It is almost impossible to overestimate the importance of IoT security. However, businesses appear to be somewhat myopic when it comes to securing their IoT deployments and Proof-of-Concept projects. Enterprise networks across the globe have millions of unmanaged IoT devices connecting to them every single day. IoT security breaches are costly both operationally and financially, bleeding enterprises to the tune of $2.5 million per attack. Despite the high cost, security has yet to emerge as the focal point of attention and action for IoT engineers, business heads, and developers.
Like other new and innovative technologies that came before it, IoT is currently going through its initial adoption phase. The immediate questions that are asked include: can we hive off a manual process? How do we improve data transmission speeds? Is it possible to make our machines learn? When the answer is yes, the solution in most instances is IoT technology. However, the rush to adopt and deploy these new possibilities has left many CISOs facing a growing security challenge.
Over the last few decades, Supervisory Control and Data Acquisition (SCADA) systems have played a major role in industrial operations. Industries like oil and gas, energy/smart grid, agriculture, manufacturing, and utilities have implemented SCADA systems and networks to collect data and automate processes, and are looking to automation systems for more effective ways to operate. Attacks on such critical infrastructure could cause billions in damage and some businesses will find it difficult to get back on their feet.
In the last five years alone, mass rapid transit, power, and water systems across the globe have been attacked and shut down by hackers. Many of these attacks were designed to manipulate the behavior of the masses and, in some instances, to inflict unacceptable damage on the economies of the countries involved. Attacks on massive IoT systems like the command and control setup of a smart city could cause disruption on a scale that we have never seen before.
In 2017, over 2 million IoT devices were found to be compromised in a single instance of a powerful malware infection. The malware, dubbed Reaper or IoTroop, was found to be quietly harvesting data across these devices for purposes yet to be fully understood. Reaper was found to exploit 9 vulnerabilities and, according to some researchers, the malware might still be lurking around in a mutated form, exploiting vulnerabilities.
Most IoT devices are riddled with vulnerabilities but were not built with patching and updating in mind. Cameras, routers, printers, and sensors all have internal firmware, which usually works for years without an update. As a result, there are many IoT devices with different versions of kernels, frameworks, web servers, and applications. And even if manufacturers could develop patches, the logistics of upgrading the software or firmware are extremely challenging.
Compounding the challenge is an unwavering focus on establishing data streams and ensuring PoC success at all costs. In their drive to make IoT deployments successful, decision-makers and other stakeholders often overlook vulnerabilities and long-term security requirements across processes, devices, data flow, storage, and analytics. Security is not even an afterthought in many instances.
How to prioritize security?
Security should be an integral part of the drawing board for every project. Beyond that, the entire length and breadth of the value chain and IoT implementation should be fortified to secure data, devices and storage mechanisms. Here are a few other steps that are recommended:
- Security should be part of every IoT discussion within or outside your organization to the extent possible
- Run internal hackathons and stress test scenarios to identify and fix vulnerabilities
- Always keep your firmware and software updated and patched
- Use systems to detect unusual traffic flow or other anomalies
- Secure legacy systems first
- Go for layered security with multi-point data encryption
- Run isolation and remediation drills for devices
- Identification and authentication of devices is a must
Remember that you are always in the crosshairs of a prospective hacker, and the best security strategy is to increase the distance between attackers and your critical systems and data.