the company’s ability to contain the damage from any IoT-related attack.
- Practice and prepare for worst-case scenarios. Good cyber security operations regularly run trial ‘fire drill’ exercises that simulate breaches in order to test the organization’s response plan. Given the unique challenges involved in detecting and responding to IoT breaches, it makes sense to run IoT-specific attack simulations. Companies can use their experience with these simulations to create defense playbooks. In case of a real IoT attack, these playbooks will help the cyber security team respond nimbly and effectively to repair the breach, contain the damage, and maintain a positive customer experience.
- Develop comprehensive IoT security skills. The cyber security team tasked with IoT protection should be able to secure the operating systems and firmware of the devices themselves, while also providing API security in case of platform or third-party integrations. To offer the best possible IoT protection, the team should also have expertise in authentication, device hardening, and strong encryption through proper crypto key management.
- Work for stronger security in the IoT devices themselves. Companies can communicate their security concerns to IoT device manufacturers and announce that built-in device security will play a major role in future purchasing decisions. Companies can also try to lobby governments and regulatory authorities to impose stricter security rules on the IoT industry. There are signs that some jurisdictions are starting to impose such rules. For example, by 2020, any IoT device sold in California will either need to ship with a unique password or make users choose their own password the first time they use the device. There is some evidence that IoT device manufacturers can be encouraged to self-regulate. In the healthcare industry, some major IoT device manufacturers have formed a consortium to push for tighter industry standards on privacy and security. To protect patient privacy, these manufacturers are working to ensure that IoT devices do not store any personally identifiable information (PII). This is also a policy issue and we expect governments will come out with more and more security standards for embedding the “Secure by Design” concept for all high impact IoT systems.
- Continuously audit and monitor IoT device settings and health. As in other areas of cyber security, threats against IoT are always changing and evolving. To maintain strong IoT security, companies must have procedures in place to make sure IoT devices are always equipped with the latest patches against known threats. They should also constantly scan their networks to detect IoT-related anomalies so they can investigate suspicious activity and contain the damage in case any breach does occur. Implementing cyber security controls is that much harder because of the lack of tools and solutions available at the moment; however, this will change rapidly once the threat from such devices becomes more real.
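
As an added illustration (not part of the original article), the sketch below combines the first and sixth steps with the password rule mentioned in the fifth: it walks a device inventory, flags shared factory credentials and outdated firmware, and lists devices that can reach critical systems first. The inventory records, field names, zone names and firmware versions are all constructed for the example.

```python
from collections import Counter

# Constructed sample inventory; every id, model, version and zone is illustrative.
# "factory_cred" is a fingerprint of the credential the device shipped with.
INVENTORY = [
    {"id": "thermo-lobby", "model": "T100", "fw": "1.2.0", "factory_cred": "fp-a",
     "forces_first_use_change": False, "reaches": {"guest-wifi", "crm-db"}},
    {"id": "thermo-hall", "model": "T100", "fw": "1.4.1", "factory_cred": "fp-a",
     "forces_first_use_change": False, "reaches": {"guest-wifi"}},
    {"id": "cam-vault", "model": "CAM9", "fw": "3.0.2", "factory_cred": "fp-b",
     "forces_first_use_change": False, "reaches": {"crm-db"}},
    {"id": "plc-line1", "model": "PLC7", "fw": "2.0.9", "factory_cred": "fp-c",
     "forces_first_use_change": True, "reaches": {"plant-control"}},
]
LATEST_FW = {"T100": "1.4.1", "CAM9": "3.0.2", "PLC7": "2.1.0"}  # assumed vendor data
CRITICAL_ZONES = {"crm-db", "plant-control"}  # assumed high-impact systems


def _ver(v):
    """Turn '1.4.1' into (1, 4, 1) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


def audit(inventory, latest_fw, critical_zones):
    """Return devices with findings, highest-impact first."""
    cred_use = Counter(d["factory_cred"] for d in inventory)
    findings = []
    for d in inventory:
        issues = []
        # Password rule: unique factory credential OR forced change at first use.
        if cred_use[d["factory_cred"]] > 1 and not d["forces_first_use_change"]:
            issues.append("shared-factory-credential")
        # Unknown models are flagged rather than silently treated as current.
        latest = latest_fw.get(d["model"])
        if latest is None:
            issues.append("unknown-model")
        elif _ver(d["fw"]) < _ver(latest):
            issues.append("outdated-firmware")
        if issues:
            findings.append({"id": d["id"], "issues": issues,
                             "critical": bool(d["reaches"] & critical_zones)})
    # Devices that can reach critical systems come first, then by issue count.
    findings.sort(key=lambda f: (not f["critical"], -len(f["issues"]), f["id"]))
    return findings


if __name__ == "__main__":
    for f in audit(INVENTORY, LATEST_FW, CRITICAL_ZONES):
        print(f)
```
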
Strengthening the Weakest Link
It does organizations no good to build a massive cyber security fortress composed of firewalls, intrusion detection and event management systems, spam filters, access control protocols, data encryption, strong password requirements and two-factor authentication, only to leave the IoT back door unlocked and wide open to anyone skulking past.
IoT breaches pose serious threats to a company’s reputation and its entire operations. Attackers who compromise IoT devices can cause all sorts of mayhem – not just stealing data, but potentially shutting down factories, damaging equipment, blacking out utility grids, or even introducing subtle manufacturing defects into sophisticated products that can lead to expensive recalls months or years in the future.
Given all these threats, organizations should place a high priority on strengthening the weakest link in their security chain by taking all the necessary steps to harden their IoT defenses before hackers strike again. There should also be a strong demand on governments to issue security and safety standards for all IoT systems and to ask manufacturers to build security by design into their IoT products.