The Internet of Things (IoT) broadly refers to devices and equipment that are readable, recognizable, locatable, addressable and/or controllable via the internet. This incorporates physical objects communicating with each other including machine to machine, and machine to people. It encompasses everything from edge computing devices to home appliances, from wearable technology to cars. IoT represents the melding of the physical world and the digital world.
By 2025, it is expected that there will be more than 30 billion IoT connections, almost 4 IoT devices per person on average, which also amounts to trillions of sensors connecting and interacting on these devices (Source: State of the IoT 2020: 12 billion IoT connections, iot-analytics.com). According to The McKinsey Global Institute, 127 new devices connect to the internet every second.
That is a whole lot of IoT devices, and protecting such an enormous attack surface is no easy task, especially when there are so many varying types and security standards on the devices. The prevailing view from a security operations perspective on those billions of IoT devices is that anything connected can be hacked.
The IoT Connectivity Threat
Each IoT device represents an attack surface that can be an avenue into your data for hackers. A Comcast report found that the average household is hit with 104 threats every month. The most vulnerable devices include laptops, computers, smartphones and tablets, networked cameras and storage devices, and streaming video devices, the report found (Source: Cybersecurity report: Average household hit with 104 threats each month – TechRepublic).
Unlike laptops and smartphones, most IoT devices have limited processing and storage capabilities. This makes it difficult to employ anti-virus, firewalls and other security applications that could help protect them. At the same time, edge computing intelligently aggregates local data, making it a concentrated target for sophisticated threat actors. Ransomware can also target applications and data in addition to IoT device hardware. In the third quarter of 2020, Check Point Research reported a 50% increase in the daily average number of ransomware attacks compared with the first half of the year (Source: IoT Security Trends, 2021: COVID-19 Casts Long Shadow, itprotoday.com).
As the rate of IoT attacks grows, especially when trends of remote work and remote offices are factored in, it is important to know and understand the threat landscape. The U.S. General Accounting Office (GAO) identified the following types of attacks as primary threats to IoT:
- Denial of Service
- Malware
- Passive Wiretapping
- Structured query language injection (SQLi controls a web application’s database server)
- Wardriving (search for Wi-Fi networks by a person in a moving vehicle)
- Zero-day exploits
Also, some of the threat actors using the attack methods GAO mentioned are becoming more sophisticated as vulnerabilities and kits are shared on the Dark Web and Web forums. These threat actors include not only hacktivists, but also criminal enterprises and nation states. In addition to knowing the types of threat vectors and attackers, it is also important to explore areas with special implications for IoT cybersecurity:
Supply Chain Vulnerabilities and Endpoints:
The Internet of Things (IoT) exacerbates supply chain vulnerabilities. IoT’s exponential connectivity is an ever-expanding mesh of networks and devices. The increased integration of endpoints combined with a rapidly growing and poorly controlled attack surface poses a significant threat to the Internet of Things. By using the IoT endpoints, hackers can bombard websites with large amounts of traffic requests, which causes the sites to crash. According to a study conducted in April of 2017 by Altman Vilandrie & Company, nearly half of U.S. firms using the Internet of Things have experienced cybersecurity breaches. It is likely that many more firms were victims and did not report breaches (Source: Nearly Half of U.S. Firms Using IoT Hit by Security Breaches – ABFJournal).
With 44 billion IoT endpoints today (and that number is expected to triple by 2025), hackers have many attack options and entries for inserting malware and can also employ DDoS (distributed denial of service) attacks to devastating effect (Source: IoT endpoints 2020: the industries and use cases driving growth, i-scoop.eu).
In fact, in May 2017, a variant of ransomware called “WannaCry” spread swiftly, reaching over 100 countries and thousands of IoT devices. WannaCry disrupted governments and many organizational and company networks that had connectivity to IoT.
Another security challenge is the interaction between OT and IT operating systems, particularly in critical infrastructure. Adversaries have gained a deeper knowledge of control systems and how they can be attacked, and can employ weaponized malware. The connectivity driven by the adoption of the industrial internet of things and operational technology has further expanded the attack surface, and energy infrastructure operators should implement “security by design” to counter cyber threats (Source: GovCon Expert Chuck Brooks: Security by Design Needed to Safeguard Energy Infrastructure from Cyber Attacks, govconwire.com).
Every form of cybersecurity attack method can apply to the IoT ecosystem, including IT and OT. In the future, IoT connected by 5G will increase connectivity, speed, performance, and capacity, and will necessitate even stronger security for all IoT endpoints.
