While self-adjusting lighting levels and remote-conference facilities that simply work make employees’ lives easier, behind the scenes, smart devices have created a new cybersecurity paradigm – one filled with risks that need to be addressed.
As Rahul Lobo, Director, Cyber Solution Lead – Security Architecture, at EY sagely warns: “IoT increases the threat landscape in Cyber due to its pervasiveness across aspects of our lives.” We have even covered the IoT threat as one of our top cybersecurity trends in 2019.
With the number of IoT devices expected to rise globally to 80 billion by 2020, security professionals have a lot more network-connected cybersecurity risk vectors to be concerned about.
We investigate the root risk vectors in the IoT landscape and how cybersecurity professionals are working to mitigate these risks.
What are the major IoT security risks?
- Insecure device-to-cloud interfaces
- Insecure device management (firmware/software update/FOTA/etc.) mechanism
- Use of old/outdated software components across device/edge/cloud
- Weak authentication – authentication protocols as well as credentials (username/password)
- Lack of physical hardening of IoT devices – weak security/credential storage (onboard SRAM/mem/etc.)
- Actual physical security of the device (easy for an attacker to gain access)
Let’s take a closer look at each and what can be done to mitigate the risk involved.
Device to cloud interface risks
This entry/exit point is where transferred data connects to cloud computing resources. For example, as Spyridis says, “devices in the edge by their very nature exist outside the typical perimeter (trusted zone), where most security policies and controls are enforced.”
To be able to sufficiently manage risk beyond internal networking boundaries, we need to come up with policies and procedures surrounding how data transfer is conducted.
Device management risks
IoT devices should not be managed in isolation. Even if we have a set of rules to follow when it comes to purchasing a device, connecting, upgrading, running on a cloud platform, etc., if devices are considered only on a case-by-case basis, it leaves businesses open to risk due to insufficient device insights as a whole. But even when managed as a whole, it’s important to sufficiently oversee security ops.
Spyridis identifies “The core in the IoT topology (as) responsible for managing a large number of devices and the data they produce. The sheer volume of the data makes it possible for attack behaviour to be hidden within the numbers and a single or small group of compromised devices can be used to interrogate the overall topology of the system and identify potential attack vectors that exist with other components within the system.”
Security command and control centres that take a holistic approach help to mitigate this risk. Here, securing the core is integral.
Old/outdated software components
The system software (firmware) that a device runs is a security risk. If device manufacturers aren’t on their toes with security patching once vulnerabilities are discovered, devices are left open to attack.
Trend Micro recently discovered a Mirai botnet variant “targeting smart signage TV and wireless presentation systems commonly used by businesses.” Botnets assemble a large number of network resources (in this case TVs and presentation systems), typically to perform DDoS attacks against businesses. If a patch isn’t released for the device, and management processes can’t catch the malware, you’re at risk. Equally, the software used in the edge/cloud must remain up-to-date.
Automating over-the-air patches and updates can go some way to reducing this risk, as well as shutting down systems or careful monitoring in the event of a discovered vulnerability.
Weak authentication
How can you make sure that a device isn’t easily hacked through its network configuration? Many IoT devices suffer from poor authentication controls, as they have been built for functionality with security a mere afterthought. There’s even the risk of data being captured during transmission if it is left unencrypted over a Wi-Fi network.
There are ways to combat this risk, though. ETSI has released the TS 103 645 standard for consumer IoT devices, so you can check whether a device meets this standard. Other than industry security standards, careful vetting of devices, standard device network configurations, identity management, and scheduled maintenance/scans will go a long way to mitigating authentication risks.
Physical security
Depending on where IoT devices are located, they may also be easily accessed by malicious actors. For instance, if a security camera is set up outside your building, then perhaps someone could come up and physically access the device without too much trouble.
While it may be difficult to contain physical access to devices, increasing their physical security to make them more tamper-proof, or alerting IoT command and control centres to ‘strange’ changes to an IoT device in a relatively insecure physical location, can help to mitigate risk.
Dedicated IoT cybersecurity management plans are the answer
It’s not enough to slot IoT cybersecurity management into existing plans and frameworks. The nature of the landscape is simply too different from ‘normal’ IT and network infrastructure.
Spyridis notes what’s necessary for management:
- Comprehensive review of the threat landscape for all projects across device, edge/gateway, cloud and external interfaces/endpoints
- Clearly articulate risks and stages of deployment (dev/POC/trials/production)
- Clearly put in place security failure analysis – what is the cost to business if data is compromised, etc.
So, what does that look like in action? Cybersecurity Consultant Dylan Holloway gives us a glimpse into EY’s cybersecurity framework: “EY teams use strong endpoint protection technology and token based multi-factor authentication on all network connections. In addition to the technical controls, EY teams conduct regular user training and awareness sessions to keep cybersecurity fresh in employees’ minds.”
He notes a need to stay current with industry expertise and best practices, too: “We have acquired specialist firms and individuals to bring in expertise across industries and cyber domains.”
While each company’s framework and plan will be different, there are guides such as NIST’s Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks and the European Union Agency For Network and Information Security’s Good Practices for Security of Internet of Things in the context of Smart Manufacturing that can provide a stable jump-off point for new initiatives.