Ian Kilpatrick discusses the unstoppable growth of the Internet of Things and the necessity for businesses to protect their computer networks.
Flickering lightbulbs, scary Barbie dolls, infected computer networks and cities out of action. Could this be the brave new world of Internet of Things (IoT) if we neglect security?
For several years, the IT industry has enthusiastically extolled the virtues of the IoT, eager to enlighten us to the difference that living in a connected world will make to all our lives.
Now the IoT is here – in our homes and in the workplace.
Its uses range widely, from domestic time-savers like switching on the heating, to surveillance systems, to ‘intelligent’ light bulbs, to the smart office dream.
This proliferation of devices and objects collects and shares huge amounts of data. However, proliferation also has the potential to create greater opportunities for vulnerabilities. As these devices are connected to each other, if one is compromised, a hacker can potentially connect to other devices.
The weakest link
Indeed, there have been a number of high-profile cases where everyday items have been used to force websites offline. Hackers have harnessed the weak security of internet-connected devices, like DVRs and cameras, using implanted botnets to take down sites such as Amazon, Netflix, Twitter, Spotify, Airbnb and PayPal.
More recently, security vulnerabilities in the Wi-Fi enabled Barbie doll were discovered, turning it into a surveillance device by joining the connected home network!
Elsewhere, researchers said they had developed a worm that could potentially travel through ‘smart’ connected lightbulbs city-wide, causing the web-connected bulbs to flick on and off.
These are just a few examples of the security failures in devices for the IoT. Unfortunately, they are not the exception. Manufacturers are rushing to make their devices internet-connected but, in many cases, with no thought (or indeed knowledge) around security.
Smart isn’t always safe
The next step on the journey is connected or smart cities, where the consequences of an attack are enormous. It’s not just one lightbulb – a hacker can potentially plunge an entire city into darkness, or disable surveillance systems, causing chaos.
With IoT devices now moving into the workplace, organisations are increasingly vulnerable to attack. A survey by analyst group 451 Research predicts that enterprises will increase their IoT investment by 33% over the next 12 months. However, security remains a concern, with half of respondents citing it as the top impediment to IoT deployments.
There’s no turning back the tide of any of these IoT applications – and in fact we shouldn’t try to halt progress. However, checking the security capabilities before deployment isn’t a bad strategy, especially as it is important to ensure that the advance of IoT isn’t providing hackers and criminals with another entry point for attack.
The IoT challenge is backfilling security onto connected devices. Because these devices are not running on standard operating systems, they are often invisible to a large part of an organisation’s defences. If a device is compromised, and you end up with malware within your organisation, you must first spot the breach, and then find out where it’s coming from – not an easy task.
Cleaning the device won’t necessarily fix the problem. A compromised IoT device within your security perimeter will just continue to re-infect other devices.
There are many different types of solutions available. Kaspersky Labs, for example, has Kaspersky OS, a secure environment for the IoT. Other suppliers, including Tenable Networks and Check Point, also provide solutions that are relevant here.
A key action for organisations is to pay close attention to the network settings for IoT devices and, where possible, separate them from access to the internet and other devices.
Also, IoT devices should be identified and managed alongside regular IT asset inventories. Basic security measures like changing default credentials and rotating strong Wi-Fi network passwords should be used.
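An added example, not part of the original article: one way to check the actions above in a single pass, flagging devices that are missing from the asset inventory, IoT devices sitting outside their own network segment, and devices still on default credentials. The inventory records, observed addresses and the 10.20.0.0/24 IoT segment are all constructed for illustration.

```python
import ipaddress

# Assumed layout (hypothetical): IoT devices belong in their own segment.
IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")

# Constructed asset inventory: MAC -> record kept with the regular IT assets.
INVENTORY = {
    "aa:bb:cc:00:00:01": {"name": "lobby-camera", "type": "iot",
                          "default_creds_changed": True},
    "aa:bb:cc:00:00:02": {"name": "meeting-room-bulb", "type": "iot",
                          "default_creds_changed": False},
    "aa:bb:cc:00:00:03": {"name": "finance-laptop", "type": "it",
                          "default_creds_changed": True},
}

# Constructed observations, e.g. exported from DHCP leases: (MAC, IP).
OBSERVED = [
    ("aa:bb:cc:00:00:01", "10.20.0.11"),  # camera, correctly segmented
    ("aa:bb:cc:00:00:02", "10.10.0.57"),  # bulb sitting on the office LAN
    ("aa:bb:cc:00:00:03", "10.10.0.20"),  # laptop on the office LAN
    ("aa:bb:cc:00:00:99", "10.10.0.88"),  # not in the inventory at all
]

def audit(inventory, observed, iot_segment=IOT_SEGMENT):
    """Return sorted (mac, finding) pairs for devices that break the policy."""
    findings = []
    for mac, ip in observed:
        record = inventory.get(mac.lower())
        in_iot_segment = ipaddress.ip_address(ip) in iot_segment
        if record is None:
            findings.append((mac, "unknown device: not in asset inventory"))
            continue
        if record["type"] == "iot":
            if not in_iot_segment:
                findings.append((mac, "IoT device outside the IoT segment"))
            if not record["default_creds_changed"]:
                findings.append((mac, "default credentials not changed"))
        elif in_iot_segment:
            findings.append((mac, "non-IoT device inside the IoT segment"))
    return sorted(findings)

if __name__ == "__main__":
    for mac, finding in audit(INVENTORY, OBSERVED):
        print(f"{mac}  {finding}")
```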
As much as IoT manufacturers need to embed adequate levels of security, the ultimate responsibility is with the user. This is particularly true as Chief Information Security Officers (CISOs) are under more pressure than ever to maintain the integrity of their organisations in the face of increasing legislation, such as the General Data Protection Regulation (GDPR), which carries potentially crippling fines for data breaches.
Protect your own
Ultimately, IoT is here, and it isn’t secure. It won’t be until IoT device manufacturers make it secure, which will be many years in the future. In the meantime, it’s down to organisations to make sure they are protected. User education should be a key element in defence around IoT deployment, partly because of the increased risks of shadow deployment in the workplace with IoT devices.
Business leaders need to ask their IT department for a strategic plan to deal with IoT vulnerabilities, rather than burying their heads in the sand. As the saying goes, fail to plan and plan to fail.
Ian Kilpatrick is Executive Vice-President of Cyber Security for Nuvias Group.
Ian is a thought leader, with a strong vision of the future in IT. He focusses on business needs and benefits, rather than just technology. He is a much-published author and a regular speaker at IT events.