As the “internet of things,” commonly known as IoT, matures and grows every year, it has increasingly become a part of the critical infrastructure that organizations – and our society at large – rely upon. Gartner see utilities, government and building automation as among the largest growth sectors for IoT devices, and this IDC report projects that IoT devices will total over 41 billion by 2025, with over 79.4 zettabytes (ZB) of data generated – making the IoT a particularly inviting target for data thieves.
As such, the IoT is fast becoming a cybersecurity concern that needs to be protected and accounted for. To get a perspective on all of this, we interviewed Dr. Chen Hui Ong, Senior Director, Emerging Security Technologies at Trustwave.
Q: In 2020, how much of a security risk does the IoT pose for corporations?
Dr. Ong: IoT refers to many different things. Some are present in multiple industries, such as closed-circuit television (CCTV), goods tracking sensors and building management systems. Some IoT devices service specific industries, such as infusion pumps and X-ray machines, also called Internet of Medical Things (IoMT), for healthcare industries. Cars today are also increasingly connected and are increasingly referred to as a moving platform of IoT.
The IoT enables corporations in many ways. For example, goods tracking sensors allow us to track the precise location of goods and is an integral part of the overall customer experience. When these IoT devices are compromised or fail, operations are disrupted, personal data and information can be leaked.
IoT devices are also used as a launchpad into the rest of the organization. Being relatively unprotected, they represent a part of a corporation’s attack surface that can be compromised as a beach head.
Compromises to IoT devices can also have life-threatening implications. For example, when IoMT devices are compromised, they can also cause safety risks. In 2016, ethical hackers found vulnerabilities in pacemakers, eventually leading to device recalls. In 2017, ICS-CERT identified a series of vulnerabilities in infusion pumps.
Q: How big of a security risk is it for the average consumer?
Dr. Ong: For the average consumer, the risk posed by IoT is about much more than getting your smartwatch compromised. Televisions have been shown to be recording conversations while listening for commands. And data privacy laws have not caught up to protect consumers whose voice data, camera data, and location data may be stored in these devices. The average consumer is also exposed to the risks posed by corporations that provide services to them.
Q: What are the most common attacks you’ve seen take place through IoT vulnerabilities?
Dr. Ong: The most common attacks that I’ve seen so far are on authentication and authorization. The use of hard-coded or default username and passwords on IoT devices means that worms, cryptominers and other malware can easily spread from machine to machine. When the devices are taken over, they can be harvested for personal data or as a launchpad into the rest of the organization.
Q: How do you recommend organizations approach securing their IoT?
Dr. Ong: We can protect only what we can see. It is important to gain visibility of the IoT devices that are present in the organization.
Hygiene factors needs to be in place too. Ensuring that default passwords are changed for example. It can also help to adopt a defense-in-depth architecture to place the IoT devices in separate segments. Unfortunately, not all IoT devices are designed to support encryption for the data in transit and at rest due to battery limitations and other requirements. Many IoT devices will also not be able to support endpoint detection agents on them. Hence segmentation is one of the first things that can be done to protect IoT.
Q: What future trends do you see regarding IOT and cybersecurity?
Dr. Ong: I see many more conversations with security teams on the need to secure their IoT devices. The awareness of the need to secure IoT is definitely increasing. Because IoT devices can be deeply entrenched in operations, an organization’s concern when securing devices may no longer be on data breach but be extended to service uptime and safety. This will change the way security teams are organized and their expectations of their security partners.
Cyber Resiliency in the Multi-Cloud Era
Reaching a state of cyber resiliency in the multi-cloud era is one the biggest challenges a security leader faces, which is why we’ve decided to tackle this topic and provide actionable insights from Trustwave experts. This three-part e-book will illustrate the biggest challenges you face today operating in multi-cloud environments, but most importantly, offer tactful advice on how to overcome them