The challenges of securing the IoT supply chain

Jeff Costlow of ExtraHop

IoT brings opportunities across the whole technology stack, making it an extremely high growth market. In Europe, IoT spending is expected to increase to $202 billion (€179.97 billion) in 2021 with spending projected to grow at 26.7% every year thereafter, especially with the arrival of 5G,

Not only have workforces moved to a more remote working environment, but many other industries are using IoT for a more connected experience across their businesses. For example, manufacturing and healthcare providers have increased IoT spending significantly over the past few years.

Although manufacturers were hit hard during the pandemic, the traditionally highly manual sector leveraged IoT to monitor and maintain equipment without a full team of staff, for tasks such as temperature and usage monitoring, says Jeff Costlow, CISO at ExtraHop. The healthcare industry implemented IoT in response to the pandemic, using the tech to help healthcare professionals improve the quality of life and care they offer patients through health monitoring solutions. This tech can also be used for home medical care, which will propel the industry to become the fastest-growing industry for IoT technology in the next few years.

But, as IoT expands across the globe to offer a more connected experience, security undoubtedly takes a hit. IoT technology is creating a broader attack surface, leaving businesses at risk to unknown vulnerabilities in their environments and exposing them to threats of attack.

The increasing attack surface of IoT devices

IoT devices are notoriously hard to monitor and secure. Today’s cybersecurity tools are far more advanced than the devices used on production lines, meaning many of them use legacy software which lack encryption capabilities. In addition, other IoT devices connect to the network infrequently, making them hard to track.

This means companies struggle to monitor and secure the increasing amount of devices used by businesses – a job many CISOs and security teams find frustrating. How are security experts expected to secure and patch IoT devices if they don’t know the device is there?

Additional threats arise when software updates need to be installed by individual employees who, in many cases, lack the skills to do so. This means important updates are not installed properly or when they are needed, leaving the network exposed.

In IT systems, end-point or logging technology can be deployed but with these small, unadvanced IoT devices, normal security telemetry can’t be. The lack of device inventory and vital updates to secure these connected devices cause a monitoring gap, leaving systems vulnerable and open to attacks.

IoT security nightmares

Without robust security and monitoring capabilities, insecure IoT devices open up the possibility of a cyber attack which could disrupt supply chains and cause chaos. This has been seen several times in 2021 with some of the ransomware attacks, such as those on the Colonial Pipeline, JBS and Kaseya, an IT software firm.

In the healthcare industry, a cyber attack could mean life or death for patients. Hospitals’ expansive networks are renowned for using legacy systems, which make them an easy target for attackers who know they’ll pay up to avoid the possible repercussions. This nightmare became reality in Germany, when the first human death from a ransomware attack happened as a hospital was targeted by unidentified hackers who are still unknown to this day.

Other examples of healthcare sector attacks include the infamous WannaCry attack in May 2017. WannaCry was the largest ransomware attack in history, and is still active today. The UK’s NHS was brought to a standstill for several days, and patient data was put at risk as trusts, care providers and general practitioner practices were all affected. This resulted in the cancellation of thousands of appointments and operations, and the relocation of emergency patients from targeted emergency centres. Most recently, the Irish Health Service fell victim to hackers threatening to sell the stolen data.

While it is unknown that these ransomware attacks involved IoT devices, there are attacks where unmanaged devices have caused cyber attacks. In August 2021, the Cybersecurity and Infrastructure Security Agency (CISA) and Mandiant, a threat intelligence firm, disclosed a critical vulnerability in ThroughTek. This vulnerability allowed attackers to access millions of IoT cameras to view and record live feeds and compromise credentials for further attacks. The vulnerability impacted an estimated 83 million recording devices, ranging from enterprise security cameras to smart baby monitors.

This discovery highlights the increasing challenges of IoT supply-chain security, which often demands immediate action by the software supplier, the manufacturer, and the end user to release patches and apply necessary software updates. Connected devices need to have the same cybersecurity as other IT systems to avoid exploitation which can have major consequences.

Monitor IoT with network detection and response

By looking at the evolving threat landscape and the rise in attacks which exploit IoT vulnerabilities, it’s clear organisations need to upgrade their security to protect themselves. More sophisticated network segmentation is needed, or a different approach, like Zero Trust, so that no asset is implicitly trusted.

