By Argha Bose, Head Cyber Security and Risk Business, TATA Advanced Systems Limited- Cyber Security Practice
Security risks in the world of IoT or the Internet of Things are constantly on the rise with the growth in its popularity. Although IoT has provided businesses with opportunities to create more value and improve efficiencies, the continual connectivity (along with constant information sharing) has provided adversaries with options to compromise the integrity and confidentiality of sensitive data. Consequently, the risks have grown significantly.
There is a broad range of smart devices available nowadays, which are being widely used by individuals in every business vertical. These connected devices include Alexa-enabled digital assistants, smartwatches/fitness bands, smart bulbs, etc. While, if we talk about IoT technology on the industrial level, multiple organizations had already incorporated IIoT and are reaping its benefits. For instance, Magna Steyr, an Austrian automotive manufacturer, is using the concept of smart factories to offer production flexibility. Also, ABB, a power and robotics firm, is utilizing connected, low-cost sensors to observe the maintenance of its robots to timely repair parts before they go down.
I believe that the adoption of IoT & IIoT will keep increasing with time. It is expected that the total number of IoT devices globally will reach 30.9 billion by 2025 (Source: Statista), while the global IIoT market is projected to reach USD 1.1 trillion by 2028 (Source: Grand View Research). Hence, it becomes important for us to step up and understand the security challenges of IoT technology so that the defence can be strengthened.
IoT: Things of Benefit for Threat Actors
Cyber attacks are not new to IoT, the difference is that they are becoming complex than before along with the increasing IT threat landscape. Threats actors view connected devices as an extremely valuable asset because of several reasons, including:
• Interoperability Issue: Industrial IoT (IIoT) environments usually include numerous devices, software, hardware and legacy equipment, which were primarily not designed to work collaboratively. This engenders a space for configuration (or design) errors that could let threat actors compromise the whole network.
• Lack of security features in the devices: It is seen that a majority of IoT devices are designed after keeping customer experience and ease in mind. They do not have sufficient security mechanisms. For instance, they do not feature encryption. Most IoT devices do not apply encryption while transferring data, creating a gap in the security perimeter of any organization with IoT connected devices. Additionally, I have also observed that these IoT devices often come with guessable and weak default passwords. If they are installed with the same password, it becomes easy for hackers to brute force and breach.
• Seamless connectivity with other devices: Cybercriminals always try to make more benefit in their every intrusion. Since IoT devices have access to the network (business/home), a single successful breach can enable threat actors to get hold of sensitive data like usernames, passwords and even banking details.
Just imagine if your smartwatch got hacked, how valuable it can be for the hackers. The attackers can get access to your smartphone, computer or even tablet and steal your critical data.
• Application of legacy OT communication protocols: Cybercriminals are now well aware of the vulnerabilities of legacy protocols, which enterprises are still using as a part of smart factories. They are using different methods like self-propagating worms and peer-to-peer (C2) communications to penetrate industrial IoT devices and interrupt crucial processes.
• Chances of a large-scale attack: If a threat actor can penetrate your IoT device and enter into the network, the door to launch a series of big-scale attacks open up. The “seamless connectivity”, which seems to be an astonishing feature, can lead to devastating results such as the attackers can drop malware on the network, steal and encrypt sensitive data, etc.
• Lack of awareness among the workforce: As IoT is a relatively new technology, there are so many individuals who are still oblivious to its functionalities and risks. Consequently, people perform actions without being mindful of the outcomes, resulting in exposing vulnerabilities.
How Security Leaders can Cope with IoT Security Challenges
I believe, for any organization – be it small, medium or large, it is important to have deep visibility in IoT devices within their networks. IoT security is no more subjective for businesses as it is increasingly becoming an integral part of their daily operations. Ensuring the security of IIoT ecosystems is critical as the weak defence could have destructive consequences.
There are multiple things that organizations can do to optimize IoT security and minimize risks, including:
• Do a little research work before buying any IoT devices: As prevention is always better than cure, taking out some time to analyse the product and review its security aspects can help in identifying the potential risk and minimize the possible damage.
• Continuously monitor all the IoT assets: It is recommended for organizations to keep an inventory of all the IoT devices in their network and constantly monitor these assets to proactively detect and remediate security issues. By following industry best practices and investing in leading solutions, enterprises can manage and secure their critical IT infrastructure against IoT security threats.
• Apply/Install latest updates: Delaying patches or updates can result in increased risk for an organization. There must be a regular schedule for updating security patches for any IT assets but specifically for IoT assets given their weak inherent security layer. This can help in preventing hackers from exploiting any previous security vulnerability.
• Limit access to IoT devices: Do not open the access to IoT devices to everyone. Prepare a list of all the individuals who are allowed to access devices and for what reasons.
• Secure communication: To safeguard data from being compromised or modified, the communication channel between the systems sending and receiving the data should be secured.
• Develop regulatory controls: Since there are no official rules/policies that specify how IoT data should be gathered, accessed and distributed, organizations (on their own) must devise a plan to ensure adherence to privacy protection, industry-specific data management protocols, and securely manage sensitive information.
• Conduct training and upskilling programs: Insightful workshops and security awareness sessions helps businesses to make the workforce aware of the features and potential risks of the IoT technology. We can educate people about the basic security practices that they need to follow in their daily routine to avoid any security incident.
In my opinion, IoT is the face of tomorrow. No industry vertical is untouched by the benefits of this technology and as a result of which we are witnessing a boom in its popularity and growth. But the more we use IoT, the more we get susceptible to cyber-attacks targeting this technology. Therefore, in-depth visibility of the existing IoT networks is critical to determine the potential risk and implement necessary security mechanisms.