IoT security is not an oxymoron

The growing number of Internet-connected devices open organizations up to additional cyber vulnerabilities. Nonetheless, almost half of IT decision-makers and security decision-makers say that cybersecurity is an afterthought when implementing more Internet-of-Things (IoT) devices into corporate networks.

According to IoT Analytics, the number of installed IoT devices will increase from roughly 7 billion today to over 21 billion by 2025. The opportunities for various parties to effect data breaches due to more vulnerabilities will grow correspondingly.
Examples of IoT devices include:

1. Consumer: thermostats, smart home systems, cameras, appliances, cars.
2. Business: process control sensors, computing infrastructure components, physical access systems, cameras.
3. Government: cameras, traffic control, infrastructure monitoring sensors.

To reduce the added cybersecurity risks your growing number of IoT devices are introducing, implement the actions below.

Risk of IoT devices

IoT devices can be particularly risky because they typically sit where the digital world meets the physical world. As a result, hacking into IoT devices can have dangerous real-world consequences. Infrastructure hacking examples include damaging electricity generating stations, water processing plants, oil & gas refineries, railroads.
The major consequences of an IoT data breach are:

1. Loss of customer trust leading to loss of reputation, sales and closed accounts.
2. Financial loss caused by a ransomware payment.
3. Financial cost to restore normal operation after a fire, explosion or manufacturing facility outage.
4. Extended loss of business continuity leading to bankruptcy.
5. Financial cost of fines levied by regulators for data privacy breaches.

Examples of data breaches

Recent examples of data breaches, initiated via compromised IoT devices, include:

1. Casino Data Leak. Via a Wi-Fi-connected aquarium smart thermometer, hackers gained access to the corporate network, retrieved data about high-paying customers, and then extracted the data back through the temperature sensor and into the cloud.
2. Equifax was hacked for credit information of about 143 million consumers. This hack was successful due to an Apache Struts vulnerability that was a months-old issue that Equifax knew about but failed to fix.
3. Mirai malware recruited vulnerable Linux IoT devices into botnets to then deliver major DDoS attacks that crashed multiple websites. The malware searched for IoT devices still using the factory default usernames and passwords.
4. Dallas, Texas city-wide sounding of all 156 emergency sirens in the middle of the night. This hack sent a fake instruction through the radio control system for the sirens.
5. Orvibo is a Chinese company that operates an IoT smart home device management platform. The company left a database containing detailed information for over one million customers exposed to the Internet without any password to protect it. This hack only required typing a simple URL into the browser address line.

Benefits of IoT devices

The benefit of business IoT devices, through the data they collect, is an enhanced ability to improve business performance as well as product and service capability.

The rapid growth in IoT devices is occurring because IoT devices provide organizations with easy access to vast amounts of data about the:

1. Health and performance of their own processes. Examples include supply chain, distribution or manufacturing.
2. Effectiveness of their products in the hands of customers. Examples include frequency of use, outages or looming problems.
3. Performance of their internal systems. Examples include throughput, crashes, common errors or data quality.

Management actions to reduce IoT risk

Management actions that will reduce risk of data breaches or facility damage arising from compromised IoT devices include:

1. Don’t wait for a serious data breach incident to occur before taking proactive action to reduce risk.
2. Broaden the responsibility of security professionals (CSO/CISO) to include security of mobile and IoT apps. Many of these individuals tend to focus on firewalls, servers, workstations and routers.
3. Provide sufficient resources for security professionals to perform logging, monitoring and reporting tasks for the computing infrastructure.
4. Avoid excessive pressure on development teams to release apps quickly. This pressure causes inadequate development and testing of security features.
5. Strengthen processes and systems to track and manage IoT devices.

Technical actions to reduce IoT risk

Technical actions that will reduce risk of data breaches or facility damage arising from compromised IoT devices include:

1. Patch all devices expeditiously as software vendors provide such patches. Malware creators follow the patch announcements of software vendors carefully because most of these announcements describe a vulnerability that malware creators can exploit. The WannaCry ransomware attack is an excellent example.
2. Protect against malicious activity by operating with the latest antivirus and antimalware capabilities.
3. Operate with strong authentication.
4. Change all factory default usernames and passwords. These values are widely known because all IoT devices are shipped with them for ease of setup.
5. Stamp out the “if it ain’t broke, don’t fix it” attitude that allows vulnerabilities to persist.
6. Scan backups regularly to ensure they’re complete and unencrypted.
7. Protect IoT devices against unauthorized physical access.
8. Don’t buy IoT devices that lack the capability to be patched.
9. Close Telnet ports especially since most organizations have switched to SSH for more secure remote command-line, login, and remote command execution.

How should you respond when your app developers ask for more time to test a new app for security vulnerabilities? What should you say when your security staff ask for more budget to check IoT devices for security vulnerabilities? Let us know in the comments below.