The Internet of Things Presents Unaddressed Cybersecurity Vulnerabilities
The Internet of Things is a powerful tool that grants organizations access into granular data, which helps to improve productivity, efficiency and informed decision making. However, implementing an IoT system, in which dozens or even hundreds of new connected devices gain access to your network, carries with it increased security risks. After all, more potential points of entry increase the attack vector for would be hackers.
So, how can your business reap the benefits of the IoT without befalling serious harm? With so many threats out there – from ransomware to malware and beyond – security is imperative. Business News Daily spoke to several experts about the problems facing IoT cybersecurity today and how best to move forward.
IoT and network vulnerabilities
Rather than a monolithic system, IoT is a fabric of disparate devices connecting with one another to work together, as the name suggests. Historically, organizations have implemented IoT in a bid to reap the enormous benefits the technology promises; however, there was often little regard for security, and as the network of connected things proliferated, so too did the security risks.
“For a long time … the IoT push was just to connect the unconnected,” said Matt Morris, VP of strategy, products and marketing for NexDefense. “So, people started to incorporate more and more of these systems, bringing in manufacturing plants, oil rigs, utility substations and so on. In their push to get things connected, they failed to solve the issue of security.”
Today, most companies understand that secured connectivity is the true value of IoT and are working to protect themselves, especially in the wake of high profile attacks like Shamoon, which impacted Saudi Aramco and sent shockwaves through the oil and gas industry, or the more recent Wannacry ransomware attack that impacted companies all over the world. In some ways, though, Morris said, security efforts that emanate from boards of directors are misguided.
Mitigating against attacks with cyber defenses
Many companies are trying to apply IT security solutions in operational environments, such as the manufacturing industry or for oil and gas production. The trouble with this, according to Morris, is that the two are very different animals – companies then think they’re protected when their security still has holes in it.
Utilizing typical IT solutions in an operational or industrial environment, such as a manufacturing plant, can have dire consequences. Scanning systems, for example, can cause essential features to shut down, like safety features that protect humans working alongside robots on a production line. At worst, serious harm could befall employees. But even if this worst-case scenario doesn’t come true, you’re still looking at a slowdown in production, Morris said.
“The type of security needed to protect manufacturing lines, oil rigs, etc., is newer tech,” he added. “There … is technology out there that is purpose built for these environments. If … companies are aware and invest and implement, they can actually strengthen the IT security they are using today that they think is protecting them but really is not.”
Instituting strong security policies to reduce human error
Many security vulnerabilities can be mitigated by establishing a policy based on best practices and disseminating these policies to employees. Protecting credentials and restricting access to the network are major ways a company can protect itself from outside threats.
“The greatest challenge I see among all our clients is a lack of standards and governance in the way they will support and provide access and control measures to all these devices,” said Mike Sanchez, CISO of UDT. “There’s not a clear strategy in terms of who has access, which group and why. Generally, what I see is they do these blanket rules and policies allowing most devices to connect merely just by basic configuration settings to access things like emails and share files or folders on the company network.”
Sanchez said establishing directives regarding “bring your own device” (BYOD) policies, network access, and how employees interact with others through channels like email can help insulate the organization from would-be attackers. It’s also wise to prioritize the assets that you truly depend on, rather than taking a one-size fits all approach.
“Over and over again, I see people trying to protect things that don’t have a big impact to organization,” Sanchez said. “It all comes down to governance, frameworks and standards. Doing these basic things, whether it’s an IoT device, legacy systems or remote PC, the fundamentals still remain. There isn’t a magic bullet that’s going to address this challenge from a tech standpoint.”
IoT manufacturers improving inherent product security
Some of the security challenges of IoT are out of the organization’s hands. Manufacturers can build-in better security protections to their products on the device level. Many have moved to improve their products already, and security will continue to become a bigger sticking point as IoT continues to proliferate.
“Manufacturers and vendors of these devices need to do their part as well in the chip sense, and how they build these devices,” Sanchez said. “Attackers use basic methods in attack vectors and manufacturers need to account for any type of attack.”
Often, a major motivation is creating a seamless, intuitive user interface, but this can also compromise security if overdone, Sanchez said. Tightening things up without sacrificing an acceptable amount of user friendliness will be the challenge software developers and device manufacturers face in the future.
“There’s always a balance we strike between user interface accessibility and security,” Sanchez said. “We’re always struggling against those two points and how to provide or mitigate the risk at the best possible UI experience.”
An evolving understanding of IoT cybersecurity
The IoT security issue isn’t going to be solved overnight. It’s going to take years of learning new behaviors, implementing new defenses, and upgrading technology to combat the threats. And even then, new attacks will develop and new defenses will rise to meet them.
“It’s a challenge that will be around for a while, I think, given the magnitude of the different areas you have to deal with and address, Sanchez said. “Companies are really struggling in the way that they define the strategy for their own infrastructure and legacy systems.”
But security challenges shouldn’t scare organizations away from IoT, Morris said. The benefits the technology offers are very real, and if the hurdles surrounding security could be overcome there’s no telling what these connected environments can help us achieve.
“If … that awareness doesn’t get out there and get [security] implemented the way it needs to, I don’t think we’ll ever see IoT reach its full fruition that everyone really wants it to,” Morris said. “But if that can be solved, then I think sky’s the limit in terms of what can be achieved.”