
The treacherous waters of IOT security

Cyber attacks and malware will continue to mushroom along with the number of installed IOT devices, providing an ever-expanding attack surface.
By Paul Stuttard, Director, Duxbury Networking.
Johannesburg, 01 Jun 2020

The Internet of things (IOT) has given rise to the fourth industrial revolution, which is bringing significant benefits to millions of organisations. By connecting people, processes and data via a network of things/devices embedded with sensors, software and connectivity that enable them to collect and exchange data, the IOT has created opportunities for the direct integration of the physical world into computer-based systems.

Through the elimination of human-to-human and human-to-computer interaction, vast gains in operating efficiency are being realised, directly leading to considerable economic advantages for rapidly growing numbers of organisations on a global scale.

Since the “birth” of the IOT (as we currently know it) in 2008, its scope and reach have broadened immeasurably due to advances in technology − particularly in the fields of embedded systems, wireless sensors, control systems and automation.

The number of IOT devices in operation around the world is ballooning by more than 30% year-on-year, with more than 20 billion devices expected to be operational by year-end, according to research.

Analysts maintain the explosion of IOT devices in the workplace represents a transformation bigger than the PC and mobile revolutions combined. Instead of innovations in laptop computers and smartphones, today’s market is presented with a continuous stream of advances in smart TVs, sophisticated digital assistants, complex building management systems, CCTV cameras, medical devices, smart manufacturing solutions and more.

New-generation IOT devices, many of which combine data gathering, tracking and analysis, are becoming central to the much-sought-after productivity gains currently demanded by manufacturing, supply chain management, logistics, retail, banking and finance, telecommunications, infrastructure management, food production, surveillance, healthcare, transport, pharmaceutical and many other companies and organisations.

However, these devices also create great risks. This is the result of security not being high on IOT device manufacturers’ priority lists. The majority of devices on the market (more than 90%) are unsecured, have no integrated security and are hard, if not impossible, to update.

Because IOT devices are designed to automatically connect to the Internet or to other devices (unlike previous devices in the workplace) they are viable targets for malicious exploitation.

Research reveals that 98% of all IOT data traffic is unencrypted, and there are few industry standards for IOT devices, which regularly make use of custom-designed operating systems and proprietary communication protocols.

Consequently, businesses often have no way to visualise these devices on their networks or effectively manage them. Traditional firewalls, network security systems, and endpoint detection and response solutions are not up to the task.

Last year, cyber attacks on IOT devices surged by 300%. According to Zak Doffman, a UK-based, regularly published expert in defence, national security and counter-terrorism, 2.9 billion attacks were registered in 2019 alone.

Cyber attacks and malware will continue to mushroom along with the number of installed IOT devices. They will provide an ever-expanding attack surface ready for exploitation by malicious hackers.

By commandeering compromised IOT devices − which network managers cannot see and thus can’t protect − skilled attackers are able to breach seemingly secure networks and retrieve critical data in seconds.

It is unfortunate that many organisations rely on traditional security solutions and are primarily focused on cloud security. Their biggest risk is a lack of security awareness when it comes to the deployment of IOT devices.

In these instances, conventional endpoint protection is useless, as most IOT devices cannot host an agent and firewalls typically only see traffic at the perimeter of the network. IOT devices are almost always located deeper, or even located on guest networks.

Traditional network security systems cannot see any of the device-to-device wireless traffic − such as Bluetooth − commonly used by IOT devices. And conventional network access control systems are not designed to monitor the behaviour of IOT devices and therefore can’t detect malicious intent or activity.

Is there a solution?

To mitigate risk, organisations first need to undertake a detailed assessment in order to examine vulnerabilities in devices and network systems as well as in user and customer backend systems. In so doing, it is important to be able to distinguish between trustworthy and untrustworthy IOT devices. It’s not a simple task. Unlike mobile phones which are typically designed and manufactured by one company, IOT devices often employ underlying modules manufactured by third-party suppliers.

Other keys to risk mitigation include the maintenance of an accurate inventory of hardware and software. Every managed, unmanaged and IOT device − including servers, laptops, smartphones, VOIP phones, smart TVs, IP cameras, printers, air-conditioning controls, medical devices, industrial controls and more − needs to be discovered and classified. The same applies to off-network devices using WiFi, Bluetooth and other IOT protocols.

This comprehensive device inventory should include critical information like manufacturer, model, serial number, location, username, operating system, installed applications and details of connections made highlighting dates/times.

In addition to discovering and classifying a device, its risk score needs to be ascertained based on considerations including known vulnerabilities, recognised attack patterns and any observed behaviour patterns.
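
As an added illustration (not code from the article or from any product it alludes to), the sketch below keeps an inventory record with the fields listed above, treats traffic from an unknown serial number as a newly discovered device, and combines the three considerations into a risk score. The weights, the quarantine threshold, the baseline-peer idea and all sample devices are assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Device:
    serial_number: str
    manufacturer: str = "unknown"
    model: str = "unknown"
    location: str = "unknown"
    username: str = "unknown"
    operating_system: str = "unknown"
    installed_applications: list = field(default_factory=list)
    connections: list = field(default_factory=list)  # (date/time, peer, encrypted)
    known_vulnerabilities: int = 0   # assumed input: count from an advisory feed
    attack_pattern_hits: int = 0     # assumed input: recognised attack-pattern matches
    baseline_peers: frozenset = frozenset()  # peers this device normally talks to

def record_connections(inventory, observations):
    """Attach observed connections; an unseen serial number is a newly discovered device."""
    for serial, timestamp, peer, encrypted in observations:
        device = inventory.setdefault(serial, Device(serial_number=serial))
        device.connections.append((timestamp, peer, encrypted))

def risk_score(device):
    """Score 0-100 from the three considerations; the weights are illustrative assumptions."""
    total = len(device.connections)
    unencrypted = sum(1 for _, _, enc in device.connections if not enc)
    off_baseline = sum(1 for _, p, _ in device.connections if p not in device.baseline_peers)
    behaviour = (unencrypted + off_baseline) / (2 * total) if total else 0.0
    vulns = min(device.known_vulnerabilities, 5) / 5
    attacks = min(device.attack_pattern_hits, 3) / 3
    unclassified = 1.0 if device.manufacturer == "unknown" else 0.0
    return round(100 * (0.35 * vulns + 0.30 * attacks + 0.25 * behaviour + 0.10 * unclassified))

def quarantine_candidates(inventory, threshold=60):
    """Serial numbers whose score meets the (assumed) quarantine threshold."""
    return sorted(s for s, d in inventory.items() if risk_score(d) >= threshold)

INVENTORY = {  # constructed sample data: made-up vendors, serials and documentation IPs
    "CAM-0001": Device("CAM-0001", "ExampleCam", "X1", "Lobby", "svc-cctv", "embedded Linux",
                       ["rtsp-server"], known_vulnerabilities=4, attack_pattern_hits=2,
                       baseline_peers=frozenset({"10.0.5.10"})),
    "PRN-0002": Device("PRN-0002", "ExamplePrint", "P9", "Floor 2", "svc-print",
                       "proprietary RTOS", ["ipp"], baseline_peers=frozenset({"10.0.5.20"})),
}
OBSERVATIONS = [  # constructed connection records: (serial, date/time, peer, encrypted)
    ("CAM-0001", "2020-06-01T08:00:00", "10.0.5.10", False),
    ("CAM-0001", "2020-06-01T08:05:00", "203.0.113.7", False),
    ("PRN-0002", "2020-06-01T08:10:00", "10.0.5.20", True),
    ("TV-0003", "2020-06-01T08:15:00", "198.51.100.9", False),  # not yet in the inventory
]
```

Calling record_connections(INVENTORY, OBSERVATIONS) and then quarantine_candidates(INVENTORY) flags the camera, while the previously unseen TV enters the inventory as an unclassified device with a moderate score until it is identified.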

An impossible task?

Fortunately, technology is coming to the rescue. Innovative projects, such as a cloud-based, crowd-sourced, device behaviour knowledgebase tracking 230 million IOT devices, are on the horizon and set to play important roles in IOT security going forward.

New tools are appearing that go beyond device and risk identification to take responsibility for continuously monitoring every device on a corporate network − and in the “airspace” above it − for anomalous behaviour patterns.

Many of these tools are already in the hands of a new breed of security consultants whose knowledge is gleaned from covert intelligence feeds, from identifying numerous attack techniques and from responding to the most serious of threats.

Equipped with this know-how, these specialists are able to build security platforms and IOT ecosystems purpose-designed to help end-user organisations recognise device behaviour-linked threats, identify attacks and take appropriate action to restrict access to, or quarantine, compromised devices.

So empowered, these organisations are able to confidently navigate the increasingly treacherous − and often toxic − waters of IOT security.
