IoT security: What we can learn from recent threats
The Internet of Things (IoT) promises more flexibility and functionality for enterprises than ever before. More connected devices hold the promise of helping enterprises streamline supply chain operations, increase efficiencies and reduce costs within existing processes, enhance product and service quality, and even create new products and services for customers.
With a myriad of benefits available to the enterprise, says Avinash Prasad, head of Managed Security Services at Tata Communications, IoT is set to enhance or even overhaul business models for the better.
While the mass generation, collection and analytics of IoT data will certainly provide the enterprise with immense opportunity, potentially easy access through unsecure networks and other vulnerable entry points – including IoT devices – are enticing cybercriminals.
According to Gartner, nearly 20% of organisations have observed at least one IoT-based attack in the past three years. With a staggering 75 billion connected devices expected worldwide by 2025, exposure to cybersecurity vulnerabilities and data breaches will have increased five-fold from today.
So, as we enter a new IoT-dominated era, it is imperative to re-examine the threats that loom over enterprises when deploying multiple connected devices and incorporate the same into the enterprise security strategy. Here are three examples of IoT vulnerabilities that all enterprises should take into consideration for cyber defense planning – these range from breaches on seemingly innocuous products to the downright malicious.
- Even the simplest connected devices are vulnerable
Many people who go to Vegas come back with far less money than they went with, but it’s not usually been linked to any cyber-attack, much less one that started in a fish tank. However, that’s exactly how an unnamed casino in Sin City experienced its first cybersecurity infraction.
The connected thermometer, used for remote monitoring and feeding within the casino’s aquarium, provided the perfect access point for hackers looking to acquire data on the highest-spending visitors. The hackers stole 10GB of personal data in total, sending it to a remote server in Finland.
IoT devices are increasingly being used across diverse sectors, and as seen by the Vegas fish tank example, even the simplest connected devices can be potential gateways to other private segments of an enterprise’s network. Given that 80% of the world’s data is kept on private servers, keeping hackers out has never been more crucial.
- The physical protection and disposal of connected devices can be troublesome
Sometimes it’s not hackers you need to be wary of but the behaviour of IoT devices themselves. In 2018, cyber-security blog Limited Results took a hacksaw to a LIFX Mini White lightbulb and discovered vulnerabilities with the smart bulb itself. Anyone with physical access to the product could extract the owner’s Wi-Fi password as it was stored in plaintext on the device, along with the RSA private key and root passwords.
LIFX fixed the vulnerabilities with a firmware update but it raises important questions around the physical state of the devices including protection during use and disposal of old or defective smart devices. As enterprise businesses continue to adopt and upgrade IoT, this often-forgotten aspect of vulnerability exploitation must stay front of mind.
- Malware on an industrial scale – the cyber physical threat
The world has grown accustomed to malware stealing private information, but as seen by the Vegas fish and LIFX examples, rarely has it posed a physical threat to its victims. That is until 2018 when the Triton industrial malware was discovered targeting the safety systems of a Saudi Arabian oil refinery. It is said to be the first malware ever designed to compromise industrial safety systems, giving hackers the ability to disable sensors and enable allow lethal catastrophes. The hackers moved deliberately, taking their time to infiltrate more and more of the refiners systems and develop more precise malware.
That instance was fortunately uncovered before any more attacks could be executed, but that does not stop hackers from developing even more dangerous forms of malware. So, as industrial control systems become increasingly connected and dependent on IoT devices, enterprises must take steps to build in security for these layers.
The compliance conundrum
Even without the widespread adoption of IoT, many enterprises are being challenged by innovation that can open potential loopholes for data protection. Over the last few months, British Airways, Marriott Hotels and various local authority organisations have been fined heavily under the European Union’s General Data Protection Regulations (GDPR) for the accidental exposure of vast amounts of personal data. In fact, the Marriott data breach alone exposed 7 million records connected to UK residents.
All fines levied demonstrate how aggressively regulators within the European Commission (EC) are willing to tackle security and compliance failings to ensure that personal data remains private. New UK-based IoT security laws on the horizon will look to hold device manufacturers accountable for vulnerable entry points within the connected device itself. Yet, enterprises will also need to accept more responsibility for the weaknesses – security and compliance – within their own IT architecture.
So, what’s the solution?
The fledgling nature of IoT is likely to make it an attractive target to hackers for the foreseeable future. As more technologies emerge and IT environments become ever-more complex, the IoT attack surface will increase. Enterprises must take the right precautions today to prevent serious damage that can be caused by Successful attacks on newly implemented IoT environments.
One way to strengthen cybersecurity is to use IoT data processed by advanced analytics like machine learning (ML) and artificial intelligence (AI) in a security context. By implementing advanced analytics technologies, it is possible to monitor for anomalies in behaviour and usage across all connected devices and thus identify critical security incidents or misuse. What’s more, by adopting Blockchain, enterprises can remove the need for a central authority in the IoT network. This means connected devices in common groups can alert administrators if they’re asked to carry out an unusual task.
The enterprise must also look to their partners when shoring up IoT-laden environments. Advanced security defence centres to respond to cyberattacks in real-time, operated by specialised cyber security players, can provide enterprises with a one-stop shop for their cybersecurity, compliance and emerging technology needs.
Such a cybersecurity centre should be powered by a host of sophisticated tools and platforms including log and behaviour analytics, cyber threat intelligence, cloud-based security framework, advanced attack predictions platform driven by machine learning, integrated into an automation and orchestration platform.
These centres can therefore provide enterprises with a comprehensive security dashboard – a bird’s eye view of the IT and IoT network and its security. Such centres are very difficult to build and maintain from a cost and skills perspective, so enterprises could leverage the deep expertise of an expert partner to help bolster their system and data protection posture and cope with ever-changing regulations.
It’s only by taking a holistic approach to IoT security – one that embraces cloud-based pervasive controls with extended visibility and protection through emerging technologies – that one can ensure the enterprise is protected end-to-end and remains compliant with data protection standards.
In summary though, there is no need to fear IoT. With the correct safeguards in place it can deliver on its promises, improving the processes and services it is designed to provide.
The author is Avinash Prasad, head of Managed Security Services at Tata Communications.