In 2015, a couple determined they could hack a 'smart' sniper rifle and change its target. A few months later, the FDA issued an alert about a connected hospital medicine pump that could be compromised and have its dosage changed. Earlier that same year a cyberattack on a German steel mill left a blast furnace running with no perceived means of shutting it down.
The Internet of Things (IoT) has the potential to create numerous benefits for businesses and consumers in terms of big data and new levels of automation, but it also creates new vectors for cyberattacks.
These days, objects as innocuous as your toaster or alarm clock can be collecting, using, or sending data. This creates a whole new world for hackers to exploit, and you'd better believe they're doing just that.
Cyberattackers typically don't discriminate -- they'll take any weakness or vulnerability they can access. Chris Witeck, principal technology strategist at Citrix Labs, points out that each new connected device or sensor introduced to a network can become a path or entry point into the network. In cybersecurity, these 'paths' are referred to as attack vectors, and the goal is to minimize them.
Or, as John Pironti, president of IP Architects puts it, "A lot of adversaries, and a lot of people who are looking at this problem, aren't looking at it as 'let me go and attack your toaster': they're looking at it as 'let me attack your toaster to use it as a way to get into the rest of your network'."
In the enterprise, this danger is compounded as the bridge between traditional IT systems and IoT systems is strengthening, and IT managers can no longer rely on tried-and-true security methods. According to Steve Grobman, CTO at Intel's Security Group, most organizations don't have the resources to rebuild their infrastructure from the ground up, so they're forced to rely on legacy systems that may never have been designed to be connected in the first place, and may therefore contain inherent vulnerabilities.
"All of those latest vulnerabilities are essentially waking up and becoming prime targets of exploitation," warns Grobman.
As well as the sheer number of newly-connected devices on the network, there's the broad nature their uses cases and the speed at which they're being developed. These devices will create different risks depending on the industries concerned, and also within the home.
"When developing and marketing new IoT devices and solutions, in order to beat the competition, people build the solutions without thinking of the security implications beforehand. It's often only when the product is developed that basic security steps are taken, such as analyzing the code and implementing back-end security elements," says Reiner Kappenberger, global product manager at HPE Security.
The truth is, the level of code scrutiny for most IoT devices is simply not at the same level as smartphones or similar devices. And, as IP Architects' Pironti notes, they typically lack the computing power to support proper security tools. Processes like patching are already difficult -- Pironti goes as far as to say we're "woefully behind" in this respect -- and only get harder as more IoT devices are introduced.
So, what can be done? The solution, unfortunately, is far from straightforward. Most industries understand some of the issues presented by the IoT, but it can be hard for them to respond quickly. There's also a great deal of variation in the specific threats faced by different industries. Still, there are some steps that will help organisations to begin addressing the risks.
Intel's Grobman says he would encourage them to begin by considering the the overall environment, focusing on the concepts of least privilege and least access: "They should add only enough connectivity and access required to achieve the goals that they're working towards around automation and enhanced control."
Consider how you, or your organization, are 'onboarding' new devices. In terms of asset inventory, you should be asking three key questions:
Various network segmentation models should be considered as you determine which devices you want connected to which network elements. You should also ensure that each connected device has the ability to encrypt network traffic in order to reduce its vulnerability, says Citrix Labs' Witeck.
"Take a look carefully at IoT device manufacturers to see if they are adhering to any of the competing IoT standards and understand how they wrap security into their devices," Witeck adds.
As you implement IoT devices, make sure that the proper protocols are being used relative to your network and that you are making every effort to eliminate potential back doors. Remember, not all protocols are designed the same way.
"Some protocols are designed for private networks where security is already part of the network," says HPE's Kappenberger. "IoT does not have that luxury and requires using protocols that are safe and do not allow attackers the possibility of a man-in-the-middle attack or other ways to gain access to the device."
Finally, apply data analytics to determine use patterns so that you have better visibility if something begins to go awry.