The Internet of Things (IoT) is a powerful boon for businesses. But it also represents a massive potential expansion of the cybersecurity attack surface. So far, the inclusion of IoT in many organizations has been poorly organized, haphazard, and poorly planned. This must change. After all, IT security depends on the security of the IoT.
Why IoT Security Matters
The IoT brings many benefits including lowering costs, improving efficiency, improving security, improving customer service and more.
IoT makes dumb and disconnected devices smart and connected, including thermostats and coffee makers. It adds sensors for tracking things like trucking, warehouses and shipping, as well as connected monitoring of critical infrastructure. And, of course, it makes new business models possible. IoT systems are the concept of a smart building.
By nature, IoT devices connect to the internet. And, by nature, IoT security issues arise when a malicious actor or bot gains access to these devices, or intercepts or interrupts their connection to the network.
Anything connected to the Internet or corporate networks can be a backdoor to the connected network. If you ignore the processing power of devices and focus only on the fact of connectivity, IoT increases the number of devices connected to the network tenfold, i.e. increases the attack surface.
The function of most IoT devices is to capture data of some sort and transmit it somewhere. This increases the amount of data that is circulated, stored and processed, which creates more potential risks.
To many, adding all those little, low-wattage devices may seem like a no-brainer. But for security personnel, they represent a massive increase in attack surface, data to manage, data flow over networks, and potential physical attack targets.
IoT security is about both the device itself – protection against physical cyber attacks – and the protection of networks, systems, applications and data to which it could provide a gateway.
Notable IoT attacks
You might be thinking about the security of IoT when planning a new line of warehouse sensors, installing tracking on the corporate fleet, or adding a new system. video surveillance. In cases like this, it can be hard to imagine how these tiny sensors could lead to a cyber attack. It is therefore useful to come back to three that really happened.
The attack that took over a jeep
A team of researchers in 2015 not only managed to gain access to a Jeep’s computer systems, but were able to control the car as well. They did this by accessing the car’s CAN bus via a firmware update vulnerability. They could have speeded up the car, slowed down, or pulled off the road in a ditch, all out of the driver’s control.
The IoT botnet that broke the internet
In 2016, the world’s largest direct denial of service (DDoS) attack was launched against a service provider called Dyn using an IoT botnet using malware called Mirai. The Mirai botnet has infected PCs, pulling them into service to track down vulnerable IoT devices. Once they found one, they used known default usernames and passwords to log in and infect it with malware. Many of these devices were cameras. When the DDoS attack happened, it brought down major sites like Netflix, Reddit, and CNN.
The IoT Aquarium security flaw that exposed a casino
The first large-scale and flashy IoT attack returned in 2017 when attackers gained access to a casino’s network through a thermometer connected to an aquarium in the lobby. From there, the attackers gained access to a “high-roller” database. Although the details have been kept private, reports reveal that the attackers transferred around 10 GB of data to a device in Finland.
Each of these examples shows a very different outcome of a lack of IoT security. The first shows how controlling IoT devices themselves can cause damage. (This is a particular risk with medical devices.) The second shows how attackers can exploit large numbers of IoT devices to perform DDoS attacks, and all in an automated fashion. And the third example, the one that most concerns businesses, is how a single device can act as a gateway to the corporate network.
How to include IoT security from the start
IoT security solutions aren’t something you use after the fact. Build your IoT infrastructure securely from scratch. Here are a few ways to do it:
- Choose the right products. Buying secure IoT devices takes some research as the industry still lacks universal standards and certifications. Look for reputable suppliers with an excellent reputation for safety.
- Avoid unnecessary capabilities and features. If you don’t need USB ports, for example, avoid them. Any function which could give access to the device, but which you will not need, should be avoided.
- Isolate your IoT devices as much as possible from the network. Consider using Wi-Fi networks only for IoT devices. Use perimeter network firewalls. Set up as many roadblocks as possible for potential attackers.
- Make sure tampering is difficult and will be detected with alerts.
- As in the restaurant industry, location is key with IoT security. You can install IoT devices indoors and surround them with physical security; you can place others in the open where the public has access (and everything in between).
- Make sure you physically keep the IoT device credentials and their authentication keys.
- Make sure you have a clear update schedule and update when new fixes become available.
- Audit devices on a schedule – and after an incident – for safety status.
- Use a centralized approach to give you visibility across all network devices.
- Always change the default passwords and replace them with strong passwords. Or, better yet, embrace public key infrastructure security instead.
- Use endpoint and network discovery tools.
- Use encryption or digital certificates to secure data streaming from IoT devices.
- Make sure you develop and enforce strong cybersecurity policies around IoT.
- Document your policies and procedures on what to do in the event of a cyber attack.
- Use intrusion detection systems and intrusion protection systems.
- Include your IoT infrastructure in vulnerability scans, penetration testing, and red team exercises.
IoT security is a profession and an art. But above all, it’s about covering all the bases and using the best tools and practices at our disposal to limit the capacity and access of each device to its intended function.