The Internet of Things (IoT) broadly refers to devices and equipment that are readable, recognizable, locatable, addressable and/or controllable via the internet. This includes everything from edge computing devices to home appliances, from wearable technology to cars. IoT represents the melding of the physical world and the digital worked, as sensors are not costly and wireless access is now ubiquitous.
These days, if a device can be turned on, it can most likely be connected to the internet. Because of this, data can be shared quickly across a multitude of objects and devices, thereby increasing the rate of communications.
According to a recent EY (Ernst & Young) study, Cybersecurity and the Internet of Things, it is estimated that the number of connected devices globally will exceed 50 billion by 2020. Fulfillment of this forecast will give any business, no matter the industry, access to endless amounts of vital, real-time data about their company and customers.
Inside and outside the workplace, IoT has the capacity to greatly change the way we work and live. In terms of economic impact, the McKinsey Global Institute estimates that the Internet of Things has the potential to impact economies up to $6.2 trillion annually by the year 2025.
Unfortunately, there are some pressing cybersecurity challenges associated with IoT. According to a study conducted in April of 2017 by The Altman Vilandrie & Company, nearly half of U.S. firms using the Internet of Things have experienced cybersecurity breaches. The study surmised that the cost of the breaches represented 13.4% of the total revenues for companies with revenues under $5 million annually and tens of millions of dollars for the largest firms. Nearly half of firms with annual revenues above $2 billion estimated the potential cost of one IoT breach at more than $20 million.
The potential of IoT for both the public and private sectors is undeniable. But given the costs of a data breach and frequency of IoT-related security incidents, companies, agencies and consumers also need to understand the cybersecurity risks associated with an increasingly inter-connected global society. The billions of connected devices and trillions of sensors enabling IoT are creating an immense attack surface of insecure endpoints and web interfaces with pervasive vulnerabilities for hackers to exploit.
There are estimates that nearly half of all companies in the United States that use an Internet of Things (IoT) network have been affected by a security breach. A recent Federal Trade Commission report called attention to the fact that just 10,000 households can generate 150 million data points daily, which provides a significant number of entry points for hackers.
The prevailing perspective from a security operations perspective is that anything can be hacked in the Internet of Things. Most alarming, because of the connectivity of IoT, viruses can spread further and more rapidly. Also, there are unique challenges to IoT devices. Unlike laptops and smartphones, most IoT devices possess fewer processing and storage capabilities. This makes it difficult to employ anti-virus, firewalls and other security applications that could help protect them. At the same time, edge computing intelligently aggregates local data, making it a concentrated target for sophisticated threat actors.
The security challenge comes down to understanding what is connected in the IoT landscape, knowing how to best protect the most important assets and effectively mitigating and remediating a security incidents and breaches. A first step is building this security capability is to create an IoT risk management framework.
A risk management approach is fundamental to anything involving security, whether it is physical or digital. IoT combines both those elements. Cybersecurity must address technology, interoperabilit, business, and consumer risk. There are no failsafe solutions, and the task of securing IoT is monumentally difficult, especially as connectivity grows.
A viable risk management strategy requires stepping up assessing situational awareness, policies & training, technology integration, information sharing, mitigation capabilities and cyber resilience. An IoT security framework has unique security characteristics and must consider the requirements of changing default passwords on manufactured delivered devices. It should also analyze the impact of segmentation and/or isolation of IoT devices on reducing risk and attack surfaces. The end goal is to optimize solutions and services and determine what level of security is required for implementation.
More specifically, the framework should be defined by the most basic elements and best practices in managed risk: layered vigilance (intelligence, surveillance); readiness (operational capabilities, visual command center, interdiction technologies); and resilience (coordinated response, mitigation and recovery).
The complexity, diversity and lack of regulations of the IoT ecosystem pose a significant challenge to creating an operational IoT risk management framework. This is especially a concern in the amalgamation of legacy and new technologies in networks.
For some time, the creation of standards to protect IoT devices has been a topic of discussion among governments, industry and organizations. It is a difficult quest because manufactures do not share many design elements and metrics, so standards are not easy to establish. Professional associations are attempting to set standards for functional IoT compatibility in the meantime.
For example, the IEEE Standards Association is working on creating a cross-domain architectural frame work called the P2413 Standard for an Architectural Framework for the Internet of Things. Another IoT standard is being proposed by the Industrial Internet Consortium (IIC) for critical infrastructure.
Yet another IoT standard effort involves the one M2M alliance. The group is developing technical specifications that address the need for a common M2M (machine-to-machine) Service Layer. While standards may or may not be adopted, lessons learned from the discussion can add to creating a more efficient security posture.
Recently, the United States Government Accountability Office issued an assessment of the status and security issues surrounding the Internet of Things. The GAO identified the following type of attacks as primary threats to IoT:
- Denial of Service
- Passive Wiretapping
- Structured query language injection (SQLi controls a web application’s database server)
- Wardriving (search for Wi-Fi networks by a person in a moving vehicle)
- Zero-day exploits
Ransomware (in conjunction with malware) would be a good add to the GAO list. A variant of ransomware called “WannaCry” spread swiftly in 2017 and 2018, reaching over 100 countries and infecting over 200,000 computers. WannaCry disrupted government entities and many organizational and company networks that have connectivity to IoT.
The Department of Homeland Security (DHS) and National Institute of Standards and Technology (NIST) also have released new security guidelines for the Internet of Things. This was done after a massive distributed denial-of-service attack targeted devices and shutdown many popular websites like Twitter and Etsy in 2016.
The adoption of a common set of standards for manufactures and providers, combined with the promotion of security best practices, will help bring a higher level of security for IoT devices. Unfortunately, the longer the wait, the more difficult it will be to implement a compliance framework that allows for patching and auditing as well as tracking threats.
IoT attacks will likely never be fully prevented, but there is an assortment of policies and technology tools that can help. These measures include machine learning and artificial intelligence and threat automation using real-time and predictive analytics. Also, IoT security is should include elements of access control, credential verifications, encryption and hardening of systems, applications and endpoints.
As a society on the verge of unparalleled exponential connectivity, we are entering unchartered digital territory. New risks and unforeseen issues will no doubt confront us as the Internet of Things continues to evolve and expand. To address the potential perils of IoT, we need to develop working standards, build IoT security risk frameworks and develop emerging technologies to mitigate and remediate cyber-attacks. Security of IoT must be more than a priority; it needs to be an imperative.
About the Author: Chuck Brooks is the Principal Market Growth Strategist of General Dynamics Mission Systems for Cybersecurity and Emerging Technologies. He is also Adjunct Faculty in the graduate Applied Intelligence Program at Georgetown University and teaches courses in risk management, homeland security and cybersecurity. LinkedIn named Chuck as one of “The Top 5 Tech People to Follow on LinkedIn” out of their 600 million members. He was named by Thompson Reuters as a “Top 50 Global Influencer in Risk, Compliance” and by IFSEC as the “#2 Global Cybersecurity Influencer” in 2018. In both 2017 and 2016, he was named “Cybersecurity Marketer of the Year by the Cybersecurity Excellence Awards. He is also a featured contributor to FORBES, a Cybersecurity Expert for “The Network” at the Washington Post and Visiting Editor at Homeland Security Today. He has an MA in International relations from the University of Chicago, a BA in Political Science from DePauw University and a Certificate in International Law from The Hague Academy of International Law.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.