Burned by the Internet of Threats
© Shutterstock / aapsky
IoT is one of the hottest trends in tech right now. But as businesses rush to the Internet of Things, they need to take care. As Christian Buhrow explains, when companies push IoT to production too quickly, security features are all too often forgotten to potential catastrophic results.
The Internet of Things (IoT) is a hot topic, and for good reason. Businesses across multiple verticals see its potential to streamline and accelerate everything from production to payment processing, as well as tap into new sources of consumer demand. In the rush to capitalize on IoT’s potential, however, many companies push IoT offerings to production too early, without implementing critical security features. Without these, suppliers and customers may get burned.
The issues are significant. Stolen identities, credit card fraud, and leaked insurance information or medical records are just the tip of the iceberg but the damage could run deeper. Comparatively, IoT breaches in the infrastructure, manufacturing, and healthcare sectors may not be as pervasive, but the possibilities are terrifying.
The damage inflicted by the STUXNET cyber attack on the Iranian nuclear program demonstrates attacks against critical infrastructure projects that can have a major national impact. A large-scale breach in a hospital setting could shut down critical testing and diagnostic equipment, delaying patient care and leading to life-threatening outcomes. These environments more closely resemble the Internet of Threats, not things.
The lessons learned from the STUXNET attack, not to mention the explosion of sophisticated IT security threats like the recent WannaCry ransomware is that an IoT breach is inevitable. But while native IoT security catches up to the hype, there are things businesses can do to reduce their risk.
Steps to reduce the risk of cyber attacks
The first step is to gain visibility, as you can’t manage what you can’t see. This is even truer for IoT, a connected fabric of devices and systems that lack native auditing and accountability among one another. If you can’t understand the interactions between these devices, you have no control. Monitoring and performance management technologies that leverage the network as a data source see all interactions between IoT devices and other systems. Look for offerings that are real-time, focusing on IT analytics, not packet capture.
It is important to remember that visibility should extend to all users and consumers can’t be left in the dark either. They need to make themselves aware of the risks to their privacy when they opt into IoT-based devices. And businesses need to help them with clear warnings about the risks, and simple steps to keep devices locked down.
Another critical step is to ensure that IoT systems are standardized on what protocols and encryption levels are acceptable. While hacking a neighbor’s Bluetooth-enabled speaker system is annoying, it has nowhere near the impact of an Iranian centrifuge spinning out of control, or a hospital unable to perform diagnostic testing or administer life-saving treatments.
It is vital to regularly test IoT devices for security weaknesses and continually patch systems as new updates arrive. However, this is not always possible as in the rush for the IoT goldmine; some vendors are launching immature products, some with known vulnerabilities, and then simply ignoring newly discovered issues in favor of trying to sell a new product. Keeping up to date with security bulletins related to new IoT issues is critical.
Like any new software-based technology, there are always going to be a few vulnerabilities that emerge and it’s only a matter of time before your organization becomes a target. You must be prepared. With Cisco claiming that there will be 50 billion IoT devices by 2020, it’s not an issue that is going away anytime soon. Everything you can do to minimize damage to your organization, customers, and brand, the better.