From the ‘Internet of Things’ to the ‘Internet of Risks’
The explosion of IoT and ‘smart’ devices is happening – like it or not – and this represents a clear and present cyber-risk for many organisations that are unaware of the latent cybersecurity vulnerabilities that they present. What to do about this expanding cyber risk profile is the question.
A disconcerting fact is that security researchers estimate that a large percentage of these ‘smart’ devices are insecure.
Fact is, those in the know are starting to raise red flags.
When the army of Smart Devices marches – beware
When a sea of insecure, compromised devices is combined into a formidable, highly coordinated global botnet, substantial cyber attacks become increasingly likely, with more to follow.
- In August 2017, nearly half a million pacemaker patients in the US were told to visit their doctor to patch a critical vulnerability – one that could result in fatalities.
- In October 2016, hackers used vulnerabilities in millions of commonly used devices, such as web cameras and internet-connected printers, to mount a massive denial of service attack on a critical part of the Internet, which resulted in major service interruptions to the websites of major companies including Twitter, Amazon, Netflix and others.
- The discovery of a critical, remotely exploitable vulnerability affecting millions of IoT and smart devices that utilise a widely used open-source software library.
A denial of service or a data breach is one thing. When there is loss of life, destruction of critical infrastructure or theft of corporate assets, the risks are taken to another level.
The IoT cyber risk will continue to escalate unless a ‘security first’, software-patchable approach is taken for all embedded, ‘smart’ IoT devices – period.
‘Security by design’ – What security?
Problem is, the development and sale of many IoT devices fail to take a ‘security-by-design’ approach.
Many – if not most – IoT devices have been developed and sold with time-to-market, sales revenue and innovation beating any security considerations hands down. The long tail of embedded devices which are not patchable – that is, their ‘smarts’ are burned into the silicon chips – is a real concern going forward.
A number of bipartisan US senators have tabled the Cybersecurity Improvement Act of 2017, which will force all vendors supplying internet-connected devices to the US government to ensure that they are software patchable.
IoT security 101
Here are a few critical pointers to get you started in the journey of mitigating the cyber risks inherent to IoT, ICS or embedded ‘smart’ technologies:
- Identify what needs protecting – that is, any IoT, network-enabled or embedded device which, if compromised, will jeopardise your business or the business of other stakeholders such as suppliers, customers or regulators. Don’t waste precious effort on trying to protect that which is not important.
- Identify whether these devices can be protected. For those older (or even new) technologies that cannot be patched, consider replacement, or, if replacement is not feasible, firewall them appropriately.
- For core or critical devices, seek specific assurances (under NDA if needed) from your hardware supplier – and their suppliers, for that matter – to assess which layers can and cannot be patched. Then develop, test and implement countermeasures.
- Establish ongoing protection regimes for all key IoT devices, backed by cyber security and organisational (i.e. staff behavioural) policies that are regularly assessed for effectiveness.
These four pointers are just the start.
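As an added illustration (not code from the article or any vendor), the four pointers above can be turned into a repeatable triage pass over a device inventory: keep only devices whose compromise matters, check which layers a supplier can actually patch, decide between patch, replace or segment, flag where written supplier assurance is still missing, and set a review cadence. The device names, fields, scoring weights and thresholds below are constructed assumptions for the example.

```python
"""Triage of an IoT / embedded device inventory following the four pointers.

Added example; inventory entries, field names and thresholds are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Device:
    name: str
    business_impact: int               # 1 (nuisance) .. 5 (safety / critical infrastructure)
    internet_exposed: bool             # reachable from outside the organisation's network
    patchable_layers: Dict[str, bool]  # layer name -> can the vendor ship updates for it?
    replacement_feasible: bool = True  # can the device realistically be swapped out?
    assurance_on_file: bool = False    # written supplier assurance on patchability (pointer 3)


def needs_protecting(d: Device, threshold: int = 3) -> bool:
    """Pointer 1: spend effort only where compromise would hurt the business."""
    return d.business_impact >= threshold


def unpatchable_layers(d: Device) -> List[str]:
    """Pointer 2/3: layers whose 'smarts' cannot be updated (e.g. burned-in firmware)."""
    return sorted(layer for layer, ok in d.patchable_layers.items() if not ok)


def recommend(d: Device) -> dict:
    """Apply the pointers to one device and return an action plus a priority score."""
    if not needs_protecting(d):
        return {"device": d.name, "action": "deprioritise", "priority": 0,
                "unpatchable": [], "seek_assurance": False, "review_days": None}

    unp = unpatchable_layers(d)
    if not unp:
        action = "patch-and-monitor"        # everything can be patched: keep it patched
    elif d.replacement_feasible:
        action = "replace"                  # unpatchable and replaceable: replace it
    else:
        action = "segment"                  # unpatchable, stuck with it: firewall / isolate

    # Constructed weighting: exposure doubles the impact, unpatchable layers add a fixed bump.
    priority = d.business_impact * (2 if d.internet_exposed else 1) + (2 if unp else 0)
    seek_assurance = d.business_impact >= 4 and not d.assurance_on_file
    review_days: Optional[int] = 30 if d.internet_exposed else 90   # pointer 4 cadence

    return {"device": d.name, "action": action, "priority": priority,
            "unpatchable": unp, "seek_assurance": seek_assurance,
            "review_days": review_days}


def triage(inventory: List[Device]) -> List[dict]:
    """Recommendations for the whole inventory, highest priority first."""
    return sorted((recommend(d) for d in inventory), key=lambda r: -r["priority"])


# Constructed sample inventory (not real devices).
INVENTORY = [
    Device("plc-boiler-01", 5, False, {"firmware": False, "control-app": True},
           replacement_feasible=False),
    Device("lobby-camera-03", 2, True, {"firmware": False}),
    Device("print-server-02", 3, False, {"firmware": True, "os": True}),
    Device("hvac-gateway-01", 4, True, {"firmware": False, "cloud-agent": True},
           assurance_on_file=True),
]

if __name__ == "__main__":
    for r in triage(INVENTORY):
        print(f"{r['priority']:>2}  {r['device']:<18} {r['action']:<18} "
              f"unpatchable={r['unpatchable']} assurance_needed={r['seek_assurance']} "
              f"review_every={r['review_days']} days")
```

The output lists the internet-exposed, partly unpatchable gateway first and the low-impact lobby camera last, which is the point of pointer 1: an insecure device is only your problem to the extent that its compromise becomes your business risk.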
Question: What IoT and ‘smart’ device sleeper cells exist in your organisation, and do they present a vulnerability which, when exploited, becomes your business risk?
The time to find out is now.