In just a few short years, the Internet of Things (IoT) has radically reshaped the way we live and work. From the gadgets on our wrists and in our homes to the connected buildings and smart factories we spend our working lives in, it’s making us safer, happier, and more productive whilst offering new growth opportunities for organisations. The technology is at the vanguard of a digital transformation revolution that is already permeating the vast majority of businesses, helping to make them more efficient, agile, and customer-centric.
However, digital expansion also means greater digital risk: the latest figures reveal a 100% year-on-year increase in IoT attacks. The key for IT teams, therefore, is to support business growth whilst minimising these cyber risks through best practice security adapted for the new connected era.
IoT has come a long way in a relatively short space of time. Gartner predicts that there will be 14.2 billion connected things in use in 2019, with the total reaching 25 billion by 2021. With this soaring volume of devices has come an explosion in data. Cisco estimates that the total amount of data created by all devices will reach 600 zettabytes per year by 2020, up from only 145 zettabytes annually in 2015. This is a huge amount of data – a single zettabyte is the equivalent of 1 billion terabytes.
Why has the IoT begun to permeate business environments so completely over the past few years? A Forbes Insights poll of 700 execs from 2018 helps to explain. It finds that 60% of firms are expanding or transforming new lines of business, a similar number (63%) are delivering new/updated services to customers, and over a third (36%) are considering new business ventures. Across the coming 12 months, nearly all (94%) respondents predicted profits would grow by 5-15% thanks to IoT.
IoT sensors, and the data they collect and send to the cloud for analysis, offer major new opportunities to enhance the customer experience, streamline complex business processes, and create new services based on the insights revealed. This could include utilities firms monitoring for the early warning signs of water leaks or power outages, manufacturing companies improving operational efficiencies on the factory floor, and hardware-makers providing new after-sales services for customers based on predictive maintenance.
Risk is everywhere
The challenge facing any firm ramping up its use of IoT and industrial IoT (IIoT) systems is that it will have expanded the corporate attack surface in the process. A quick look at OWASP’s IoT Attack Surface Areas document illustrates just how many new possible points of weakness are introduced. These range from the devices themselves — including firmware, memory, and physical/web interfaces — to backend APIs, connected cloud systems, network traffic, update mechanisms, and the mobile app.
One of the biggest risks to such systems is that they are produced by manufacturers who don’t have an adequate understanding of IT security best practices. This can result in serious systemic weaknesses and vulnerabilities that can be exploited by attackers, from software flaws to products shipping with factory default logins. It could also mean the products are hard to update and/or there is no programme in place to even issue security patches.
Such flaws could be exploited in a variety of attack scenarios. They could be used to breach corporate networks as part of a data-stealing raid, or sabotage key operational processes — either to extort money from the victim organisation or simply cause maximum disruption. In a more common scenario, hackers can scan the internet for public-facing devices still protected only by factory default or easy-to-guess/crack passwords, and conscript them into botnets. This is the model used by the infamous Mirai attackers and subsequently adapted in many other copycat attacks. These botnets can be used for a variety of tasks including distributed denial of service (DDoS), ad fraud, and spreading banking trojans.
In the dark
The difficulty for IT security teams is often gaining visibility over all the IoT endpoints in the organisation: even when IoT devices are detected, they may well have been deployed without the knowledge of the IT department. This shadow IT factor is in many ways the successor to the enterprise BYOD challenge — except instead of mobile phones, users are bringing in smart wearables and other appliances that then get connected to the corporate network, increasing cyber risk. Just consider a smart TV being hijacked by attackers to spy on board meetings, for example, or a smart kettle in a staff cafeteria used as a beachhead to launch a data-stealing raid against the corporate network.
Even worse for IT security bosses is that they have to manage this growing cyber risk with fewer skilled professionals to call upon. In fact, demand for IoT roles soared 49% in Q4 2018 from the previous three months, according to one recruitment group.
Regulators catch up
The impact of any major IoT-related cyber threat could be severe. Data loss, IT system outages, operational disruption and the like can all lead to financial and reputational damage. The cost of investigating and remediating a security breach alone can be prohibitive. A serious outage could require a major investment of funds into IT staff overtime. Regulatory fines are another increasingly important cost to bear in mind. Not only is there the GDPR to consider for any issues affecting customers’ or employees’ personal data, the EU’s NIS Directive also mandates best practice security for firms operating in specific critical industries. Both carry the same maximum fines.
This regulatory oversight is encroaching on both sides of the Atlantic. A new piece of proposed legislation in the U.S. will require the National Institute of Standards and Technology (NIST) to draw up minimum security guidelines for IoT manufacturers and demand that federal agencies only buy from suppliers that meet these baseline standards.
Visibility and control
If passed, this U.S. legislation could well build on a European ETSI TS 103 645 standard, which itself was based on a UK government-proposed code of practice for the industry. It’s certainly a great start and will hopefully push the industry to be more security aware, while empowering consumers and businesses to seek out the more secure products on the market. But in reality, it will take a while for such steps to filter through to the market, and even then organisations may already be running thousands of insecure legacy IoT endpoints.
IT security teams must act now, by gaining improved insight into their IoT environment. IT asset management tools should be able to help here by providing the all-important first step: visibility. Next, ensure device firmware is up-to-date via automated patch management tools and that this process is monitored to make sure it is working correctly – some security updates are buried deep within a vendor website and require human intervention to ensure they have been applied. Additionally, IT teams must check that any factory default usernames/passwords are immediately changed to strong and unique credentials. Even better, replace them with multi-factor authentication. Other best practices could include encryption of data in transit, continuous network monitoring, identity management, network segmentation, and more. Finally, don’t forget the people aspect of cybersecurity: employees should be taught to understand the security risks associated with IoT, and how to use systems and devices safely.
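As an added illustration of the controls listed above (not code from the original article), the following script audits a constructed IoT asset register against them: it flags devices on outdated firmware, still on factory default credentials, sitting on an unsegmented VLAN, or sending traffic in the clear, and it reports any device seen on the network that is missing from the register (the shadow IoT visibility gap). All vendor names, firmware versions, MAC addresses and VLAN names are hypothetical sample data.

```python
from dataclasses import dataclass


@dataclass
class Device:
    mac: str
    product: str
    firmware: str
    vlan: str
    default_creds: bool   # still using the factory username/password
    tls: bool             # management/data traffic encrypted in transit


# Constructed sample data: an IoT asset register plus the MAC addresses that a
# network discovery scan observed. Products, versions and VLANs are hypothetical.
REGISTER = [
    Device("00:11:22:00:00:01", "smart-tv", "2.1.0", "iot", False, True),
    Device("00:11:22:00:00:02", "kettle", "1.0.3", "corp", True, False),
    Device("00:11:22:00:00:03", "camera", "4.2.1", "iot", False, True),
]
LATEST_FIRMWARE = {"smart-tv": "2.1.0", "kettle": "1.2.0", "camera": "4.3.0"}
SEEN_ON_NETWORK = {"00:11:22:00:00:01", "00:11:22:00:00:02",
                   "00:11:22:00:00:03", "00:11:22:00:00:09"}
IOT_VLANS = {"iot"}   # VLANs reserved for segmented IoT traffic


def version_tuple(version: str) -> tuple:
    """Turn a dotted version string into a comparable tuple of integers."""
    return tuple(int(part) for part in version.split("."))


def audit_device(dev: Device, latest: dict) -> list:
    """Return the list of control failures for one registered device."""
    findings = []
    current = latest.get(dev.product)
    if current is None:
        findings.append("no-vendor-firmware-baseline")
    elif version_tuple(dev.firmware) < version_tuple(current):
        findings.append(f"outdated-firmware:{dev.firmware}<{current}")
    if dev.default_creds:
        findings.append("factory-default-credentials")
    if dev.vlan not in IOT_VLANS:
        findings.append(f"unsegmented:vlan={dev.vlan}")
    if not dev.tls:
        findings.append("cleartext-transport")
    return findings


def audit(register: list, seen: set, latest: dict) -> dict:
    """Audit every registered device and flag unregistered devices seen on the network."""
    report = {dev.mac: audit_device(dev, latest) for dev in register}
    for mac in sorted(seen - {dev.mac for dev in register}):
        report[mac] = ["unregistered-device"]   # shadow IoT: on the network, not in the register
    return report


if __name__ == "__main__":
    for mac, findings in audit(REGISTER, SEEN_ON_NETWORK, LATEST_FIRMWARE).items():
        print(mac, "OK" if not findings else ", ".join(findings))
```

In practice the register would be exported from the asset management tool and the firmware baseline pulled from vendor advisories, with the audit scheduled to run alongside patch management so that regressions show up quickly.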
This is the way to gain most value from any IoT initiatives, without exposing the enterprise to unnecessary extra risk. It takes just one serious security breach to undermine the innovation-powered growth so vital to the success of the modern digital business.