Way before IoT security was on everybody's mind, something happened in late 2016 that was straight out of a sci-fi movie: the Internet went down. Well, only parts of it, but it was pretty big. So big, in fact, that it has been described as the biggest DDoS attack in history. A DDoS (Distributed Denial of Service) attack is used to bring Internet sites and web servers to a standstill.
This attack was so massive that it took down sites like Twitter and Spotify. The attack utilized a ‘botnet’, a collection of Internet-connected, malware-infected devices, and became known as the Mirai botnet. The botnet infected 150,000 Internet of Things (IoT) devices and turned them into slaves.
The Mirai DDoS attack was able to work on this large scale because of the IoT.
Over the last ten years or so, business computing has changed beyond recognition. Our once controlled enterprise perimeters have been smashed by Cloud computing. And now, we are seeing even this expanded perimeter becoming ever fuzzier, as devices become connected up through distributed computing. Edge computing is the new perimeter, but it has no defined edge.
The end result of this movement is to create amazing innovation in communications and plenty of big data to optimize our services. According to research by Business Insider, there will be 55 billion IoT devices, and an investment of $15 trillion, by 2025.
With yin comes yang. The IoT, as well as generating big data, opens up the attack surface to cyberthreats, and that surface is massive and growing. And, as business embraces the technology, attacks on our data and infrastructure are at an all-time high.
A survey by the Ponemon Institute has found that 70 percent of respondents were very concerned about the security of IoT devices. This isn't surprising when you see further research by Thales which shows that 94 percent of organizations are implementing IoT devices within a climate where 67 percent of companies are breached.
The Mirai botnet attack was an example of where poor IoT security had dire consequences. Here are a few others that demonstrate some of the security issues of IoT devices:
The security flaw behind many IoT device hacks has been the humble password.
Researchers at Ben-Gurion University looked at a number of devices and found that the default passwords were being made available online for all to see. Hacks that use guessable or well-known default passwords include baby monitors, and the devices behind the Mirai botnet. In Q1 of 2018, malware infection of IoT devices grew 3-fold, mainly because of password brute-force. In California, this situation is being legislated for with Senate Bill No. 327 coming into force in 2020. This bill will require IoT manufacturers to apply “Security by Design” to their IoT devices.
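Two defender-side checks follow from this paragraph: catching devices that still run on a factory default, and spotting the password brute-force that turns those defaults into infections. The code below is an added example, not code from the original article or from any vendor named in it. The set of factory credentials, the device inventory and the authentication log lines are all constructed for the example; a real deployment would use the vendors' published defaults and the devices' own log format.

```python
"""Default-credential audit and brute-force detection for an IoT fleet."""
import re
import secrets
from collections import defaultdict, deque
from datetime import datetime

# Constructed set of (username, password) factory defaults.
KNOWN_DEFAULTS = {
    ("admin", "admin"),
    ("admin", "1234"),
    ("root", "root"),
    ("user", "password"),
}

# Constructed device inventory: one device never had its default changed.
SAMPLE_DEVICES = [
    {"id": "cam-01", "user": "admin", "password": "admin"},
    {"id": "cam-02", "user": "ops", "password": "q7Vt-constructed-unique-pw"},
]


def is_default_credential(username: str, password: str) -> bool:
    """True if the pair matches a known factory default."""
    return (username, password) in KNOWN_DEFAULTS


def audit_devices(devices):
    """Return the IDs of devices still using a factory-default login."""
    return [d["id"] for d in devices
            if is_default_credential(d["user"], d["password"])]


def provision_password(nbytes: int = 20) -> str:
    """Unique per-device password, as a 'Security by Design' first-boot step.

    Uses the OS CSPRNG so no two devices share a credential.
    """
    return secrets.token_urlsafe(nbytes)


# Constructed authentication log in a simple syslog-like layout.
AUTH_LOG = """\
2018-03-01T10:00:01Z cam-01 auth: FAILED login user=admin from=198.51.100.7
2018-03-01T10:00:02Z cam-01 auth: FAILED login user=admin from=198.51.100.7
2018-03-01T10:00:03Z cam-01 auth: FAILED login user=root from=198.51.100.7
2018-03-01T10:00:04Z cam-01 auth: FAILED login user=admin from=198.51.100.7
2018-03-01T10:00:05Z cam-01 auth: FAILED login user=user from=198.51.100.7
2018-03-01T10:00:06Z cam-01 auth: SUCCESS login user=admin from=198.51.100.7
2018-03-01T10:02:00Z cam-02 auth: FAILED login user=ops from=10.0.0.5
2018-03-01T10:05:00Z cam-02 auth: SUCCESS login user=ops from=10.0.0.5
"""

LOG_RE = re.compile(
    r"^(\S+) (\S+) auth: (FAILED|SUCCESS) login user=(\S+) from=(\S+)$")


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag (device, source) pairs with >= threshold failures inside the window.

    A later success from a source that already crossed the threshold is
    reported separately: a guessed password most likely worked.
    """
    recent = defaultdict(deque)   # (device, source) -> recent failure times
    flagged = set()
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue              # ignore lines the parser does not understand
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        device, outcome, user, src = m.group(2), m.group(3), m.group(4), m.group(5)
        key = (device, src)
        if outcome == "FAILED":
            q = recent[key]
            q.append(ts)
            # Drop failures that fell out of the sliding window.
            while q and (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and key not in flagged:
                flagged.add(key)
                findings.append({"type": "brute_force", "device": device,
                                 "source": src, "failures": len(q)})
        elif key in flagged:
            findings.append({"type": "success_after_brute_force",
                             "device": device, "source": src, "user": user})
    return findings


if __name__ == "__main__":
    print("devices on factory defaults:", audit_devices(SAMPLE_DEVICES))
    for finding in detect_bruteforce(AUTH_LOG):
        print(finding)
```

The threshold and window are tuning knobs: cameras and sensors rarely see many human logins, so a low threshold over a short window produces few false positives, and the "success after brute force" finding is the one worth paging on.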
The IoT is, by default, connected. This means that any data sent from a device to the Cloud, or from device to device, needs to be protected. This isn’t always the case, yet encryption and authentication are the basics of IoT security.
You can imagine the state of play if your vendor network is IoT-enabled and your encryption and authentication measures are lacking.
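What "authentication" of device-to-cloud data means in practice is shown below: each device signs its telemetry with a per-device key and a message counter, and the cloud side rejects anything tampered with or replayed. This is an added example, not code from the original article; the device ID, the key and the readings are constructed, and the per-device key is assumed to have been provisioned at manufacture and registered in the cloud. Encryption of the payload itself (for instance TLS on the link) would sit alongside this and is not shown.

```python
"""HMAC-authenticated telemetry with replay protection, device and cloud sides."""
import hashlib
import hmac
import json

# Constructed per-device secret, provisioned at manufacture and held in the
# cloud's device registry. Every device gets its own key.
DEVICE_KEYS = {
    "sensor-17": bytes.fromhex(
        "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"),
}


def _canonical(device_id, counter, payload):
    """Deterministic bytes covering everything the MAC must protect."""
    return json.dumps({"device": device_id, "counter": counter, "payload": payload},
                      sort_keys=True, separators=(",", ":")).encode()


def _tag(key, device_id, counter, payload):
    return hmac.new(key, _canonical(device_id, counter, payload), hashlib.sha256).hexdigest()


class Device:
    """Device side: sign each message with the device key and a monotonic counter."""

    def __init__(self, device_id, key):
        self.device_id = device_id
        self.key = key
        self.counter = 0

    def send(self, payload):
        self.counter += 1
        return {"device": self.device_id, "counter": self.counter, "payload": payload,
                "tag": _tag(self.key, self.device_id, self.counter, payload)}


class CloudReceiver:
    """Cloud side: verify the tag first, then enforce a strictly increasing counter."""

    def __init__(self, keys):
        self.keys = keys
        self.last_counter = {}

    def receive(self, msg):
        """Return (accepted, reason)."""
        key = self.keys.get(msg.get("device"))
        if key is None:
            return False, "unknown device"
        expected = _tag(key, msg["device"], msg["counter"], msg["payload"])
        # Constant-time comparison so the check does not leak tag bytes.
        if not hmac.compare_digest(expected, msg.get("tag", "")):
            return False, "bad tag"
        if msg["counter"] <= self.last_counter.get(msg["device"], 0):
            return False, "replay"
        self.last_counter[msg["device"]] = msg["counter"]
        return True, "ok"


def demo():
    """Run one genuine message, a replay, a tampered copy, a second genuine
    message and a message from an unregistered device; return the verdicts."""
    dev = Device("sensor-17", DEVICE_KEYS["sensor-17"])
    cloud = CloudReceiver(DEVICE_KEYS)
    results = []
    m1 = dev.send({"temp_c": 21.5})
    results.append(cloud.receive(m1))                         # accepted
    results.append(cloud.receive(m1))                         # same counter: replay
    results.append(cloud.receive(dict(m1, payload={"temp_c": 99.0})))  # tag no longer matches
    results.append(cloud.receive(dev.send({"temp_c": 21.7})))  # accepted
    results.append(cloud.receive({"device": "rogue", "counter": 1, "payload": {}, "tag": ""}))
    return results


if __name__ == "__main__":
    for accepted, reason in demo():
        print(accepted, reason)
```

The counter is the cheap part that is most often left out: without it, a valid message captured on the wire can be fed back to the cloud indefinitely, with a perfectly good signature.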
Armis recently identified a Bluetooth vulnerability, “BlueBorne”, which is based on a number of zero-day vulnerabilities, i.e. software flaws that the manufacturers were not yet aware of. The vulnerability means that billions of devices that use Bluetooth to connect are open to data exposure or malware infection.
The IoT is setting organizations new challenges around compliance too. Data privacy has become an important issue.
Regulations such as the EU’s General Data Protection Regulation (GDPR) have been designed to take modern hyper-connected computing into account. In California, the California Consumer Privacy Act (CCPA) also sets out a data privacy agenda.
High stakes are at play with large fines for non-compliance. The IoT opens up new challenges around data exposure and compliance, with regulatory requirements such as the GDPR “Right to be forgotten”. When personal data is dispersed across multiple endpoints, data management and asset mapping can become onerous.
The above shows 4 of the most common IoT security and privacy issues. However, you can see more in the work of the Open Web Application Security Project (OWASP), which keeps track of IoT security issues in its Top Ten IoT Vulnerabilities report.
As with everything in business, with every benefit, there is a challenge.
The IoT is no exception. The security issues of the IoT are real and we cannot ignore them. However, the benefits of the IoT in business mean that the market for IoT devices is strong.
The Industrial Internet of Things (IIoT) for example, which allows industry to control and optimize industrial systems, is predicted to be worth $232 billion by 2023. Healthcare IoT devices will be worth a healthy $268 billion by 2023. The IoT is touching every aspect of our businesses. Vendor ecosystems are becoming increasingly dependent on the ease of communication offered by the IoT.
But, all of this connectivity and data sharing across disparate systems comes at a price and that price is ensuring security and privacy.
►Tip: If you’d like to better understand, evaluate and meet your various privacy obligations (such as GDPR, PIPEDA or the CCPA), you may want to conduct a Privacy Impact Assessment.
Our company data, Intellectual Property, and IT infrastructure are impacted when IoT security is not robust. Let’s have a look at some of the areas that we need to think about when we use Internet-enabled devices and systems:
If your company manufactures Internet-enabled products, or your products are in any way reliant on Internet-enablement, then you need to consider your customers’ expectations.
In a CapGemini survey into the impact of IoT cybersecurity on consumer choice, they found that 71% of executives believe purchase decisions are influenced by security concerns. This isn’t surprising in a climate where data breaches and other hacks regularly make the headlines.
The 2017 IP Commission Report found that the cost to the US economy of “economic espionage” via hacking could be as high as $400 billion a year. Internet-enabled vendor networks and the IIoT can mean that company sensitive data and Intellectual Property are regularly shared across external networks.
For example, Internet-connected printers have been shown to be vulnerable to attack, with many well-known brands open to hijacking. But it isn’t just printers: any connection that is not secured is open to hacking.
The mass of data that the IoT generates helps us to innovate and improve productivity. But this also opens up data security and privacy compliance nightmares.
To ensure compliance is met, we need to know what we are dealing with.
Hitting regulation tick lists means being able to map assets and data. The IoT across remote locations makes this more complex. Add in vendor ecosystems and remote workers and the challenge is even greater. Regulations are tightening up around areas such as breach notifications, where time to notify is decreasing and fines increasing.
Keeping tabs on data across a complicated life cycle with multiple endpoints is a challenge in maintaining inventory and data asset registers. When industrial systems like SCADA and ICS units are Internet-connected, data can be at risk if security is not hardened across the entire expanded network.
This was the case when a U.S. water treatment plant was breached and 2.5 million customer data records, including financial details, were exposed. The attack also affected the water supply.
A study has shown that 70 percent of workers are working remotely at least one day a week.
When they are out of the office, they connect back using connected devices. Digital assistants are likely to become a means of connecting back to work too, as Amazon and Google have opened up funds for innovation in the use of the devices.
Remote working is another area that is expanding company IT assets and making data lifecycle management more onerous.
Gartner predicts that by 2020, 25% of all cyber-attacks will be IoT based.
As we add connected devices to our corporate communications and data sharing, we need to make sure that they meet the needs of a modern world where cybercriminals are looking for new ways to hack our organizations.
All is not lost, however, and in our next article we will look at 10 tips to secure the IoT.