Part 1: Understanding the IoT Risk
The Internet of Things (IoT) – the internet-connected and networked physical devices like vehicles, household appliances, security cameras, and other smart devices we use every day – has made our lives immeasurably more efficient. But these devices have also created new opportunities for hacking, resulting in growing concerns about IoT security risks.
These devices are all too often designed to be developed and manufactured quickly and may lack data security protections. However, because of the broad range of IoT devices, and the low prices of some of these smart items, it’s entirely possible that not only may corporations and government agencies have purchased and installed these devices, but also that individual employees (or even an unauthorized person with access to your premises) may have added them to your network. Depending on how networks are configured, simply plugging a device in may start up the process of connecting it to one of your company networks.
The trouble is that a hacker can compromise these devices – and many are designed to be accessible from anywhere in the world – and install malware that can support anything from ransomware to the theft of company secrets. An attacker may also steal the kinds of personal and health information that constitute data breaches that have to be reported to regulators and can negatively affect your reputation.
There are five major IoT risks that you need to manage starting right now:
- Experiencing a DDoS attack launched from IoT devices.
A range of criminal groups, hacktivists, and terrorist organizations have more tools than ever to carry out these attacks. For instance, code able to launch an attack against a journalist via hijacked IoT cameras and digital video recorders has been released publicly.
Action: Working with your internet service provider, develop a plan for dealing with DDoS attacks. The plan should also cover customer service issues in the event of a successful DDoS incident.
- IoT devices on your network attacking a target outside your organization.
If you have vulnerable IoT devices on your network, they could be infiltrated by a criminal to become part of their “botnets” which could attack a target organization. Aside from using a huge amount of bandwidth, there’s also the danger of having your own connection attacked or your internet address being taken down in an attempt to stop the attack, or in retaliation in a “hack-back” scenario. The evolving legal status of hack-back activities by private sector organizations could increase the danger of being targeted. In these cases, the reality is that it won’t matter that your devices are being controlled by outsiders and that your organization has no knowledge of the unauthorized activity.
Action: There are indicators of compromise that your IT department can look for – make sure your team is aware of the issue and takes steps to monitor for it.
- IoT devices acquired by IT which have unmanaged risks.
We have found that IT departments acquiring IoT technology often focus exclusively on functionality. They may not realize that there are issues like insecure passwords, antennas that could be used to bypass network security, or a lack of security updates that may leave your enterprise open to attack.
Action: Develop and issue guidelines for your IT department on the selection of IoT devices and their deployment within your network.
- IoT devices acquired by other company units which have unmanaged risks.
What’s worse is that many IoT devices may not be purchased by or in consultation with IT. The corporate security department may be buying smart locks. The indoor environmental engineer may be buying smart thermostats or sensors. Maintenance may be buying smart light bulbs.
Action: Require that the purchase of any device that can connect to a company network – either through Wi-Fi or Bluetooth – must be approved by IT per your established guidelines.
- IoT devices owned by employees, visitors, contractors, or vendors that can be attached to your network.
To make a risky situation worse, employees, contractors, visitors, vendors, or others may introduce IoT devices into your environment. Many low-cost IoT devices have been shown to have little or no security. The situation can be even more complicated for organizations that contract with others for services or hardware. Your data could be compromised while stored on a cloud platform if the company storing the data lacks appropriate security. Their risk of compromise through IoT devices attached to their networks can result in data breaches that can be costly to you in terms of remediation, notification costs, and reputational damage.
Action: The bottom line is that when a device is allowed to be connected to your network (or your ultimate information storage location), you inherit the risk associated with the device. Determine under what circumstances, as well as the criteria you will use, to permit an external party to connect an IoT device to your network. Likewise, familiarize yourself with your cloud provider’s policies and procedures specific to IoT devices, and if necessary, negotiate additional protections into your provider agreement.
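The monitoring step in the second risk above (IoT devices on your network being driven to attack outside targets) and the inventory requirement in the fourth are easier to act on with a concrete check. The script below is an added example, not part of the original article: it runs over a constructed set of outbound flow records (such as your firewall or NetFlow collector would export) and flags internal hosts that flood a single external address, fan out to many external destinations, or are not in the IT-approved inventory. The internal range, the inventory, and the thresholds are assumptions to be replaced with your own values.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: the site's internal address range and the IT-approved device inventory
INTERNAL = ip_network("10.0.0.0/8")
APPROVED = {"10.0.7.3": "workstation", "10.0.5.21": "lobby camera"}

# Constructed sample outbound flow records for one 60-second window:
# (source, destination, destination port, packets sent)
FLOWS = [
    ("10.0.5.21", "203.0.113.7", 80, 120_000),     # camera flooding one host
    ("10.0.5.21", "203.0.113.7", 443, 90_000),
    ("10.0.7.3", "198.51.100.10", 443, 30),        # ordinary browsing
    ("10.0.7.3", "198.51.100.12", 443, 22),
] + [("10.0.9.44", f"192.0.2.{i}", 8080, 2) for i in range(1, 41)]  # unlisted device fanning out

def find_suspect_devices(flows, internal=INTERNAL, approved=APPROVED,
                         flood_pkts=50_000, fanout_limit=25):
    """Return {source_ip: set(reasons)} for internal hosts whose outbound traffic
    looks like botnet activity, or that are not in the IT inventory."""
    pkts_to_dst = defaultdict(int)        # (src, dst) -> packets in the window
    dsts_per_src = defaultdict(set)       # src -> distinct external destinations
    for src, dst, _port, packets in flows:
        if ip_address(src) not in internal or ip_address(dst) in internal:
            continue                       # only internal -> external flows matter here
        pkts_to_dst[(src, dst)] += packets
        dsts_per_src[src].add(dst)
    findings = defaultdict(set)
    for (src, dst), packets in pkts_to_dst.items():
        if packets >= flood_pkts:          # sustained volume to one target
            findings[src].add(f"flood: {packets} packets to {dst}")
    for src, dsts in dsts_per_src.items():
        if len(dsts) >= fanout_limit:      # contacting many hosts in a short window
            findings[src].add(f"fan-out: {len(dsts)} external destinations")
        if src not in approved:            # device never approved by IT
            findings[src].add("not in IT inventory")
    return dict(findings)

if __name__ == "__main__":
    for host, reasons in sorted(find_suspect_devices(FLOWS).items()):
        print(host, "->", "; ".join(sorted(reasons)))
```

A hit is a prompt to pull the device off the network and inspect it, not proof of compromise; tune the thresholds against a week of normal traffic before alerting on them.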
In part 2 of this series, we’ll look at the elements of an IoT action plan that you can implement to manage and mitigate risks, and to be prepared to respond if a threat materializes.