The Cybersecurity Improvement Act:
The good news is that policy makers are finally recognizing the imperative to protect IoT. Recently the Cybersecurity Improvement Act was passed in Congress: “The Cybersecurity Improvement Act and other guidelines for cybersecurity, device identity and encryption provide an additional compliance layer that forces OEMs in other industries like medical devices, automotive and critical infrastructure, to design secure products to support vulnerability reduction during operation. The Cybersecurity Improvement Act offers guidelines specific to the use of IoT and the management of security vulnerabilities. (Source: Cybersecurity Improvement Act signed into law inching IoT toward more robust security | Security Info Watch)
IoT Cybersecurity Readiness: Potential Solutions and Services
A risk management approach is fundamental to anything involving security, whether it be physical or digital. The IoT combines both those elements. A significant part of cyber-securing IoT involves understanding what is connected in the IoT landscape, knowing how to best protect the most important assets, and effectively mitigating and remediating security incidents and breaches. Based upon a risk management architecture, there are a variety of solutions, services, and protocols for a business or organization to evaluate and consider, as no one size fits all. Below is an example list for the C-Suite, CISOs, CTOs and CIOs to use heuristically to help meet their IoT security challenges:
- Use an established IoT Cybersecurity framework that draws on industry experience and best practices, such as those provided by NIST.
- Do a vulnerability assessment of all devices connected to your network (on premises and remote)
- Create an IoT/Cybersecurity incident response plan
- Compartmentalize IoT devices to minimize attack surfaces
- Add security software, containers, and devices to “digitally fence” network and devices
- Monitor and share threat intelligence
- Scan all software for vulnerabilities in networks and applications
- Update and patch vulnerabilities to both networks and devices
- Do not integrate devices into your network with default passwords and other known vulnerabilities
- Establish privileged access for device controls and applications
- Use strong authentication and perhaps biometrics for access control
- Use machine authentication when connecting to a network
- Encrypt IoT communications, especially for data in transit
- Use strong firewalls
- Use secure routers and Wi-Fi
- Use multi-layered cybersecurity protections, including antivirus software
- Back up all data
- Consider Managed Security and outside subject matter experts
- Consider Cloud security as a service
- Integrate emerging technologies for protections including machine learning/artificial intelligence
- Continually audit and use real time analytics (including predictive analytics)
- Implement security awareness training for all employees
- Be vigilant
Unfortunately, despite all efforts, when it comes to securing IoT, there are no failsafe solutions. It is a daunting challenge. Eventually, deployment of better automated cybersecurity tools enabled by machine learning will greatly reduce breaches. With specific regard to IoT security (and any security), there is an adage that rings true: it is better to be more secure than less secure (and make yourself less of a target). Using a comprehensive risk management approach to understand and mitigate the threats of the Internet of Things can be of major help in that regard by helping to mitigate security gaps. Being more cybersecurity ready should be a priority pursuit for everyone connected.
About Chuck Brooks:
Chuck Brooks, President of Brooks Consulting International, is a globally recognized thought leader and evangelist for Cybersecurity and Emerging Technologies. LinkedIn named Chuck as one of “The Top 5 Tech Experts to Follow on LinkedIn.” Chuck was named as a 2020 top leader and influencer in “Who’s Who in Cybersecurity” by Onalytica. He was named by Thomson Reuters as a “Top 50 Global Influencer in Risk, Compliance,” and by IFSEC as the “#2 Global Cybersecurity Influencer.” He was named by The Potomac Officers Club and Executive Mosaic and GovCon as “One of The Top Five Executives to Watch in GovCon Cybersecurity.” Chuck is a two-time Presidential appointee who was an original member of the Department of Homeland Security. Chuck has been a featured speaker at numerous conferences and events, including presenting before the G20 country meeting on energy cybersecurity.
Chuck is on the Faculty of Georgetown University, where he teaches in the Graduate Applied Intelligence and Cybersecurity Programs. He is also a Cybersecurity Expert for “The Network” at the Washington Post, Visiting Editor at Homeland Security Today, and a Contributor to FORBES. He has also been featured as a speaker and author on technology and cybersecurity topics by IBM, AT&T, Microsoft, General Dynamics, Xerox, Checkpoint, Cylance, Malwarebytes, and many others.
Chuck Brooks on Twitter: @ChuckDBrooks