The rise of the Internet of Things (IoT) has created a multitude of new connected devices and, in turn, a multitude of entry points waiting to be breached. An even bigger issue is that many IoT devices are easier to target than conventional devices, making them the new endpoint of choice for cybercriminals everywhere.
Security can often be an afterthought with many IoT projects, while innovation, agility and cost savings take priority. While these objectives are important, without a robust IoT security strategy firmly in place, businesses are at risk of exposure to a growing number of security threats that directly target IoT systems. According to research, 84% of organisations have experienced an IoT-related security breach and trends reveal that the increased risk of data breaches remains one of the greatest barriers to IoT adoption.
The threats are real
In October 2016, the world experienced the largest Distributed Denial of Service (DDoS) attack to date. Carried out by the Mirai botnet, the attack caused havoc across the internet by exploiting unsecured IoT devices and using them to cause widespread disruption of a number of services including Twitter, CNN, Reddit, Spotify, and Netflix.
More recently, Cisco Talos uncovered a Russian botnet that was affecting at least 500,000 vulnerable network-attached storage (NAS) devices and routers located around the world. The devices were infected with malware known as VPNFilter, which allowed hackers to control infected devices, including the ability to take them offline. Additionally, the malware allowed hackers to snoop on data as it passed between affected routers and learn more about the software used to manage the critical infrastructure.
What is notable about these high-profile attacks, remarkable even, is that they were carried out via simple, innocuous IoT devices. By compromising devices ranging from home routers to air-quality monitors and surveillance cameras, criminals found a way to exploit systems, hijack networks and steal sensitive business information.
Increasing reliance
IoT presents a major opportunity for businesses and organisations everywhere to fuel digital transformation and compete more efficiently in today’s digital economy. The number of connected devices worldwide is expected to exceed 20 billion in 2020 and we are becoming increasingly reliant on the advance of life-sustaining and practical use cases for IoT. From control systems that deliver power and water to self-driving cars and smart meters, this growth in dependency on network-connected technology is outpacing the means to secure it effectively.
While Mirai’s actions may have prevented users from accessing their favourite movies or playlists, the threat of more devastating attacks remains. As the number of IoT devices increases exponentially, here is a brief sample of the mayhem that nefarious agents could cause if they took control of IoT devices:
- Control of temperatures that causes servers to overheat and malfunction
- Disruption of critical infrastructure, transportation, telecommunications and the power grid
- Aiding criminals in infiltrating buildings by taking control of electronic security systems and devices
- Hijacking medical devices with the intent to injure, kill or hold organisations to ransom
- Infiltration of smart city devices causing widespread disruption to parking and traffic safety systems
Working toward a more secure IoT framework
When developing a security strategy, it is important to take a multi-layered approach and prepare for unexpected threats and challenges. This means simulating IoT-specific breaches, conducting risk assessments and creating security playbooks that allow the organisation to respond quickly and effectively to breaches while still maintaining efficient operations and a positive customer experience.
Secure products and advanced security functions and features should be the foundation of this strategy. However, traditional blacklisting and antivirus products are not going to be enough to secure IoT devices and protect them from the avalanche of threats that dynamic IT environments face. One example of such a foundation is a centralised management platform delivered over a standards-based secure mobile network that offers the option of private end-to-end connectivity of IoT devices without any exposure to the Internet.
No magic bullet
IoT devices can be situated anywhere on a distributed network. They operate across a variety of systems and in different locations. Most are managed remotely. For this reason, a comprehensive and consistent security strategy is required.
There is no magic bullet solution or all-encompassing security solution for IoT. Taking an existing IT security strategy and applying the same elements to your IoT infrastructure could be a costly mistake. Business leaders should instead focus on creating an IoT security ecosystem that integrates with all aspects of security, including physical security, cybersecurity and operational technology security. In doing so they can experience the opportunities and possibilities that IoT has to offer without unnecessary exposure to risk.