Tag Archives: Internet of Things

Prioritizing security in the age of Internet of Things

It is almost impossible to overestimate the importance of IoT security. However, businesses appear to be somewhat myopic when it comes to securing their IoT deployments and Proof-of-Concept projects. Enterprise networks across the globe have millions of unmanaged IoT devices connecting to them every single day. IoT security breaches are costly both operationally and financially, bleeding enterprises to the tune of $2.5 million per attack. Despite the high cost, security is yet to emerge as the focal point of attention and action for IoT engineers, business heads, and developers.

Early days

Like other new and innovative technologies that came before it, IoT is right now going through its initial adoption phase. The immediate questions that are asked include: can we hive off a manual process? How do we improve data transmission speeds? Is it possible to make our machines learn? When the answer is yes, the solution in most instances is IoT technology. However, the rush to adopt and deploy these new possibilities has left many CISOs encountering a growing challenge in the form of security.

Over the last few decades, Supervisory Control and Data Acquisition (SCADA) systems have played a major role in industrial operations. Industries like oil and gas, energy/smart grid, agriculture, manufacturing, and utilities have implemented SCADA systems and networks to collect data and automate processes, and are looking to automation systems for more effective ways to operate. Attacks on such critical infrastructure could cause billions in damage and some businesses will find it difficult to get back on their feet.

In the last five years alone, mass rapid transit and power and water systems across the globe have been attacked and shut down by hackers. Many of these attacks were designed to manipulate the behavior of the masses and in some instances to inflict unacceptable damage to the economies of the countries involved. Attacks on massive IoT systems like the command and control setup of a smart city could cause disruption on a scale that we have never seen before.

Inherent vulnerabilities

In 2017, over 2 million IoT devices were found to be compromised in a single instance of a powerful malware infection. The malware, dubbed Reaper or IoTroop, was found to be quietly harvesting data across these devices for purposes yet to be fully understood. Reaper was found to exploit 9 vulnerabilities and, according to some researchers, the malware in a mutated form might still be lurking around exploiting vulnerabilities.

Most IoT devices are riddled with vulnerabilities but were not built with patching and updating in mind. Cameras, routers, printers, sensors—all have internal firmware, which usually works for years without an update. As a result, there are many IoT devices, with different versions of kernels, frameworks, web-servers, and applications. And even if manufacturers could develop patches, the logistics of upgrading the software or firmware is extremely challenging.

Compounding the challenge is an unwavering focus on establishing data streams and ensuring PoC success at all costs. In their drive to make IoT deployments successful, decision-makers and other stakeholders often overlook vulnerabilities and long-term security requirements across processes, devices, data flow, storage, and analytics. Security is not even an afterthought in many instances.

How to prioritize security?

Security should be an integral part of the drawing board for every project. Beyond that, the entire length and breadth of the value chain and IoT implementation should be fortified to secure data, devices and storage mechanisms. Here are a few other steps that are recommended:

  • Security should be part of every IoT discussion within or outside your organization to the extent possible
  • Run internal hackathons and stress test scenarios to identify and fix vulnerabilities
  • Always keep your firmware and software updated and patched
  • Use systems to detect unusual traffic flow or other anomalies
  • Secure legacy systems first
  • Go for layered security with multi-point data encryption
  • Run isolation and remediation drills for devices
  • Identification and authentication of devices is a must

Remember that you are always in the crosshairs of a prospective hacker, and the best security strategy is to increase the distance between them and your critical systems and data.

Are smart transportation systems sitting ducks for hackers?

The answer is yes. While investments in public and private transportation systems have grown reasonably well in the last decade, the investments in cybersecurity measures have not increased proportionately. With cybersecurity being grouped with the lowest of investment and resource allocation priorities, hackers and groups with questionable intent have found an avenue to exploit. The result: global and frequent attacks on smart transportation infrastructure.

