SecurityWeek

How to Shield Against IoT Security Threats

While politicians and security experts are constantly warning about the risk of cyber-attacks, they rarely, if ever, mention the risks associated with the Internet of Things (IoT). They should, since there are already plenty of examples of successful IoT security attacks (e.g., the Mirai botnet, connected cardiac devices, etc.).

IoT in all its flavors (e.g., physical security systems, lights, appliances, heating and air conditioning systems, as well as artificial intelligence-based automated agents such as chatbots) exposes companies and consumers alike to a wide range of security threats. 

In fact, according to a survey conducted by Altman Vilandrie & Company, nearly half of US-based firms using IoT have been hit by a recent security breach. So, how can we shield against these emerging threats? 

The number of IoT devices is growing at a breathtaking pace, from 2 billion in 2006 to an estimated 200 billion by 2020 (see Intel report). Therefore, IoT must be considered part of a broader attack surface that requires protective measures. While consumer IoT devices like Amazon Alexa, Google Home, Nest Labs home automation systems, and smart wearables get all the headlines, the largest proportion of IoT devices aren’t used in homes, but in manufacturing plants, retail businesses, and the healthcare industry. 

The strong adoption rates in these verticals are tied to the benefits IoT devices provide in terms of tracking inventory, managing machines, increasing efficiency, improving customer interaction and service, reducing maintenance costs, and even saving lives. According to Intel, by 2025, the total global worth of IoT technology could be as much as 6.2 trillion US Dollars. While these numbers prove the business value of IoT, the technology also introduces major security threats that need to be addressed sooner rather than later.

If an employee’s smartwatch can be compromised to steal corporate Wi-Fi passwords, the device suddenly falls into the scope of an organization’s attack surface. To complicate matters, the development of IoT products preceded the creation of a common security framework or standard. In the case of many IoT products, security is an afterthought. 

In the past, proprietary technology and competing interests made a truly open and secure network difficult to develop. New initiatives like the Trusted IoT Alliance offer a glimpse of promise, but its inherent focus on promoting an open source blockchain protocol might also be its inhibitor to success. The most practical approach for addressing the lack of security in IoT devices is for new standards and government regulations to be established that require the use of trusted networks and operating systems. 

In this context, the Cyber Shield Act of 2017, which was introduced by Senator Edward J. Markey and has been endorsed by the Institute for Critical Infrastructure Technology, is a good first step towards creating a standardized approach to cyber security for IoT. The bill is designed to establish a voluntary program to identify, verify, and label compliant IoT devices with strong cyber security standards. More specifically, the proposed legislation would require IoT vendors to follow “security-by-design” best practices in accordance with National Institute of Standards and Technology (NIST) Special Publication 800-160 and receive a certification that would rate their product, allowing buyers to assess the associated risks and drive their technology decision process.

Unfortunately, the Cyber Shield Act as it stands falls short, since it is a voluntary program that does not incentivize vendors to implement the NIST security standards. It will likely require further refinements before it can garner the needed support of the Senate, House, and President. More consensus across bipartisan lines may exist in creating a National Cyber Security Safety Board, which would focus on fact-finding and development of industry-wide best practices in collaboration with the vendor community. 

Since these initiatives are likely years from fruition, organizations concerned with IoT threats should apply the following minimum safeguards:

● Deploy IoT devices based on standards-friendly hub-and-spoke networking protocols, which are less vulnerable to attacks. 

● Apply mature identity and access management measures to secure not just applications, workstations, and servers, but also IoT devices.

● Expand the penetration testing scope to include IoT devices.

Ultimately, organizations must leverage emerging technologies that increase business efficiency and contribute to the organization’s overall success. However, security practitioners must expand their view of the attack surface to include IoT. This includes shifting from a perimeter-based to an identity-centric approach to security that assures only verified users and devices can gain access to sensitive resources. 

Written By

Dr. Torsten George is an internationally recognized IT security expert, author, and speaker with nearly 30 years of experience in the global IT security community. He regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege for Dummies book. Torsten has held executive level positions with Absolute Software, Centrify (now Delinea), RiskSense (acquired by Ivanti), RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global), Digital Link, and Everdream Corporation (acquired by Dell).
