By Richard Blech, CEO of Secure Channels Inc.
The rise of connected devices has led to new challenges in today’s cybersecurity landscape. With an increase in device threats and the population of cybercriminals, IoT security has quickly become a top concern for businesses worldwide. If organizations want to continue to innovate, they will need to invest in the growth of their network, adapt to change and position IoT security as a key priority in their cybersecurity playbook. They need IoT to produce data about their products or services, to control processes more efficiently and to vastly improve customer experiences. It’s here to stay — even with all of its inherent flaws.
It’s a numbers game
The sheer number of connected devices simply provides more attack vectors and opportunity. The industry has only recently woken up to the need for improved security for this growing behemoth, which poses significant risks. Gartner predicts there will be more than 20 billion connected things by 2020, a number that is now looking conservative, as companies within all verticals see the potential for connected data. All of these things, from sensors on tractors to smart door locks or environment monitoring sensors, are potential targets for exploits and gateways to networks and information.
The stakes are rising
In the acclaimed series Mr. Robot, hackers exploit temperature sensors in a server room to cause an explosion. While fictional, the premise underscores the risks that are present when IoT devices control the physical environment. Sensors manage temperature, humidity, chemical levels in manufacturing and a host of other physical levels that must be expertly controlled. Consider an IV drip armed with a sensor that controls the amount of medication a patient receives based on attached body sensors. An exploit and subsequent error to that type of machine would be disastrous.
The stakes are high, and security controls for IoT must exponentially increase in order to provide the right protections. Previous data breaches could be damaging to the brand and cause financial harm, but they didn’t involve actual physical safety. IoT connections that relate to personal safety or possible harm are now ripe targets for hackers looking to collect ransom, or even for terror organizations searching for remote attack methods.
New data is produced
IoT-produced data is also becoming more and more valuable. Cities use traffic management data to plan construction routes. Health insurers use connected data to determine coverage levels and other adjustments. Product manufacturers might be pulling in invaluable user data from their connected things — data that would release trade secrets if exposed.
And the data itself is more “open” and designed to be collaboratively shared. In a traditional network, the data is tied to a certain application, so you get the classic silos where information is used, but not shared. IoT creates data from measuring, sensing and so forth, but the data could then be used by a wide range of departments and people. While its openness is necessary for modern businesses, it also means there is much more exposure to information, which in turn creates vulnerable points that could be open to attacks. There’s also the question of who ultimately owns the data when information is collected about individual customers. For example, does the data on smart thermometer habits belong to the user or the manufacturer? What about blood pressure readings? These types of questions further complicate the security around IoT data.
New types of attack methods
A large business might operate hundreds of connected security cameras. A hacker could find an exploit for the camera and then target the connected router. Through some sleuthing, the hacker could find out the router’s address and other data, and then explore further vulnerabilities. Once the router is compromised, the bad actor may be able to reach a file server and grab valuable data. The problem is that these types of actions are difficult to spot without the right security tools in place. Such possibilities are shifting how firms think about connected devices and the downstream implications of so many avenues into the network. Many IoT devices are also controlled by one-time password systems, which further open them up to exploits. Organizations should utilize the latest password key management tools that require multiple routes of authentication and allow users to use unique resources to create security keys.
The industry will need to produce new technologies, such as encryption protocols, that are perfectly suited for IoT devices and encourage a broader shift towards a security-focused culture. There’s also a pressing need to stem the tide of ransomware by improving patching and updating. Two-factor authentication and the use of biometrics and advanced digital certificates are also needed to restrict access to only authorized users. Senior leaders and IT security professionals need to work together to employ best practices in their corporate environment in order to mitigate threats and attacks. Additionally, technology training is essential for all staff members and should occur early and often to create a front-line defense against hacking exploits that are due to human error. Security solutions typically occur after widespread adoption, as companies are eager to explore functionality, but at the expense of strong security. However, if the 20 to 30 billion coming connected devices are to prove beneficial, then firms need to embrace proactivity.
Find the original article on IoT Agenda here.