Billions of internet-connected devices are installed in homes and businesses worldwide, collectively constituting the “internet of things” or “IoT.” Whether adopted for their everyday convenience (e.g., a refrigerator or thermostat) or purpose-built to support critical functions (e.g., a heart monitor or a region’s power grid), these devices are more widespread than ever before, thanks in part to lower and lower price points.
Some of these devices have been designed with security in mind. Sadly, most of them have not. Their hardware or software may have security weaknesses, or vulnerabilities, with no way to “patch” the problem to remove the risk. Devices may receive updates, but many are barely protected by standard, fixed passwords that are not secret and cannot be changed, leaving the door open to all sorts of intrusions. Others at least have a changeable password, but the manufacturer is not diligent about creating and publishing security updates and forcing user password updates.
Aside from a lack of basic cybersecurity measures, another problem that we believe is under-recognized is cyber obsolescence. Devices may become incapable of being updated because the manufacturer has moved on to newer devices or software. Take the US$10,000 (and up) Apple Watch that was sold only three years ago. It will become obsolete because it won’t be able to run the newest version of Apple’s watch operating system and updates to the watch’s software won’t be forthcoming. In some cases, the manufacturer of a device has gone out of business, leaving the devices it created as security “orphans”.
What’s the Risk to My Organization?
The IoT vulnerabilities that have received the most publicity have tended to be in the medical device arena. For example, specific models of infusion pumps (which regulate the volume of intravenous fluids delivered to a patient) have been found susceptible. At the 2018 Defcon Convention, researchers from an anti-malware company demonstrated how hackers could direct a hospital device to report a patient had “flatlined” – that their heart had stopped. The alert could cause a nurse to call a “code blue,” starting an extremely intensive and totally unneeded attempt to save the patient’s life.
But the risks are just as real and pervasive in every industry. The energy industry is implementing more IoT in the field to increase communication and data-sharing efficiencies. Organizations across the finance, insurance and banking, manufacturing and retail industries – in fact, virtually all industries – are seeking to improve operations and the bottom line through IoT.
Remember, the risk is not limited to the individual IoT device. The problem is far worse. An IoT device with vulnerabilities can be used to compromise an entire network, possibly leading to the introduction of malware, including ransomware. For example, IoT devices used by the energy industry in the field could be riddled with vulnerabilities as they send measurement data, via APIs (application programming interfaces), back to a unified corporate network and systems. Does your organization have enough protections and detections in place to prevent the introduction of malware through IoT devices?
According to last year’s FBI Internet Crime Report, business email compromise (BEC) scams in 2018 resulted in losses of over $1.2 billion, nearly twice as much as the previous year. BEC can spread an attacker’s access from email to sensitive corporate systems and other endpoints or IoT devices. If your organization allows email to be accessed via smartphone, are appropriate protections in place to limit access to internal systems?
IoT devices represent at least a potential – and more likely a very real – threat to corporate systems and data. At the core, IoT devices represent the new network perimeter and need to be protected thoughtfully. Unfortunately, many organizations we see don’t know about, and can’t keep up with, the IoT devices that are being attached to their networks.
The IoT 2020 Pledge
Not knowing what is or is not attached to a corporate network – including the security status of each device – is an irresponsible position for any organization to take. That is why we are urging organizations globally to take what we call the IoT 2020 pledge. By the end of 2020, organizations will pledge to:
- Write and implement rules restricting IoT devices that can be attached to any organizational network to those that are approved by our information security specialists. This includes devices procured by the company as well as those supplied by employees, contractors, vendors or others.
- Inquire into the security status of each device for which a connection request is received. Only those devices with reasonable security will be approved for connection to company networks. However, other devices may be approved for connection to a guest network that is totally separate from and not connected to company networks.
- Implement controls to enable the real-time inventory, monitoring and control of devices connected to company networks so we may know when a new device is connected. This will give us the option to reject connections of devices that have not been preapproved by the information security unit.
- Provide information to our employees on these safeguards and require compliance.
- Inquire into the IoT policies of any business partner, supply chain partner, vendor or other external organization that is authorized to connect to our network to determine if their devices represent a risk to our networks, and take appropriate steps to protect our network security.
- Work with our internal auditors, corporate/agency compliance specialists and external security review personnel to assure that IoT is included in reviews, audits and compliance work to help ensure that our policies are implemented as intended.
- Update our IoT-related policies regularly to keep up with changes in technology.
- Include the status of our IoT-related security plans and operations in our reports to senior management and the board of directors.
- Revoke access to IoT devices and software with known (or discovered) vulnerabilities and poor security design without greatly impeding business efficiencies.
We've made a print-ready version of the pledge available for download on this page.
While each element of the IoT 2020 pledge is important, the real key is for an organization to recognize the issue and take active steps to address it. At a minimum, this should be a priority for the chief information officer jointly with the chief information security officer. We also believe this risk must be brought to the attention of the board of directors to seek oversight of the organization’s response to the challenge.
Of course, an organization can choose not to think about the IoT problem, or to think about it and decide to ignore it, but neither of those represents a guarantee that the IoT risk will ignore you. Don’t become a needless victim when the actions we’ve outlined can materially reduce the risk of becoming the victim of an IoT ambush.