IoT security: What we can learn from recent threats

An unnamed Las Vegas casino was hacked via its fishtank, IoT-connected to monitor feeding and water temperature

The Internet of Things (IoT) promises more flexibility and functionality for enterprises than ever before. More connected devices hold the promise of helping enterprises streamline supply chain operations, increase efficiencies and reduce costs within existing processes, enhance product and service quality, and even create new products and services for customers.

With a myriad of benefits available to the enterprise, says Avinash Prasad, head of Managed Security Services at Tata Communications, IoT is set to enhance or even overhaul business models for the better.

While the mass generation, collection and analytics of IoT data will certainly provide the enterprise with immense opportunity, potentially easy access through unsecure networks and other vulnerable entry points – including IoT devices – is enticing cybercriminals.

According to Gartner, nearly 20% of organisations have observed at least one IoT-based attack in the past three years. With a staggering 75 billion connected devices expected worldwide by 2025, exposure to cybersecurity vulnerabilities and data breaches will have increased five-fold from today.

So, as we enter a new IoT-dominated era, it is imperative to re-examine the threats that loom over enterprises when deploying multiple connected devices and incorporate the same into the enterprise security strategy. Here are three examples of IoT vulnerabilities that all enterprises should take into consideration for cyber defense planning – these range from breaches on seemingly innocuous products to the downright malicious.

  1. Even the simplest connected devices are vulnerable

Many people who go to Vegas come back with far less money than they went with, but it’s not usually been linked to any cyber-attack, much less one that started in a fish tank. However, that’s exactly how an unnamed casino in Sin City experienced its first cybersecurity infraction.

The connected thermometer, used for remote monitoring and feeding within the casino’s aquarium, provided the perfect access point for hackers looking to acquire data on the highest-spending visitors. The hackers stole 10GB of personal data in total, sending it to a remote server in Finland.

IoT devices are increasingly being used across diverse sectors, and as seen by the Vegas fish tank example, even the simplest connected devices can be potential gateways to other private segments of an enterprise’s network. Given that 80% of the world’s data is kept on private servers, keeping hackers out has never been more crucial.

  2. The physical protection and disposal of connected devices can be troublesome

Sometimes it’s not hackers you need to be wary of but the behaviour of IoT devices themselves. In 2018, cyber-security blog Limited Results took a hacksaw to a LIFX Mini White lightbulb and discovered vulnerabilities with the smart bulb itself. Anyone with physical access to the product could extract the owner’s Wi-Fi password as it was stored in plaintext on the device, along with the RSA private key and root passwords.

LIFX fixed the vulnerabilities with a firmware update but it raises important questions around the physical state of the devices including protection during use and disposal of old or defective smart devices. As enterprise businesses continue to adopt and upgrade IoT, this often-forgotten aspect of vulnerability exploitation must stay front of mind.

  3. Malware on an industrial scale – the cyber physical threat

The world has grown accustomed to malware stealing private information, but as seen by the Vegas fish tank and LIFX examples, rarely has it posed a physical threat to its victims. That is until 2018 when the Triton industrial malware was discovered targeting the safety systems of a Saudi Arabian oil refinery. It is said to be the first malware ever designed to compromise industrial safety systems, giving hackers the ability to disable sensors and allow lethal catastrophes. The hackers moved deliberately, taking their time to infiltrate more and more of the refinery’s systems and develop more precise malware.

That instance was fortunately uncovered before any more attacks could be executed, but that does not stop hackers from developing even more dangerous forms of malware. So, as industrial control systems become increasingly connected and dependent on IoT devices, enterprises must take steps to build in security for these layers.

The compliance conundrum


Even without the widespread adoption of IoT, many enterprises are being challenged by innovation that can open potential loopholes for data protection. Over the last few months, British Airways, Marriott Hotels and various local authority organisations have been fined heavily under the European Union’s General Data Protection Regulation (GDPR) for the accidental exposure of vast amounts of personal data. In fact, the Marriott data breach alone exposed 7 million records connected to UK residents.

All fines levied demonstrate how aggressively regulators within the European Commission (EC) are willing to tackle security and compliance failings to ensure that personal data remains private. New UK-based IoT security laws on the horizon will look to hold device manufacturers accountable for vulnerable entry points within the connected device itself. Yet, enterprises will also need to accept more responsibility for the weaknesses – security and compliance – within their own IT architecture.

So, what’s the solution?

The fledgling nature of IoT is likely to make it an attractive target to hackers for the foreseeable future. As more technologies emerge and IT environments become ever-more complex, the IoT attack surface will increase. Enterprises must take the right precautions today to prevent the serious damage that can be caused by successful attacks on newly implemented IoT environments.

One way to strengthen cybersecurity is to use IoT data processed by advanced analytics like machine learning (ML) and artificial intelligence (AI) in a security context. By implementing advanced analytics technologies, it is possible to monitor for anomalies in behaviour and usage across all connected devices and thus identify critical security incidents or misuse. What’s more, by adopting Blockchain, enterprises can remove the need for a central authority in the IoT network. This means connected devices in common groups can alert administrators if they’re asked to carry out an unusual task.
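The behavioural monitoring described above, as an added example that is not part of the original article: a per-device baseline of known destinations and daily outbound volume, with a median/MAD threshold standing in for the ML models the article mentions. The flow-record format, device names, addresses and the threshold `k` are assumptions.

```python
from collections import defaultdict
from statistics import median

MB = 10**6

def build_baseline(flows):
    """Per device: destinations seen and the daily outbound byte totals."""
    dests, daily = defaultdict(set), defaultdict(lambda: defaultdict(int))
    for day, device, dst, nbytes in flows:
        dests[device].add(dst)
        daily[device][day] += nbytes
    return {dev: (dests[dev], list(daily[dev].values())) for dev in dests}

def score_day(baseline, flows, k=10.0):
    """Judge one day's flows against the baseline; return a list of alerts."""
    alerts, totals = [], defaultdict(int)
    for _, device, dst, nbytes in flows:
        totals[device] += nbytes
        known, _ = baseline.get(device, (set(), []))
        alert = (device, "new-destination", dst)
        if dst not in known and alert not in alerts:
            alerts.append(alert)
    for device, total in totals.items():
        _, history = baseline.get(device, (set(), []))
        if not history:  # device never seen during the baseline period
            alerts.append((device, "unknown-device", total))
            continue
        med = median(history)
        mad = median(abs(x - med) for x in history)
        # Floor the spread at 10% of the median so a very steady device
        # does not alert on a trivial change.
        if total > med + k * max(mad, 0.1 * med):
            alerts.append((device, "volume-spike", total))
    return alerts

# Constructed sample data: device names, addresses (RFC 5737 documentation
# ranges) and byte counts are made up for illustration.
HISTORY = [(d, "tank-thermometer", "192.0.2.10", (2 + d % 3) * MB) for d in range(1, 8)]
HISTORY += [(d, "badge-reader", "192.0.2.20", (5 + d % 2) * MB) for d in range(1, 8)]
TODAY = [
    (8, "tank-thermometer", "192.0.2.10", 3 * MB),
    (8, "tank-thermometer", "203.0.113.77", 10_000 * MB),  # ~10 GB, new host
    (8, "badge-reader", "192.0.2.20", 6 * MB),
]

if __name__ == "__main__":
    for alert in score_day(build_baseline(HISTORY), TODAY):
        print(alert)
```

A device with a narrow, predictable job, such as a thermometer reporting to one vendor endpoint, makes both signals cheap to compute and low in false positives.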

The enterprise must also look to their partners when shoring up IoT-laden environments. Advanced security defence centres to respond to cyberattacks in real-time, operated by specialised cyber security players, can provide enterprises with a one-stop shop for their cybersecurity, compliance and emerging technology needs.

Such a cybersecurity centre should be powered by a host of sophisticated tools and platforms, including log and behaviour analytics, cyber threat intelligence, a cloud-based security framework and an advanced attack prediction platform driven by machine learning, all integrated into an automation and orchestration platform.

These centres can therefore provide enterprises with a comprehensive security dashboard – a bird’s eye view of the IT and IoT network and its security. Such centres are very difficult to build and maintain from a cost and skills perspective, so enterprises could leverage the deep expertise of an expert partner to help bolster their system and data protection posture and cope with ever-changing regulations.

It’s only by taking a holistic approach to IoT security – one that embraces cloud-based pervasive controls with extended visibility and protection through emerging technologies – that one can ensure the enterprise is protected end-to-end and remains compliant with data protection standards.

In summary though, there is no need to fear IoT. With the correct safeguards in place it can deliver on its promises, improving the processes and services it is designed to provide.

The author is Avinash Prasad, head of Managed Security Services at Tata Communications.
