The Internet of Things (IoT) is now one of the biggest technology revolutions in decades. IoT has created a roughly $967 billion market with expected future exponential growth. IoT offers businesses innovation, but the innovation comes at a price of mitigating and managing IoT security challenges, risks, and new vulnerabilities. New threats and vulnerabilities associated with IoT devices will challenge your organization to prepare for a massive new growth industry and add potential competitive advantage.
Before we jump into a few tips for mitigating and managing IoT risks, let’s explore the astounding statistics and highlights surrounding the Internet of Things.
- There are 8.4 billion connected “Things” in use in 2017 with 28 billion “Things” predicted to be connected by 2021.
- 70% of IoT devices are susceptible to hacks due to major vulnerabilities.
- Businesses are on pace to employ 3.1 billion connected things in 2017 according to a 2017 Gartner Report. One report predicts more than 50 billion devices will be in use by 2020.
- In 2017, IoT devices used in businesses will drive $964 billion in sales and another $725 billion in consumer applications. Gartner predicts that both segments will reach $3 trillion by 2020.
- The Ponemon Institute found that 80% of IoT devices are not tested for security flaws from a study of 593 IT and Security practitioners.
- AT&T states that 90% of organizations lack full confidence in their IoT security strategies.
With 90% of organizations lacking the confidence in their IoT security strategies, what can companies do to bolster their strategies with this fast-paced and widely adopted technology advancement?
Develop Your IoT Readiness Plan
IoT introduces an entirely new playing field. Employees, visitors, partners, and outsiders are bringing Internet-connected devices to the corporate network via your wireless or wired connections. Add to that the devices already in the building, such as whiteboards, coffeemakers, security cameras, and Bluetooth speakers, whose “smart” features can give threat actors a backdoor into the network. These technologies present information security professionals with a significant challenge to overcome.
Nearly 90% of information security professionals are concerned about IoT vulnerabilities, and 44% said they are less concerned with traditional network security than they are with device security.
To get started, security professionals must conduct a comprehensive risk assessment and discovery of all IoT devices that might be in the portfolio. An IoT risk assessment should include an audit of your network, the applications, and the security controls in place to mitigate risk. The assessment should also categorize and count the devices on the network, record the particular risk each one carries, and rate how sensitive the data each device produces is.
Scan Your Network & Identify ALL IoT Devices
Next, leverage a pen testing team or vulnerability assessment tool to scan the network for IoT devices currently within your network to understand their vulnerabilities and the current risk involved for each device.
Finally, you need to know what happens when an IoT device is compromised or attacked, or even when a whole group of devices is used to attack your network. Pen testing can show you the impact of vulnerable IoT devices within your network. Prepare for worst-case scenarios and plan how to mitigate them through a comprehensive defense-in-depth, or layered, security strategy. You may also decide to place certain IoT devices on networks separate from your core IT networks and applications to safeguard your data.
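The assessment steps above (inventory every device, categorize it, record its particular risk and data sensitivity, and decide whether it belongs on a separate network) can be captured in a small triage script. The following is an added example, not code from the original article or from any vendor; the scoring weights, tier thresholds, the list of risky services, the VLAN names, and the sample inventory are all assumptions constructed for illustration.

```python
"""Asset-inventory triage for an IoT risk assessment (added example).

Takes a device inventory (as produced by a network scan or discovery
exercise), assigns each device a risk score and tier from a small,
explicit scoring model, lists concrete findings, and recommends a
network segment. The weights and thresholds are illustrative
assumptions, not an industry standard.
"""
from dataclasses import dataclass, field

# Services that commonly expose cleartext or unauthenticated management
# interfaces on IoT devices (assumed list for this example).
RISKY_SERVICES = {"telnet", "ftp", "upnp", "http"}
SENSITIVITY_WEIGHT = {"low": 1, "medium": 2, "high": 3}
TIER_THRESHOLDS = [(12, "critical"), (8, "high"), (4, "medium"), (0, "low")]


@dataclass
class IoTDevice:
    name: str
    category: str            # camera, printer, hvac, appliance, ...
    ip: str
    firmware_age_days: int   # days since the installed firmware was released
    default_credentials: bool
    patchable: bool          # vendor still ships updates and they can be applied
    data_sensitivity: str    # "low" | "medium" | "high"
    open_services: list = field(default_factory=list)


def findings(device):
    """Return the concrete issues observed on a device."""
    issues = []
    if device.default_credentials:
        issues.append("default or hard-coded credentials in use")
    if not device.patchable:
        issues.append("no vendor patch path")
    if device.firmware_age_days > 365:
        issues.append(f"firmware {device.firmware_age_days} days old")
    for svc in sorted(RISKY_SERVICES & set(device.open_services)):
        issues.append(f"risky service exposed: {svc}")
    return issues


def risk_score(device):
    """Weighted score: exposure factors multiplied by data sensitivity."""
    base = 0
    base += 4 if device.default_credentials else 0
    base += 3 if not device.patchable else 0
    base += 2 if device.firmware_age_days > 365 else 0
    base += len(RISKY_SERVICES & set(device.open_services))
    return base * SENSITIVITY_WEIGHT[device.data_sensitivity]


def risk_tier(score):
    for threshold, tier in TIER_THRESHOLDS:
        if score >= threshold:
            return tier
    return "low"


def recommended_segment(device, tier):
    """Segmentation decision (assumed policy): highest-risk devices are
    quarantined until remediated; anything handling sensitive data is kept
    off the general IoT VLAN; the rest share an IoT VLAN with no route to
    core systems."""
    if tier in ("critical", "high"):
        return "quarantine-vlan"
    if device.data_sensitivity == "high" or tier == "medium":
        return "iot-isolated-vlan"
    return "iot-vlan"


def triage(devices):
    """Score every device and return report rows sorted by descending risk."""
    rows = []
    for d in devices:
        score = risk_score(d)
        tier = risk_tier(score)
        rows.append({
            "name": d.name, "category": d.category, "ip": d.ip,
            "score": score, "tier": tier,
            "segment": recommended_segment(d, tier),
            "findings": findings(d),
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def summarize(rows):
    """Counts per category and per tier, as the assessment report needs."""
    by_category, by_tier = {}, {}
    for r in rows:
        by_category[r["category"]] = by_category.get(r["category"], 0) + 1
        by_tier[r["tier"]] = by_tier.get(r["tier"], 0) + 1
    return {"by_category": by_category, "by_tier": by_tier}


# Constructed sample inventory (not from a real network).
SAMPLE_INVENTORY = [
    IoTDevice("cam-lobby", "camera", "10.20.0.11", 540, True, True, "medium", ["rtsp", "telnet", "http"]),
    IoTDevice("printer-3f", "printer", "10.20.0.25", 200, False, True, "high", ["ipp", "http"]),
    IoTDevice("hvac-ctrl", "hvac", "10.20.0.40", 900, True, False, "low", ["modbus", "telnet"]),
    IoTDevice("coffee-kitchen", "appliance", "10.20.0.77", 30, False, True, "low", ["http", "upnp"]),
]

if __name__ == "__main__":
    report = triage(SAMPLE_INVENTORY)
    for row in report:
        print(f"{row['name']:15} {row['tier']:8} score={row['score']:2} -> {row['segment']}")
        for issue in row["findings"]:
            print(f"    - {issue}")
    print(summarize(report))
```

The point of the multiplier is that a camera with default credentials and an old firmware image outranks a printer with a single exposed web interface, yet the printer still lands on an isolated VLAN because of the data it handles. In a real assessment the inventory would be populated from your discovery scan and the weights tuned to your environment; the structure of the report (per-device findings, tier, and segment plus the category and tier counts) is what the assessment deliverable needs.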
After you complete this IoT risk assessment, you will have a much better understanding of the security landscape and current challenges represented. When deploying new devices, you will also want to consider deploying with security in mind first which leads us to our next topic.
Incorporate ‘Security By Design’
IoT production has happened overnight, and there are now billions of devices connected to the Internet. Security is often disregarded when consumer demand for products dictates deployments. However, by not incorporating ‘security by design’, some potentially fatal flaws are created in the original designs of these latest and emerging technologies.
IoT needs to start with ‘security by design.’ As manufacturers build the latest IoT devices, they need to consider the challenges and possible vulnerabilities such as malware, DDoS, and even ransomware attacks. Otherwise, they put human safety at risk.
Holding IoT Manufacturers Accountable for Patch Updates
According to Dark Reading, IoT devices have on average 25 vulnerabilities, and that number continues to grow. Add on top of that the number of vulnerabilities for computers, servers, and mobile phones, and the number and scope is a bit mind-boggling and a full-time challenge.
Many IoT devices are using a modified version of Linux, bringing tens of thousands of lines of code into the device. The Linux kernel had 85 high severity vulnerabilities in 2016 alone. Many IoT device manufacturers hastily launched products without taking responsibility for protecting the organizations and individuals who use them. As security professionals and organizations, the next step is to hold IoT manufacturers accountable for incorporating security into their designs from the start.
U.S. Senators Cory Gardner (R-CO) and Mark R. Warner (D-VA), co-chairs of the Senate Cybersecurity Caucus, introduced a new bipartisan bill known as the “Internet of Things (IoT) Cybersecurity Improvement Act of 2017.” The bill proposes that IoT devices purchased by the U.S. government must meet the minimum-security requirements. Manufacturers who supply the U.S. government with IoT devices must ensure that the devices are patchable, do not include hard-coded passwords that can’t be changed, are free of known security vulnerabilities, and other essential security requirements.
Confidently Manage Security Incidents
You may not be able to control when security incidents happen, but as an organization, you can manage how well you respond. A security operations team can expand its detection or prevention technologies to help decrease the number of security incidents. A well-functioning security operations center (SOC) can enhance the organization’s ability to respond and dramatically reduce the Mean Time to Identify and Mean Time to Respond. Regularly running security exercises that play out complex security incidents prepares the organization to manage real ones.
Partnering with a security expert can make a big difference during your IoT deployments. An IoT security expert will have the knowledge and experience to help you complete the detailed IoT risk assessments, uncover IoT-specific vulnerabilities, conduct pen testing or ethical hacking on your new or existing IoT devices, and future-proof your IoT efforts.
Be sure to check out these resources on IoT security: