i-PRO joins with the U.S. department of homeland security cyber and infrastructure security agency (DHS CISA) to raise awareness around cybersecurity for NCSAM (national cyber security awareness month). The world has seen a significant increase in cyber-attacks aimed at critical infrastructure and security products in the last few years, with Industrial Internet of Things (IIoT) devices such as security cameras, becoming prime targets for hackers. According to a Kaspersky analysis of its telemetry from honeypots shared with Threatpost and extrapolated for all of 2021, there were over 3 billion IoT breaches, and that’s just the recorded number, the actual number is probably much higher, says Will Knehr, senior manager of information security and data privacy at i-PRO.
In an i-PRO poll of almost 100 LinkedIn users we asked, “Who is typically responsible for ensuring the cybersecurity of security systems in an organisation?” 55% of respondents said that the IT department was responsible, while 23% said that it was the device manufacturer. Only 13% said it was the system integrator, while 10% said it was the safety security department. While the answers vary based on the requirements of the installation, it’s clear that IoT and IIoT manufacturers must do more to help secure these devices and educate the market on security best practices. So, as part of cybersecurity awareness month, i-PRO is releasing our “Internet of Things cybersecurity pillars” to help educate the market on IoT security. The pillars focus on what we believe are the four core tenets that should be the foundation of any IoT security program. The four pillars are resiliency, cyber hygiene, product security, and proper configuration.
In this article, we will briefly explore each of these pillars, and over the next few weeks, we will release more detailed explanations of each pillar. We hope that you will join us on this journey and together we can work to make IIoT safer for everyone!
What is IoT and IIoT? Since we will be using these terms a lot throughout these articles, it’s probably best to go ahead and make sure that we are all on the same page. IoT is the Internet of Things, and it is typically defined as small computing devices, sensors, or software that communicate and exchange data over the internet. Still confused? No sweat, you interact with these devices every day and maybe don’t even realise it. These are devices like smart refrigerators, vacuums, dryers, thermostats, home security systems, wearable fitness and wellness tracking, light switches, and even healthcare devices like pacemakers. Unfortunately, most of these devices were not made with security in mind, they were just made to function and provide convenience to the consumer. IIoT is just like IoT but developed for an Industrial market. IIoT includes devices used in manufacturing, heating and cooling of commercial facilities, smart fire control systems, commercial security systems, and smart farm devices. These devices automate a lot of commercial processes which increase efficiency and often help to reduce costs, but they have also introduced a new set of vulnerabilities to organisations. To alleviate any confusion, for the rest of the article we will use the terms IoT and IIoT interchangeably.
Without any further ado, let us hop into these pillars and see what we can do as a team to make our IoT devices better.
The first pillar focuses on resiliency, which simply put, means that your IIoT device or security system will be there when you need it the most. Will your security system work during a power outage, severe weather, communication disruption (telephone or internet outage), or cyber-attack? These are the types of questions that will help your organisation determine if your devices are resilient. One of the toughest challenges in achieving true resiliency is marrying physical security and cybersecurity together.
The best thing you can do to protect your IoT devices is put deodorant on them and wash them every day….just kidding, we aren’t talking about that kind of hygiene. What we are referring to is the care and maintenance of IoT devices. When was the last time you updated your IoT firmware or software? Do you have an inventory of all IoT devices on your network? Are you using strong passwords or authentication for your IoT devices? Did you ever change the default passwords on your IoT devices? These questions will give you a sense of your cyber hygiene. IoT devices need to be updated and inventoried just like any other device on the network, however, they are often overlooked or forgotten about once deployed.
Product security refers to the security features on the device itself. Many IoT devices, especially cheap ones or devices made by fly-by-night companies, don’t build security features into their devices. We recommended purchasing devices from reputable companies that will fix security flaws as they are reported. Some of the security features to look for in an IoT device are encryption (protecting usernames, passwords, and device traffic), authentication (does the device ensure that it only takes instructions from an authenticated source), and the support of secure network standards like 802.1x.
In the previous pillar, we focused on the security features that an IoT device has, but those security features are pointless if they aren’t configured or set up properly. Proper configuration focuses on ensuring the devices have the security features turned on and turning off any features that aren’t in use, but it also includes making sure that the network is set up properly. Often these IoT devices are hacked because attackers can get to the devices in the first place, one way to help with that is by ensuring that your IoT devices aren’t visible from the internet. This can be done by properly configuring the network and using network security best practices such as network segmentation.
The author is Will Knehr, senior manager of information security and data privacy at i-PRO.