At the same time, a device discovery plan should be in place for all IoT component producers to manage device inventory and containment. They also need to be able to gather deep forensics insights to investigate the cause of a threat and ensure it doesn’t happen again.

Connected devices require a more advanced network security tool, such as network detection and response (NDR), which shows organisations east/west movement and can display thorough device inventory taking the pressure off security teams.

It’s not enough to rely on endpoint or Endpoint Detection and Response (EDR) tools. Although these tools give an internal view, they can only monitor a device if they are able to be deployed on it. NDR solutions, however, can see everything on the network each device, traffic and activity.

It’s important for security teams to have an actionable plan in place to rapidly eradicate a vulnerability or risk from the business environment, leaning on deep forensic insight to help. These capabilities give teams everything they need at their fingertips to hunt, investigate and remediate threats quickly providing a full spectrum of response and streamlining the workflow.

From looking at the data, the growth of IoT is going to continue to explode – but so will sophisticated cyber attacks. Organisations need to ensure they are prepared by putting the right tools in place now to reduce response time when an attack inevitably hits. Being left in the dark is no longer an excuse.

The author is Jeff Costlow, CISO at ExtraHop.

Comment on this article below or via Twitter: @IoTNow_OR @jcIoTnow


Cubic Transportation Systems expands customer focus in partnership with New England Traffic Solutions

Posted on: September 27, 2022

San Diego, USA – ITS World Congress 2022, Cubic Transportation Systems has expanded its partnership with longstanding customer New England Traffic Solutions (NETS), a provider of advanced technologies enabling the safe, dynamic movement of pedestrian and vehicular traffic. The collaboration now provides a single point of contact for their combined customers, coupled with the focus on customer service and

Read more

ABB partners with Samotics to expand condition monitoring services with electrical signature analysis

Posted on: September 27, 2022

Leiden, Netherlands. 22 September 2022 – Engineering and technology company, ABB and Samotics, a provider of electrical signature analysis (ESA) technology based in the Netherlands, have entered a strategic long-term partnership. The aim is to provide enhanced condition monitoring services. They will deploy each company’s capabilities to deliver insight into machine health and energy efficiency. As a

Read more

9 IoT applications that will change everything

Posted on: September 1, 2021

Whether you are a future-minded CEO, tech-driven CEO or IT leader, you’ve come across the term IoT before. It’s often used alongside superlatives regarding how it will revolutionize the way you work, play, and live. But is it just another buzzword, or is it the as-promised technological holy grail? The truth is that Internet of

Read more

Which IoT Platform 2021? IoT Now Enterprise Buyers’ Guide

Posted on: August 30, 2021

There are several different parts in a complete IoT solution, all of which must work together to get the result needed, write IoT Now Enterprise Buyers’ Guide – Which IoT Platform 2021? authors Robin Duke-Woolley, the CEO and Bill Ingle, a senior analyst, at Beecham Research. Figure 1 shows these parts and, although not all

Read more

CAT-M1 vs NB-IoT – examining the real differences

Posted on: June 21, 2021

As industry players look to provide the next generation of IoT connectivity, two different standards have emerged under release 13 of 3GPP – CAT-M1 and NB-IoT.

Read more

IoT and home automation: What does the future hold?

Posted on: June 10, 2020

Once a dream, home automation using iot is slowly but steadily becoming a part of daily lives around the world. In fact, it is believed that the global market for smart home automation will reach $40 billion by 2020.

Read more

5 challenges still facing the Internet of Things

Posted on: June 3, 2020

The Internet of Things (IoT) has quickly become a huge part of how people live, communicate and do business. All around the world, web-enabled devices are turning our world into a more switched-on place to live.

Read more

What is IoT?

Posted on: July 7, 2019

What is IoT Data as a new oil IoT connectivity What is IoT video So what’s IoT? The phrase ‘Internet of Things’ (IoT) is officially everywhere. It constantly shows up in my Google news feed, the weekend tech supplements are waxing lyrical about it and the volume of marketing emails I receive advertising ‘smart, connected

Read more
IoT Newsletter

Join the IoT Now online community for FREE, to receive: Exclusive offers for entry to all the IoT events that matter, round the world

Free access to a huge selection of the latest IoT analyst reports and industry whitepapers

The latest IoT news, as it breaks, to your inbox