Vehicles (cars, trucks, buses, etc.) are fundamental units of transportation. They are also the targets for multi-pronged cyber-attacks by hackers. What makes these diverse modes of transit so attractive for hackers? Widespread disruption, scope for ransom payment by authorities or affected people, or simply the ease of attack. It is a well-known fact that in the developed world, some of the most critical infrastructure runs on outdated and degraded operating systems with plenty of unpatched vulnerabilities. Hackers and hacktivist groups have known this for a while now.

IoT Security in the banking and financial services space

IoT presents boundless opportunities for the banking industry. Frictionless onboarding, contextual services, multichannel payments, smart asset tracking and back-end optimization are some of the key reasons driving IoT adoption among banks in India. However, IoT also exposes the banks adopting it to cyber security breaches that could threaten the trust and reputation that banks base their existence on.

India ranks fourth among the top 10 most targeted countries by cyber criminals. In the period between April 2017 and January 2018, over 22,000 websites including those belonging to the government were hacked. A major public sector bank and a private bank in Pune lost nearly INR 100 crores to hackers who exploited weaknesses in the system to channel money to accounts abroad.

The introduction of the Internet of Things to the banking IT infrastructure adds another dimension to the problem. IoT, an enabler of many business outcomes, opens up new and hitherto unknown vulnerabilities in the system that could be exploited by criminals. IoT malware for perpetrating various types of attacks on the banking infrastructure is openly available on the dark web, and criminals are constantly modifying their attack strategies and tactics to slip under the security radar to siphon money and data from banks.

Cyber criminals are today deploying Machine Learning (ML) and Artificial Intelligence (AI)-based technologies to launch more sophisticated attacks. ML and AI offer a high level of automation, and in a situation where a bank is not aware of its complete inventory of connected assets, a cybercriminal could exploit vulnerabilities in the data chain before the bank could mobilize resources to plug them.

Through a daring attack in 2016, hackers shut down the internet across the east coast of the US using IoT devices. The bot used in this attack was also used to launch attacks on banks in the past. This episode clearly highlighted the dual or multiple use nature of the vectors connected with IoT attacks. Vectors could be reused multiple times to launch attacks on a range of industries that are using IoT to varying degrees.

In June this year, a malware was tracked attempting to modify the DNS server settings in the routers of Brazilian residents to redirect their DNS requests to a spurious DNS server. This malicious server was hijacking data traffic bound for the host name of a prominent Brazilian bank and redirecting it to a fake website of the same bank hosted on the same malicious server.

Banks employ traditional IT security strategies to secure IoT ecosystems. While this provides a false sense of security, these strategies do very little, if anything, to mitigate the threats. The inherent characteristics of IoT, such as low compute, long deployment lifetimes and lack of standards, make these ecosystems very difficult to secure with traditional IT security systems. IoT security can only be ensured by using paradigms and systems that are designed for IoT ecosystems. Some of these paradigms include strong but lightweight encryption, agentless monitoring and ecosystem-specific threat mitigation.

Cyber security should be a key consideration in all IoT deployments and should be included as early as possible in the project lifecycle. The first step is to analyze the whole ecosystem for threats: while individual components (device, connectivity or platform) may be individually secure, cyber security vulnerabilities open up at the seams where these typically diverse components, probably supplied by multiple vendors, integrate. Next, banks must consider all possible protection strategies to lower the attack surface of the IoT ecosystem; this may include segregation from the main network, closed connectivity through MPLS, etc. The third consideration is to put a continuous monitoring system in place, one specifically designed for IoT that leverages IoT-specific threat intelligence and advanced machine learning to detect threats that are rampant in IoT.

All cybersecurity strategies should work with one tenet: despite all the systems and processes that are put in place, breaches are inevitable. Cyber resiliency is the ability to respond to and recover from breaches. Banks should have response plans that satisfy regulatory requirements, and public messaging in place to regain the trust of patrons. IoT ecosystems, once integrated, become critical to the operations of the bank, and hence business continuity should also be a key consideration in the event of a cyber-attack.

Secure IoT promises to improve customer interaction, create competitive advantage and lower costs for banks. Security is the only differentiator that can ensure that IoT becomes a key differentiator for the bank; the lack of it just makes IoT the Achilles heel in a bank’s operations and another failed project.
