Reducing cyber attacks in the retail IOT realm
The digital transformation to using modern, connected retail devices should not come at the cost of incurring unacceptable levels of cyber risk. Deployments of devices like these require security that is purpose-built for today’s connected, unmanaged devices, and that includes continuous device monitoring that detects threats and responds automatically to mitigate risk.
Smart, connected devices, often referred to as the Internet of things (IOT), present an opportunity to develop a retail shopping environment that connects the physical and digital worlds, enabling real-time interaction with consumers.
These unmanaged and IOT devices are the new targets for hackers. New research shows cyber attacks on IOT devices surged 300%, targeting billions of devices across multiple industries, including retail. The lack of any security on these unmanaged and IOT devices makes them the new attack landscape for bad actors.
“Visionary retailers are thinking years ahead about how to leverage not only this technology, but also artificial intelligence, machine learning and autonomous robotics to improve marketing and operational efficiencies,” says Andre Kannemeyer, CTO at Duxbury Networking, distributor of Armis solutions in South Africa.
Retailers are also using these devices in innovative ways that improve the shopping experience:
- As shoppers enter a store, the store’s WiFi network can send notifications to shoppers’ smartphones and devices with targeted messages and coupons for products similar to what they have bought before.
- Sensors can track customers’ paths through a store, and retailers can use the tracking information to improve layout and merchandise placement.
- Interactive kiosks and smart displays can provide store layouts, directions and product information.
- Automated inventory systems that include devices like robots can continuously scan store floors for restocking needs and for general orderliness of shelves or displays.
- Self-service checkout can help customers complete the purchase process more quickly.
- Facial recognition can identify known shoplifters or can identify customers and inform salespeople about preferences like colours and sizes.
- Open WiFi keeps customers connected while organisations gain critical information about movement, location, shopping habits and conversions.
These innovations capitalise on customers’ preferences for personalised experiences and engagement. However, they also depend on devices that can be a big security risk. These devices expose an increasingly vulnerable attack surface because they cannot be updated easily and they are not monitored for potential compromises.
Real threats in the digital retail environment include:
- Smart displays and kiosks: Internet-connected devices can be attacked remotely to give attackers access to your network.
- Self-serve checkout and point-of-sale (POS) devices: Theft of shoppers’ credit/debit card information not only costs time and money to fix but also causes millions in regulatory fines and damage to a retailer’s brand.
- Bluetooth-enabled price scanners: Hackers can attack these devices through Bluetooth-related vulnerabilities to change the pricing of items or stage a broader attack for customer information.
- Printers connected to WiFi: A printer with an open hotspot can enable hackers to circumvent network access control and gain access to the retailer’s data.
- Production-line sensors: Sensors and automated controls in warehouses can be compromised, causing production or delivery delays.
“In the rush towards digital transformation, the primary focus has been to acquire and deploy digital retail devices at scale to quickly reap their rewards – like helping to grow revenue, reducing costs, gathering critical data and delivering new shopping experiences. Security has not been a front-and-centre concern. These devices are designed to connect, and some actively seek connections whether you want them to or not. Once these devices are on your network, their vulnerabilities become a risk you have to face,” says Kannemeyer.
The traditional security products most organisations have come to know and trust simply will not help manage the risks and consequences of the new connected retail frontier. These products were built for traditional computing devices. While some security vendors have re-engineered their products, or have offered new bolt-on modules that attempt to make them work for IOT and unmanaged devices, most fail for a variety of reasons:
- Security agents will not work.
- Network scanners cannot be used.
- Conventional network security products are insufficient.
- Wireless connectivity evades legacy security controls.
“Traditional security products can’t adequately see or monitor the ‘smart’ devices that are used in most digital transformation projects. Nor can they see or monitor devices that employees bring into the store without your knowledge. Inventory tools that claim to provide ‘visibility’ or ‘discovery’ were not designed to discover or assess these unmanaged assets or IOT devices. As a result, you’re left with an incomplete picture of the devices and risks in your environment,” says Kannemeyer.
This is a huge security problem. Bad actors target common IOT devices like VOIP phones, smart TVs, IP cameras and more to gain a foothold into the network, and then branch out deeper into more lucrative areas – like payment networks. This makes discovering and classifying every managed, unmanaged and IOT device in the retail environment vital.
Having critical information about devices, including manufacturer, model, serial number, location, username, operating system, installed applications and connections made over time, can help determine exactly which device is exhibiting suspicious behaviour and how it is interacting with one’s network. It also makes it easier to track the connection and activity history of every device in the environment with granularity.
Identifying risks is a critical part of any retailer’s security strategy. “You need to assess risk based on a variety of factors like vulnerabilities, known attack patterns, and the behaviours observed of each device on your network. This information is needed in order to understand your attack surface and to comply with regulatory frameworks that require identification and prioritisation of vulnerabilities. However, traditional vulnerability scanner products that run periodically (weekly or monthly) can miss transient devices, like those that employees and customers bring into the environment, and they can even knock some devices offline altogether,” says Kannemeyer.
Since traditional security tools are unable to monitor and secure unmanaged retail and IOT devices, security professionals must seek a new approach. This new way forward in security must be purpose-built for today’s unmanaged, connected environments. That includes the ability to discover all the devices in remote locations, proactively assess the risk of every device, and detect threats by monitoring and analysing device behaviour continuously. It must also be able to respond to incidents immediately and automatically to stop attacks from unravelling one’s business.
Several security products use proprietary software agents and even additional hardware to scan devices for information. For managed devices, agent-based tools can provide detailed information – but only when the agents are working properly. More importantly, the scope of agent-based products does not extend to unmanaged or IOT devices.
“The right device security product should discover every device on and off your network, and analyse their behaviour, including connections and activity history. Specifically, you need a security solution that can monitor both wired and wireless traffic on your network and in your airspace to identify every device and to understand their behaviours,” says Kannemeyer.
Investing in risk assessments can help retailers manage their organisation’s attack surface and pinpoint risky devices and activities. This relies on ongoing device risk scoring based on multiple risk factors, including software vulnerabilities, known attack patterns and the behaviours observed on each device on a network. The risk score helps the retailer’s security team understand the attack surface and comply with regulatory frameworks that require identification and prioritisation of vulnerabilities.
A database that compares real-time device state and behaviour with ‘known-good’ baselines for similar devices provides threat detection and prevention: it detects changes in device state and anomalies that could indicate threats or attacks, and it automates threat response.
“But visibility and continuous monitoring are not enough. You need to take action and quarantine suspicious or malicious devices, automatically. This automation helps reduce security team workload by creating policies that mitigate and alert on critical events automatically,” says Kannemeyer.
Frictionless integration – without disruption in one’s environment – is the key to successful deployment. “You want security products that install in minutes and use the infrastructure you already have, with no impact on your organisation’s network performance,” Kannemeyer points out.
Reference: Forbes, “Cyberattacks On IOT Devices Surge 300% In 2019, ‘Measured In Billions’, Report Claims”, September 2019.