March 8, 2021
The rise of the Internet of Things (IoT) presents new security challenges and risks. Ahead of his appearance at PrivSec Global, Arun DeSouza answers questions on how to ensure your IoT strategies are up to date and effective.
I read the crime novel “The Steel Kiss” by Jeffery Deaver a few years ago. The bad actor here hacks a variety of devices like elevators, microwaves, cars etc. via the Internet with severe ramifications. This book was an eye opener for me as it brought home the danger of unsecured IoT devices.
At present, in the manufacturing industry, we have entered the era of Industry 4.0. Companies are leveraging IoT devices at scale to increase manufacturing efficiency, reduce cycle time and enact cost savings.
The Internet of Things (IoT) can be a game changer. However, the explosive growth of the IoT brings a variety of risks as IoT devices manifest many flaws.
Global privacy regulations such as the General Data Protection Regulation (GDPR) necessitate that enterprises develop a holistic, coordinated IoT security strategy.
The GDPR comes with potential fines up to 4% of revenue for data breaches or privacy violations. In addition to bottom line impact, company brand and reputation are also at stake if the security and privacy risk nexus of the IoT is not managed.
There have been multiple cyber-attacks against IoT devices with resultant compromises across both the enterprise and personal IoT arenas.
A few examples are as follows:
In addition, there have been various other IoT security incidents involving cardiac devices, baby heart monitors and computer webcams. The ramifications range from data loss and downtime to bodily harm.
A wide variety of smart IoT devices including but not limited to the following are susceptible to risks:
Cyber criminals can exploit IoT devices for a variety of purposes such as:
This depends on each device and the state of the security. The complexity can vary.
e.g., a $60 device was used to hack cars.
That is not to say that all devices can be hacked easily all the time.
Security issues could be linked to the devices, the mobile apps controlling them, as well as the networks such as Wi-Fi used to connect the devices.
Vulnerabilities that manifest in IoT devices include but are not limited to:
Supply chain security is mission critical. There have been a number of major supply chain-initiated attacks, such as those involving Target and Marriott. Recently, the SolarWinds attack targeted the customers of compromised organizations. The risks of a data breach from a supply chain attack include but are not limited to:
Users can protect their IoT devices by using some or all of the following steps as feasible:
IoT security vendors must commit to taking the appropriate steps to protect their devices including but not limited to:
This is due to a lack of awareness and the dichotomy between enterprise and personal IoT. Further, at the enterprise level, in many cases IoT devices are deployed by the Operational Technology (OT) engineers. There is very often a lack of alignment between OT & IT. At a personal level, it is very easy to buy IoT devices. Yet the average consumer is now aware of the security and privacy risk nexus of the IoT due to incidents such as the Amazon Echo above or smart TVs “spying” on private activities.
The following are some of the steps which can be taken to evolve IoT Security.
Leverage a layered security architecture for enacting proactive control strategies for IoT devices. Key dimensions needed to enact this strategy across the OT & IoT arena are:
The following “Magnificent 7” IoT Security Guiding Principles may be used as a framework to develop an IoT strategy.
A. Characterize: Identify and classify assets and stratify them by business value and risk
B. Demarcate: Implement network zones with a clear demarcation between IT and OT networks
C. Understand: Visualize and identify threats and vulnerabilities across networks inclusive of devices, traffic, etc.
D. Unify: Control access by users and devices across both secure wireless and wired access
E. Adapt: Leverage Zero Trust principles to enact adaptive control schemes in real time
F. Converge: Develop explicit third-party access and risk management protocols including Privileged Remote Access, which are particularly relevant to OT networks to strengthen the security architecture
G. Beware: The following root causes have led to IoT device security issues in the past. Keep a proactive eye out (Static credentials, Unpatched and unencrypted devices, API security gaps)
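As an added illustration of principles A (Characterize), B (Demarcate) and G (Beware), the following Python script runs a classification, zone-demarcation and root-cause check over a constructed asset inventory. It is example code written for this page, not part of the interview or of any tooling used by the author's organization; the asset attributes, the 180-day patch threshold, the risk-tier cut-offs and the sample devices are all assumptions chosen for the example.

```python
"""Stratify IoT/OT assets by business value and risk, flag IT/OT demarcation
breaks, and surface the three root causes named in principle G.
All inventory data below is constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed patch-currency threshold (days since last firmware update).
PATCH_THRESHOLD_DAYS = 180


@dataclass
class Asset:
    name: str
    zone: str                     # "IT", "OT" or "DMZ" (assumed zone model)
    business_value: int           # 1 (low) .. 5 (critical), set by the asset owner
    default_credentials: bool     # still using vendor static credentials?
    firmware_age_days: int        # days since last firmware update
    encrypted_transport: bool     # device-to-controller traffic encrypted?
    api_auth: bool                # management API requires authentication?
    reachable_from: List[str] = field(default_factory=list)  # zones allowed to initiate


# Constructed sample inventory (not real devices).
INVENTORY = [
    Asset("plc-line-3", "OT", 5, True, 400, False, True, ["IT", "OT"]),
    Asset("hvac-ctrl", "OT", 2, False, 90, True, False, ["OT"]),
    Asset("lobby-camera", "IT", 1, True, 30, True, True, ["IT"]),
    Asset("badge-reader", "DMZ", 3, False, 60, True, True, ["DMZ"]),
]


def root_cause_findings(a: Asset) -> List[str]:
    """Principle G: the recurring root causes behind IoT device incidents."""
    findings = []
    if a.default_credentials:
        findings.append("static credentials")
    if a.firmware_age_days > PATCH_THRESHOLD_DAYS:
        findings.append("unpatched firmware")
    if not a.encrypted_transport:
        findings.append("unencrypted transport")
    if not a.api_auth:
        findings.append("API without authentication")
    return findings


def risk_tier(a: Asset) -> str:
    """Principle A: stratify by business value (impact) times exposure
    (1 + number of root-cause findings). Cut-offs are assumptions."""
    score = a.business_value * (1 + len(root_cause_findings(a)))
    if score >= 12:
        return "critical"
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def demarcation_violations(a: Asset) -> List[str]:
    """Principle B: OT assets must not be directly reachable from the IT zone."""
    if a.zone == "OT" and "IT" in a.reachable_from:
        return [f"{a.name}: OT asset reachable directly from IT zone"]
    return []


def assess(inventory: List[Asset]) -> Dict[str, dict]:
    """Produce a per-asset report a security team can act on."""
    return {
        a.name: {
            "tier": risk_tier(a),
            "findings": root_cause_findings(a),
            "violations": demarcation_violations(a),
        }
        for a in inventory
    }


def prioritized(inventory: List[Asset]) -> List[str]:
    """Asset names ordered by tier, most critical first (ties keep inventory order)."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    return [a.name for a in sorted(inventory, key=lambda x: order[risk_tier(x)])]


if __name__ == "__main__":
    for name in prioritized(INVENTORY):
        entry = assess(INVENTORY)[name]
        print(f"{name:14s} {entry['tier']:8s} {entry['findings']} {entry['violations']}")
```

The point of the script is the workflow rather than the specific thresholds: an inventory with owner-assigned business value feeds a repeatable stratification, the zone model makes IT/OT demarcation a testable rule instead of a diagram, and the root-cause checks turn principle G into a standing audit that can run whenever the inventory changes.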
Arun DeSouza is Chief Information Security & Privacy Officer at Nexteer Automotive.
Arun DeSouza will be on a panel discussing ‘The Internet of Insecure Things’ at 1.15pm on March 24 at PrivSec Global,