Gaping holes in IoT challenging security teams
By Allan Tan
Business Insider Intelligence forecasts there will be more than 41 billion IoT devices by 2027, up from 8 billion last year. Gartner says the IoT security market is driven by annual average growth of 20%, but spend patterns vary significantly across sectors. While manufacturing, automotive and transportation drive spending, other sectors lag behind.
When you consider that some devices like smart TVs, fridges, and air conditioners are now connected to the internet, IoT security cannot continue to be an afterthought.
The risks are real
In 2019, incidents, threats and vulnerability disclosures outside of traditional enterprise IT systems increased and pushed leading organizations to rethink security across the cyber and physical worlds. Emerging threats such as ransomware attacks on business processes, potential siegeware attacks on building management systems, GPS spoofing and continuing OT/IOT system vulnerabilities straddle the cyber-physical world. Organizations primarily focused on information-security-centric efforts are not equipped to deal with the effect of security failures on physical safety.
To what extend should organisations worry about IoT security (or insecurity) and can one continue to ignore what is right in front of them?
Sean Duca, vice president and regional chief security officer, Japan & Asia Pacific with Palo Alto Networks, commented: “After all, it’s a device connected to the internet, runs software and more than likely was not able to be securely updated, had rudimentary authentication (default username and password) which in this day and age, makes for a perfect target for cybercriminals.”
The risk of continued ignorance is that we have a plethora of devices which are connected to the internet which can easily be compromised for nefarious activities. As we become more dependent on these devices and the networks they sit on, they can be used to prevent us from using our own systems and access what is needed.
Asked whether IoT insecurity is driven by ignorance or avoidance, Duca sees it more of the latter.
“The least path to resistance has been an approach used by many before. IoT security is important as we have just crossed the point of 8 billion connected devices in 2019 and it is expected we will have 41 billion connected devices in 2027, now is the time we need to make change occur as the problem will be a lot harder with an exponential increase in the number of devices,” stressed Duca.
The key starting point is to have visibility.
“If an enterprise cannot see what is connected to their network, they will not be able to do something about it. It starts with visibility as it will allow you to then be informed to segment what is critical from devices and systems which may comprise an organisation’s risk posture,” concluded Duca.
Earlier, FutureIoT cover the issues in an earlier post. Below is a recap of the issues as published on “Cybersecurity risks loom over medical wearables and kitchen appliances” Tanner Johnson, senior cybersecurity analyst at Omdia, said traditional networks are ill-equipped to handle the surge in adoption of IoT devices. “Device behaviour baselines need to be established to allow for new recommended policies to help stop malicious activity. For instance, it would raise a flag if a connected thermostat started transmitting gigabytes of data to an unfamiliar site,” said Johnson.
In a new report commissioned by Palo Alto Networks revealed that heart monitors, kettles and exercise bikes and other connected devices are found to be regularly connecting to corporate networks in Hong Kong. Overwhelmingly, 91% of Hong Kong respondents report a rise in the number of IoT devices connecting to their networks over the last year. One red flag emerged: 31% of respondents said they need to make a lot of improvements to the way they approach IoT security, and 37% said that a complete overhaul is needed, amounting to more than two-thirds of those polled. “Devices that employees innocently bring onto an organization’s network are often not built with security in mind, and can be easy gateways to a company’s most important information and systems,” said Wickie Fung, managing director, Hong Kong and Macau at Palo Alto Networks. “To address that threat, security teams need to be able to spot new devices, assess their risk, determine their normal behaviours and quickly apply security policies.” One in five of those surveyed reported that they have not segmented IoT devices onto separate networks – a fundamental practice for building safe, smart networks. Only 21% reported following best practices of using micro-segmentation to contain IoT devices in their own tightly controlled security zones.