Despite all their advantages, IoT devices were not designed with security in mind. This can lead to huge problems.
The Internet of Things (IoT), has brought many benefits. It has also changed the way businesses and IT risk are managed. Over the past few years, reports have surfaced about hijacked cameras, hacked medical devices, and compromised industrial control systems. The problem will only get worse as 5G becomes mainstream and embedded IoT devices become more common.
The IoT adds another layer of security to existing protections. This is what makes it so difficult. Because the IoT potentially touches everything within an enterprise -- and outward to partners and supply chains -- it involves firmware, operating systems, TCP/IP stacks, network design, data security tools, and much more.
Merritt Maxim is vice president and research director at Forrester. "Vulnerabilities in this wide ecosystem are easier to overlook," he says.
This is a serious problem. It can be extremely difficult to identify all IoT devices in a network. This is not the end.
Many IoT devices were not designed with security in view. "People who deploy and set up IoT systems don't always have an excellent grasp of security. The addition of multiple devices from different manufacturers increases complexity," Joe Nocera, the Cyber and Privacy Innovation Institute leader at PwC.
Out of Controls
Every discussion on IoT security begins with a simple fact: The Internet of Things is fundamentally different from conventional IT in terms of security. Many IoT devices don't have a user interface so attacks are often carried out directly on the device or via the device to gain access to an enterprise network. Maxim also points out that attacks can have a different dynamic from ransomware or other attacks.
He says, "The motivation is often for a larger scale of disruption."
In fact, an attack can cause devices that aren't repairable or business disruptions that could be financially or politically motivated. For example, In February, a hacker breached a water treatment plant in Florida through an industrial control system and attempted to tamper with water quality. Back in 2018, cyber thieves hacked a gambling casino in the UK through an Internet-connected thermometer in an aquarium located in the lobby. The casino's customer data was stolen by thieves.
Manufacturers often create their own firmware, protocols and design standards. They don't always do a great job of maintaining and patching systems. Many IoT devices are dependent on older versions of Windows and Linux. The IoT is bringing more headaches to the table: Industrial control systems and machinery that were not intended to be connected to the world are now part.
Remarkably, 74% of firms surveyed by Ponemon Institute last June said their IoT risk management programs were failing to keep pace with the risks posed by the ubiquitous use of IoT devices.
PwC's Nocera states that knowing the IoT devices running on the network, and what data they have, is the first step in building strong protection.
He says, "Many companies don't know."
This is made more difficult by the fact some manufacturers use obscure names or codes that don't clearly identify their devices. Nocera suggests that you assign responsibility to a group and conduct an inventory to identify potential failure points and risks. Sometimes, an organization might need specialized asset management or discovery solution.
It is crucial to establish visibility and control over the entire IoT landscape.
Nocera says, "An organization should be able to turn on and off various devices and configure them accordingly."
It's possible with the right tools to ensure that only necessary services are running on a device and that all other devices are turned off. Another problem that configuration management addresses are ensuring devices doesn't use default passwords or factory settings.
Ulf Mattsson (chief security strategist at Protegrity), says that passwords should be changed regularly. He recommends using tokens, data anonymization, and multifactor authentication (MFA) as well as biometric authentication. Data encryption in motion and at rest, next-generation firewalls, and intrusion prevention systems (IPS) are all necessary. He says that it is crucial to keep these systems up-to-date and patched.
Nocera also notes that network segmentation is another useful tool. It is important to isolate key systems such as industrial controls, enterprise applications, and other critical information so that hackers can't hack into networks through IoT devices.
He says, for example, that "if you're a shipping company and logistics company, maybe IoT devices used to manage your fleet don't need to talk to IoT device and other systems used in a warehouse," This way, if any devices are compromised, you lose only one warehouse and not all of your warehouses.
It's safe to play IT
There are many other strategies that can be used to build a more resilient IoT infrastructure. These strategies include locking down cloud credentials that can then be used to reconfigure devices. Disabling features that don't get used. Regularly auditing IoT infrastructure and retiring unneeded devices. Keeping malware protection up-to-date and replacing less secure devices. You should also be aware of how 5G impacts an IoT framework.
Maxim says it's also wise to look for newer IoT devices that use secure silicon and root of trust (RoT) technologies. This reduces the likelihood that the BIOS or operating-system-level can be altered. Another area worth observing is the increasing use of connectors, application programming interfaces (APIs), that extend and sometimes mask data sources and devices.
A holistic approach that uses a range of tools and strategies to secure devices and data is the best defense. Maxim states that any IoT device or system should undergo the same rigorous review as enterprise applications and should be subject to strict security standards after it is deployed.
He adds that the IoT poses new and sometimes more serious risks, which could disrupt businesses or cause death.