Securing the IoT threat vector
Organisations today know that they need to have a cybersecurity strategy in place to protect their intellectual property (IP) and sensitive data from getting into the hands of cybercriminals.
However, a security strategy will only be effective if tailored to the threats that an organisation faces and many are failing to learn what they’re up against from a cybersecurity perspective. As a result, countless organisations do not properly implement the best cybersecurity approach and this, in large part, is why we are seeing increasing numbers of ransomware and malware attacks globally, says Mark Hearn, director of IoT security at Irdeto.
The problem is that the pace of change in business models has not been matched by the evolution of organisations’ approaches to security. As consumers increasingly demand flexibility, ease of access and convenience, not to mention delivery of services and content across a range of devices, companies are increasingly relying on connectivity.
While this is beneficial and critical to expansion of business opportunities, this connectivity also introduces vulnerabilities from more third-party sources, and this will only extend further with the proliferation of IoT services and devices. Hackers exploit these vulnerabilities to bypass safeguards in place to gain entry to a device, and from there apply pressure against a service or business.
The threat to businesses in relation to IoT is clear, but what about protection of IoT devices themselves and the services that run on them? Gartner has predicted that there will be more than 20 billion IoT devices by 2020 and the deployment model for IoT devices is very often build, ship and forget.
With the increased levels of connectivity to IoT devices, often deployed outside of a company’s IT security perimeter, manufacturers must now think about the protection, updates and upgrades of IoT devices as a critical part of their IoT security strategy. Threats are constantly evolving, so it is also crucial that IoT security is renewable and consists of diverse advanced security technologies, all reinforcing each other.
Ransomware beyond the PC
The threat to IT systems and PCs has been demonstrated spectacularly over the past year or so. In May, the WanaCrypt0r 2.0 ransomware attacks struck, followed quickly in June by a global attack that was originally thought to be a variant of Petya ransomware, but was subsequently determined to actually be malware.
As the threat evolves, we must realise that many IoT devices are also susceptible to ransomware and increasingly will be attack targets. The attacks against automobiles that we have seen to date are basic, but illustrate the ease with which a fleet or entire model year could be compromised and held for ransom. Ransomware is a whole different ball game that requires preparation and a robust cybersecurity strategy.
IoT as a concept is still relatively early in its maturity across many industries and there are still many different versions of operating systems and chipsets controlling the various devices. With convergence and standardisation in the future, we will see a definite increase in threats to the IoT devices on the edge of our networks, which, in turn, will become the risk battleground for our businesses.
Ransomware attacks against factories and hospitals have had a clear impact on the bottom line, as well as potentially putting consumer safety at risk. However, when it comes to IoT and automotive, we will also likely see ransomware attacks executed that threaten brand damage – the next generation of ransomware will be about holding a company’s customers or their brand hostage in the hacker’s hopes of a bigger payoff.
Take the example of an expensive consumer appliance, or any other expensive consumer good that carries a warranty. Once critical mass is reached, an attack would only need to threaten the possibility of the appliance doing something strange to ensure a mass warranty call from consumers.
The potential brand damage and cost of replacement would likely motivate the manufacturer to pay a ransom based on the threat. When you throw in the potential for the attackers to make public claims about the vulnerability and its impact on consumers, brands will certainly be running scared.
Evolving your security strategy
With increasing vulnerabilities providing new targets for hackers, the “check box” security approach that many companies take today simply isn’t effective. Without knowing what you’re up against, an organisation’s approach to cybersecurity is destined to fail.
With a threat-risk analysis of how a hacker operates, organisations are more prepared to address cybersecurity challenges head-on by implementing the proper safeguards that secure their sensitive information, including an organisation’s IP and customer data.
It’s important to understand what hackers are after and how they gain access, despite security measures that are already in place. It is also important to disrupt a hacker’s business model by making it difficult to exploit vulnerabilities from IoT services and connectivity that exist in an organisation’s IT infrastructure. It’s not about making yourself un-hackable, as this is pretty much impossible, but it’s about making yourself unattractive as an attack target.
With this in mind, organisations must implement an ever-evolving defense-in-depth approach to cybersecurity on their edge devices (whether still in their network, or deployed to the consumer), and continually raise the security bar against the latest attack vectors. This approach needs to involve many layers of security being implemented throughout their product ecosystem, rather than just a simple perimeter defense or hardware-only security approach.
The first target for any attack is always going to be the least secure device (particularly pertinent in IoT) or system, so organisations must focus on making themselves more secure than the environment around them, to ensure the reward from any attack is not worth the investment in making it happen. Mitigating attacks against connected devices is crucial to the protection of their consumers, their brand reputation and, ultimately, their revenue.
The author of this blog is Mark Hearn, director of IoT Security at Irdeto