The Internet of Things (IoT) can deliver tremendous benefits to organizations, but very few either recognize or attempt to manage the potentially calamitous security vulnerabilities often associated with IoT devices.
IT analyst Gartner forecasts that there will be 8.4 billion connected devices in use worldwide this year — up 31 percent from 2016 —and that the figure will reach 20.4 billion by 2020. But experts warn that such exponential adoption of IoT devices has increased information security challenges, as has the lack of attention in designing them to be secure. The predominant use of cloud computing to provide connectivity to devices also increases the risks of hacking and cyberattacks.
The potential impact has not been lost on the U.S. Government Accountability Office (GAO). In its "technology assessment" issued in May, called Internet of Things: Status and Implications of an Increasingly Connected World, the GAO said that gaps exist in how IoT security is being addressed in federal and private networks and that there are no clear security standards. There is also no one specific agency in charge of IoT security.
IoT devices are meant to be easy to use, and as such, they tend to rely on fairly simple technology — but also simple security safeguards. And as they are used widely in national critical infrastructure, medical equipment, and so on, any breach can potentially be life threatening. The U.S. Department of Homeland Security recently disclosed a 2012 breach in which cybercriminals managed to penetrate the thermostats of a state government facility and a manufacturing plant in New Jersey. The Verizon 2017 Data Breach Report, meanwhile, described how a U.S. university's IT servers were nearly shut down when they were attacked by its own vending machines and around 5,000 other IoT devices.
More worryingly, security flaws have also been uncovered in insulin pumps, defibrillators, and pacemakers, as well as sport utility vehicles where hackers could potentially take over the steering and braking mechanisms.
To reduce the danger of being hacked, organizations need to be aware of how many IoT devices are connected to the company's IT networks, who is in charge of the devices, and how they are being used. Experts also warn that they need to create corporate policies that spell out how IoT devices should be used.
The scale of the task may appear daunting — at least at first. Stuart Reed, senior director of market strategy at IT security specialists NTT Security, says that "for most organizations, integrating 1,000 additional endpoints into their security processes — including identity and access management, device management, data loss prevention, and incident response — will be a huge challenge."
But he adds that "they can learn from the experiences of creating 'bring your own device' policies, which demonstrates how devices can act as a pivot point to access corporate networks."
Deral Heiland, IoT research lead at IT security firm Rapid7, says that employees bringing their own personal IoT devices into work is one of the key problems, so their use needs to be managed and regulated. He adds that organizations should monitor their networks — both wired and wireless — and identify all new devices that are attempting to connect to these networks. Furthermore, all IoT technologies (including cameras, printers, lighting, TVs, and heating, ventilation, and air-conditioning systems) should be separated into restricted/managed network segments and should not be allowed to communicate directly with the core business network. This will prevent access to the core business environment if the IoT device is breached or compromised in any way, he says.
Heiland also advises that before purchasing any IoT technology, organizations should ask the product vendors two general questions: How is the product patched and updated (and is there a regular patching cycle); and has the product and its associated technologies had an independent security assessment? "If either of these questions cannot be answered by the vendor, then the business should avoid purchasing the products," he says.
IT governance association ISACA recently conducted a global risk/reward survey of IT and business professionals. It found that 44 percent think there is a likelihood of an organization being breached through an IoT device, and that 84 percent are concerned that there are security vulnerabilities inherent in IoT devices. Some 80 percent of respondents are worried about data leakage from IoT devices, while 75 percent are concerned about the adequacy of access controls to IoT devices.
Michael Hughes, an IT consultant and ISACA director, believes that while IoT is a new phenomenon, traditional governance and management control practices should still apply. The key point is to understand the information and business risks around IoT devices, assess whether existing controls and policies provide adequate protection, and minimize the collection of personal and sensitive corporate information that might be accessed if they were ever hacked, he says.
Hughes adds that organizations must have appropriate controls in place to check which people are using/are allowed to use IoT devices (and for what purpose), and record the kind of devices being used. Furthermore, internal audit needs to regularly review and test these controls as part of an ongoing risk assessment process.
Hughes says that user training is probably one of the most overlooked areas of IoT security management. "Users need to know what to do, how to use systems, but more importantly, they need to be told why they need to do something in a certain way. They are then more likely to do what they need to do and not find shortcuts, and that is where internal audit comes in."