Internet of Things (IoT) devices are exploding in popularity, but they present serious cyber security challenges for large enterprises.
Businesses and consumers alike are eagerly embracing IoT devices; it is estimated that 26 to 30 billion devices will be connected by 2020, up from 7 to 10 billion in 2013. Yet wearables, smart thermostats, routers, printers, and every other device that connects to the internet can be compromised just like a laptop or desktop computer, and IoT security has received scant attention.
The Mirai Botnet Attacks: The Canary in the Coal Mine
In October 2016, a massive DDoS attack struck the U.S. East Coast without warning, leaving numerous big-name websites unreachable, including Amazon, PayPal, Netflix, Spotify, GitHub, and Reddit. The Mirai botnet did not target the individual sites but the managed DNS service run by Dyn, a New Hampshire-based company that offers, among other things, domain registration services. With Dyn's authoritative name servers unable to answer queries, browsers could not resolve those sites' domain names, so the sites were effectively offline even though their own servers were untouched.
The Mirai attacks took advantage of a common and simple security flaw in IoT devices: factory default passwords, which users generally do not change or, in some cases, cannot change because the manufacturer has hardcoded them into the firmware. The Mirai operators simply scanned the internet for devices exposing a Telnet login, logged in using a short list of known default usernames and passwords, and used the captured devices to flood Dyn's DNS servers with so much junk traffic that the service buckled. All of this was done without device owners being aware that their machines had been turned into "zombies," and authorities later concluded that the attacks were likely not pulled off by criminal masterminds but by "bored teenagers."
The Mirai attacks were the canary in the coal mine that raised the question: if IoT security is so weak that a group of bored kids could do this much damage, what could a highly skilled, well-funded group of nation-state actors or rogue "hacktivists" accomplish?
IoT Challenges in Large Enterprises
As the Mirai attacks demonstrated, any connected device is a potential target. In addition to enlisting an IoT device in a "zombie army" to launch a DDoS attack, hackers could:
- Compromise an Amazon Echo or similar device, listen to office conversations, and extract login information or company secrets;
- Use ransomware to disable a fleet of autonomous vehicles;
- Take control of a smart medical device, such as a pacemaker, begin draining the battery, and demand that the device’s owner pay a ransom to make the hacker stop;
- Breach a smart building's network and take control of HVAC systems or even door locks; in January, a ransomware attack on a hotel in Austria disabled its electronic key card system so that new room keys could not be issued;
- Compromise emergency services and critical infrastructure, as in recent ransomware attacks on a closed-circuit camera system in Washington, D.C., and a county police force and 911 center in Ohio, and a breach of the emergency siren system in Dallas, Texas.
Large enterprises are especially exposed because they do not build their own equipment: they purchase connected devices from third-party manufacturers and assume that those devices are secure. The Berkeley Research Group found that 90% of organizations have no cyber security strategy for the Internet of Things, and that 68% have no testing procedures for connected devices.
IoT device manufacturers operate in a Wild West environment with little regulation or oversight. Devices tend to be developed with a focus on convenience, ease of use, and cutting-edge features; data security is an afterthought, at best. While some devices used in highly regulated industries are subject to certain data privacy standards (connected medical devices, for example, must comply with HIPAA), compliance does not automatically equal data security, and there are no laws or industry standards specifically addressing IoT security.
What Organizations Must Do to Protect Their Clients and Themselves
The Mirai botnet attacks prompted cyber security experts to call for the government to legislate specific IoT security standards. The U.S. Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST) have released a set of voluntary IoT security guidelines aimed at manufacturers. These include measures such as “baking” security into the software development lifecycle from the design phase; promoting security updates and vulnerability management; and prioritizing security measures according to their potential impact.
Large enterprises can and should take advantage of their bulk purchasing power to demand that manufacturers adopt these common-sense standards, and companies should refuse to do business with manufacturers that cannot provide adequate assurances as to the security of their products. Enterprises themselves can also take a number of proactive steps to secure their IoT devices, including:
- Maintaining an inventory of every connected device that stores or transmits company data, together with a documented process for reviewing each device's configuration and exposure;
- Fully understanding the risks, not only of company-owned devices but of devices brought onto the premises by employees and third-party vendors, as well as devices used by third-party business associates who do work for the company offsite (such as payroll or medical billing providers);
- Establishing regular risk assessments as part of security operations to ensure that the company is identifying risks and remediating them where appropriate;
- Taking proactive measures such as always changing default login credentials and disabling unneeded remote-management services such as Telnet before connecting a device to the network, prohibiting employees or visitors from connecting unsecured devices to the network, and continuously monitoring the network for unauthorized devices or suspicious behavior, such as a camera or printer that suddenly starts opening connections to large numbers of outside hosts.
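As an added example that is not part of the original article, the following Python script shows two of the monitoring checks above running over constructed data: it flags internal devices that open connections to many distinct hosts on tcp/23 and tcp/2323 (the Telnet ports Mirai bots scanned for new victims) and lists source addresses that do not appear in the approved asset inventory. The log line format, the inventory, the sample traffic, and the threshold of 10 distinct Telnet targets are all assumptions made for this example.

```python
"""Detect Mirai-style Telnet scanning and unregistered devices in connection logs.

Added example, not from the article. The log layout, inventory, and threshold
are assumptions; in production you would feed real firewall or NetFlow records.
"""
import re
from collections import defaultdict


def _build_sample_log():
    """Constructed sample: one line per outbound TCP connection attempt from the
    internal 10.0.5.0/24 segment, as a firewall might export it (assumed format)."""
    lines = []
    # cam-lobby-01 behaving like a Mirai bot: many distinct hosts on tcp/23 and tcp/2323
    for i in range(12):
        port = 23 if i % 4 else 2323
        lines.append(
            f"2017-03-01T10:00:{i:02d} src=10.0.5.23 dst=198.51.100.{i + 1} "
            f"dport={port} proto=tcp"
        )
    # printer-floor2 behaving normally: HTTPS to two hosts
    lines.append("2017-03-01T10:00:05 src=10.0.5.40 dst=203.0.113.7 dport=443 proto=tcp")
    lines.append("2017-03-01T10:00:09 src=10.0.5.40 dst=203.0.113.8 dport=443 proto=tcp")
    # a single Telnet session to one host is administration, not scanning
    lines.append("2017-03-01T10:00:30 src=10.0.5.40 dst=10.0.5.1 dport=23 proto=tcp")
    # a device nobody registered in the inventory
    lines.append("2017-03-01T10:01:00 src=10.0.5.99 dst=203.0.113.9 dport=80 proto=tcp")
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()

# Constructed asset inventory (assumption): IP address -> approved hostname
APPROVED_DEVICES = {
    "10.0.5.23": "cam-lobby-01",
    "10.0.5.40": "printer-floor2",
}

TELNET_PORTS = {23, 2323}  # the ports Mirai scanned for default-credential logins
SCAN_THRESHOLD = 10  # distinct Telnet targets per source; an assumed tuning value

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=tcp$"
)


def parse_events(log_text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # do not crash the detector on an unexpected line
        events.append(
            {"ts": m["ts"], "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}
        )
    return events


def telnet_scanners(events, threshold=SCAN_THRESHOLD):
    """Return {src: distinct_targets} for sources that contacted at least
    `threshold` distinct hosts on a Telnet port. Counting distinct destinations
    rather than raw connections separates scanning from a repeated admin login."""
    targets = defaultdict(set)
    for e in events:
        if e["dport"] in TELNET_PORTS:
            targets[e["src"]].add(e["dst"])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


def unknown_devices(events, approved=APPROVED_DEVICES):
    """Return source addresses that are not in the approved inventory."""
    return {e["src"] for e in events if e["src"] not in approved}


def report(log_text):
    """Run both checks over a log and return the findings."""
    events = parse_events(log_text)
    return {"scanners": telnet_scanners(events), "unknown": unknown_devices(events)}


if __name__ == "__main__":
    findings = report(SAMPLE_LOG)
    for src, count in findings["scanners"].items():
        name = APPROVED_DEVICES.get(src, "unregistered")
        print(f"possible Mirai-style scanner: {src} ({name}) hit {count} Telnet targets")
    for src in sorted(findings["unknown"]):
        print(f"device not in inventory: {src}")
```

A real deployment would evaluate the distinct-target count inside a sliding time window and alert on the device rather than only printing, but the two building blocks are the same: a per-source set of Telnet destinations, and a comparison of observed sources against the inventory the first bullet above asks for.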
Most of the time, even when enterprises are aware of security issues, they tend to ignore them until a breach occurs. In today’s threat environment, reactive cyber security doesn’t work and ends up costing even more than preventing breaches in the first place. In addition to direct data breach cleanup costs and fines for violating standards such as HIPAA and PCI DSS, firms are increasingly facing enormous lawsuits on the part of other parties impacted by breaches, such as banks and credit unions.
There are public relations issues to consider as well. Two-thirds of consumers report being “concerned” or “very concerned” about IoT device security. If consumers do not feel that smart devices are safe, they will refuse to purchase them, and they will also balk at doing business with companies that use them, especially if another major IoT breach happens, and especially in cases where hacked devices could put lives at risk, such as with pacemakers or insulin pumps.
Unfortunately, most enterprise IoT security policies contain many gaps and do little to address real-world security issues. This is because cyber security is a dynamic, fast-moving field where new threats emerge daily. Most organizations, even large enterprises, simply do not possess the in-house expertise or manpower to manage their cyber security needs on their own. That’s why it’s a good idea for enterprises to outsource their cyber security functions to a provider such as CyLumena. Our highly experienced, professional security experts emphasize client collaboration and use a lean methodology to mitigate threats and provide your organization with measurable outcomes.