I was recently asked about Internet of Things (IoT) devices and cybersecurity. By now, we’re well aware of the proliferating presence of IoT. We’ve seen the reports predicting that there will be 55.7 billion connected devices worldwide by 2025.[1] We know that IoT is everywhere. When we enter buildings, it’s controlling the heating and air conditioning systems so we’re comfortable in filtered air, and it’s powering locks and security cameras to help keep us safe. When we go home, connected appliances make our coffee, chill what’s in our refrigerators, and serve as our personal assistants taking care of playlists, errand reminders, and schedule juggling.
We’ve reached a place in which IoT touches virtually everything in our entire existence — not only our home and work lives but our utilities (smart grids), hospitals (smart health monitors), military (smart weapons), and municipalities (smart cities) — to the point that we take this ubiquitous connectivity for granted.
But we shouldn’t.
Why? Because we drop the term “connected devices” routinely without ever really thinking about what this connectivity means. By their very nature, IoT devices connect to third-party service providers, the cloud, and/or mobile services. Thus, every time we welcome a new IoT product into our houses, we’re bringing these external parties into our homes. Every time we acquire an IoT system for our employers or customers, we make these external parties a de facto part of a protected environment.
And that’s when things can go very wrong. As a textbook example, look no further than the recent compromise of connected camera device and service provider Verkada, in which hackers successfully targeted more than 150,000 of the cloud-based company’s cameras, including those installed in Tesla factories and warehouses, gyms, hospitals, jails, schools, and police stations.[2]
The uncomfortable truth here is that much of the IoT universe was not designed with security in mind. IoT devices now account for one-third of all infections — double the number from 2019.[3] Consequently, cyber adversaries increasingly view these devices as low-hanging fruit with weak passwords, unprotected network services, and an overall lack of hardening.
So, as an IT executive, how do you respond? Like any major initiative, you start with a strategy. We recommend you build this strategy by answering the following questions:
How much of this is actually supporting our systems? You can’t protect what you don’t know. A comprehensive inventory of where IoT exists in every place where your people are getting the job done — even remotely — will map out a complete view of your IoT footprint.
Who owns it? It’s quite possible that an organization’s facilities department may have ordered an IoT-enabled elevator or heating, ventilating, and air conditioning system upgrade without notifying the cybersecurity team. Obviously, the facilities people are not primarily interested in security. They are graded on their roles’ own cost-effectiveness, performance, and return on investment metrics, which might be met faster with more connected and modern equipment. To ensure such installations do not introduce unmanageable risks, you should develop a formal set of procedures that requires cross-departmental coordination.
How will we track it all? You monitor your network, applications, and devices. Your nontraditional IoT devices should prove no exception. You should not set it and forget it because many IoT endpoints do not keep logs or restrict network communications. Conduct continuous log and network monitoring of IoT devices, just as you do for servers, laptops, and workstations, to track their activity and the data they’re sending and receiving, while readily detecting deviations from standard endpoint profiling.
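The endpoint profiling described above can be illustrated with a short added example (not part of the original article): it learns each device's usual peers from baseline flow records and flags new peers, volume spikes, and devices missing from the inventory. The device names, hostnames, flow records, and the `volume_factor` threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample flow records: (device, destination, dest_port, bytes_sent).
BASELINE_FLOWS = [
    ("camera-01", "video.vendor.example", 443, 48_000),
    ("camera-01", "video.vendor.example", 443, 52_000),
    ("camera-01", "ntp.internal.example", 123, 90),
    ("hvac-02", "bms.internal.example", 47808, 1_200),
    ("hvac-02", "bms.internal.example", 47808, 1_100),
]
OBSERVED_FLOWS = [
    ("camera-01", "video.vendor.example", 443, 50_500),   # matches profile
    ("camera-01", "203.0.113.50", 23, 400),               # new peer and port
    ("hvac-02", "bms.internal.example", 47808, 95_000),   # volume spike
    ("lock-07", "bms.internal.example", 443, 300),        # not in inventory
]

def build_profiles(flows):
    """Per device: known (destination, port) pairs and peak bytes seen per pair."""
    profiles = defaultdict(dict)
    for device, dest, port, sent in flows:
        peers = profiles[device]
        peers[(dest, port)] = max(peers.get((dest, port), 0), sent)
    return dict(profiles)

def find_deviations(profiles, flows, volume_factor=3):
    """Return (device, reason) for every flow that departs from its profile."""
    alerts = []
    for device, dest, port, sent in flows:
        if device not in profiles:
            alerts.append((device, "unknown device (missing from inventory)"))
        elif (dest, port) not in profiles[device]:
            alerts.append((device, f"new peer {dest}:{port}"))
        elif sent > volume_factor * profiles[device][(dest, port)]:
            alerts.append((device, f"volume spike to {dest}:{port} ({sent} bytes)"))
    return alerts

if __name__ == "__main__":
    profiles = build_profiles(BASELINE_FLOWS)
    for device, reason in find_deviations(profiles, OBSERVED_FLOWS):
        print(f"ALERT {device}: {reason}")
```

Because IoT devices tend to talk to a small, fixed set of peers, even this simple allow-list style profile produces few false positives compared with the same approach on laptops or workstations.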
How extensive is our third-party risk? As indicated, the risk level of your third-party IoT services now represents your risk level. Get together with these providers to inquire about their security policies and practices and assess whether they are sufficiently proactive and vigilant. Pay close attention to things like the handling of credentials and whether you can configure service providers’ platforms to adequately encrypt your data. Understand that there are going to be trade-offs: third parties and embedded cloud services offer powerful uptime and deployment advantages. It is much easier to subscribe to a cloud-backed camera platform and install the devices than to compare and buy disparate camera, recording, and storage components and figure out how to manage and maintain them by yourself. However, these providers are fundamentally economies-of-scale businesses that may not suit every unique requirement. Cyber risk management is about identifying what the trade-offs are and whether they are acceptable or deal-breakers.
Are we implementing CIA steps? In this case, CIA stands for…
- Confidentiality: Only users with permission can read the data to keep untrusted parties from gaining access.
- Integrity: Only users with permission can modify the data, so untrusted parties cannot alter it in an attempt to exploit it.
- Availability: Users with permission can always access the data, which is what makes it relevant and valuable in the first place.
Do we need to bring in a partner? Ultimately, you may realize that you can’t do all of this on your own. Fortunately, you can partner with a managed detection and response provider to monitor your network around-the-clock and take action in real-time after identifying suspicious or malicious activity. Beyond intercepting attacks in real-time, this type of monitoring can help proactively identify blind spots and policy compliance gaps that IoT transformations introduce into your networks and operations, helping you make sure new connectivity through mergers and acquisitions, facility modernizations, or remote workforces is not stretching your organization beyond its defenses.
As with most technological breakthroughs, there is no going back from the IoT. It’s not going away and will only grow more universal as a presence in our lives and within the enterprise. By addressing these questions, you can take essential steps to ensure you reap IoT rewards while taking risks in stride.
1. IoT Growth Demands Rethink of Long-Term Storage Strategies, says IDC, IDC, Jul 2020.
2. Security startup Verkada hack exposes 150,000 security cameras in Tesla factories, jails, and more, The Verge, Mar 2021.
3. Nokia Threat Intelligence Report, Nokia, 2021.
Co-founder and Chief Technology Officer | Pondurance
Landon has over 20 years of experience helping organizations manage reputational, financial, and regulatory risk. He provides strategic technical leadership and expertise to a team that focuses on using technology to identify and respond to today’s cyber threats. Landon has a strong information security background that spans multiple industries and also includes experience in SCADA and (industrial/distributed) control system environments. His international experience has included projects across North America, Asia and Europe. Landon’s background in security architecture, implementation and design combined with the experience of a penetration tester provides a unique skill set to the security industry.