“Smart” connected devices are just about everywhere these days. From wearable health monitors to autonomous appliances and sensor-enabled logistics tracking systems, the Internet of Things (IoT) is quickly becoming embedded into industrial processes, transportation systems, municipal infrastructures, healthcare facilities and the homes of consumers.
Technologists estimate that 127 new IoT devices are being connected to the internet every second, with the total number of active device connections poised to approach 14 billion by the end of 2021. These physical objects with digital connectivity rely on software, embedded sensors and wireless communication protocols to transmit data to remote computing systems (usually in the cloud), where the data can be analyzed and the devices programmed to perform a variety of functions.
Though the term “Internet of Things” was coined over two decades ago, it’s only in the past few years that the technology has truly caught on in the global marketplace. Today, however, it can be challenging to find certain types of consumer devices (think air conditioners or garage door openers) that don’t have any digital connectivity. As many as 30% of the devices currently connected to enterprise networks are IoT-enabled.
The widespread adoption of the IoT brings numerous benefits to businesses and consumers alike. Intelligent sensor-enabled devices enable greater efficiencies in production processes and supply chains. Their use can lower costs, save time and energy, and improve product performance.
IoT Cybersecurity Challenges
However, as more and more of these devices come online, these are mounting concerns about their security. By nature, having large numbers of “smart” devices interacting with a network has the potential to increase its attack surface, especially if security teams aren’t keeping track of how these devices communicate, what risks they pose or how they’re expected to behave.
The issues are complicated by the fact that many traditional IT security controls and technologies don’t work for IoT devices. It’s impossible, for instance, to run antivirus software on an IoT-enabled HVAC system controller because the equipment lacks the necessary processing power. Its firmware may be difficult if not impossible to patch when security vulnerabilities are discovered within it. And the strong passwords and other access controls that protect IT assets usually aren’t extended to cover IoT devices.
What’s more, the majority of these devices were not designed with security in mind. Because this is an emerging technology, regulations governing IoT security are still in their infancy. Without pressure from legislators, manufacturers have felt little incentive to boost IoT devices’ built-in security or even disclose information about known vulnerabilities to consumers.
Tips for Protecting Your Organization
Given the complexity of the current IoT security landscape, how can you mitigate the risks that these devices may pose to your business? We recommend that you take the following steps:
#1: Be an advocate for stronger IoT security and ask the right questions.
Far too few consumers consider a device’s security features something that’s important to evaluate as part of the purchasing decision. In order for the current climate — in which built-in vulnerabilities are mostly ignored — to change, public awareness of these risks must increase.
For security professionals tasked with protecting their organizations’ IT environment, it’s especially important to understand what’s connected to the network. Ask questions of vendors you work with, whether they’re installing HVAC systems or smart lightbulbs. Understand the capabilities of all the smart and not-so-smart devices in your environment. How do they connect to the internet? What protocols do they use? Do they store any data locally? Do they leverage any sort of encryption when they communicate?
#2: Make sure you can identify all internet-connected devices in your organization.
Device discovery is a critical part of improving your IoT security posture, since you can’t protect things you don’t know about. As consumer-grade IoT devices become increasingly commonplace, the possibility that employees will bring smart speakers into the office or set up a new connected coffeemaker in the break room without your knowledge increases accordingly.
Without investigating, you can’t know how secure these devices are or where they’re sending data on your employees’ taste in music or coffee consumption.
#3: Segment your network based on risks and consider isolating IoT devices from business-critical systems.
Consider creating a segregated network for inherently insecure devices that’s isolated from sensitive customer and corporate financial information. In order for this strategy to be successful, however, you’ll have to weigh the security benefits of such logical isolation from any loss of device functionality that it might cause. The primary benefit of automating industrial processes is that you can analyze production data in real time — a benefit that’s lost without extensive connectivity. On the other hand, your smart coffeemaker might still brew an excellent cup of joe even if deprived of its ability to talk to your phone.
#4: Think about the bigger picture when evaluating IoT security risks.
Nation-state level attackers capable of turning a single smart lightbulb on and off couldn’t do much damage, but what if they became able to do this on a city-wide or regional scale?
The same principle is at work in distributed denial-of-service (DDoS) botnet attacks. These attacks harness the processing power and remote communication capabilities of large numbers of connected devices to flood a target with enormous volumes of illicit traffic, which can bring down servers or otherwise disrupt operations. In isolation, a single compromised security camera poses little danger. Bring together more than 25,000 of them, and you’ve got the power to overwhelm any web server.
Today’s criminals are more likely than ever to be thinking about ways to cause harm on a large scale. To protect your organization, it’s important to consider the small but significant role that your connected devices could play in this sort of attack.
Want to hear more of our best thinking on how to protect your organization from today’s latest threats? Check out our latest blog articles.