There have been renewed warnings from cyber security experts that much more needs to be done to provide adequate protection from the potentially devastating effects of hacks involving IoT devices.
What Are IoT Devices?
IoT devices are those devices that are now present in most offices and homes that have a connection to the Internet and are, therefore, ‘smart’ and inter-connected. These devices could be anything from white goods and smart thermostats to CCTV cameras, medical implants and even industrial controllers.
What Are the Risks?
The fact that they have a connection to the Internet, are prevalent, and are often overlooked in security planning (and are therefore likely left unguarded) means that they are vulnerable to hacks and attacks.
What makes the risks physically greater, more immediate and more complicated is that the vast number of IoT devices now deployed worldwide tend to be connected to (or in control of) physical objects. These objects could be elevators, doors, heating or fire safety systems in office buildings … the list is long. This means that a hack / breach could mean that there is a real risk of human casualties or fatalities, as opposed to the lesser, traditional, lower impact but still serious risks associated with hacks such as data loss and fines.
IoT devices are also deployed in many systems that link to and are supplied by major utilities e.g. smart meters in homes. This means that a large scale attack on these systems could affect the economy.
Hackers have also shown that they can take over large numbers of IoT devices at once and use them as a botnet to attack other systems. An example of this happened in October 2016 when the ‘Mirai’ attack used thousands of household IoT devices as a botnet to launch an online distributed denial of service (DDoS) attack (on the DNS service ‘Dyn’) with global consequences.
The devices included things like white goods, CCTV cameras and printers, and the major platforms that were put out of action by the attack included Twitter, Spotify, and Reddit.
No Risk Assessment & No Universal Standard
Technology commentators have noted that the true extent of the risks posed by IoT device vulnerabilities are unknown because the devices are so widely distributed globally, and large organisations have tended not to include them in risk assessments for devices, code, data, and infrastructure.
It has also been noted by many commentators that not only is it difficult for businesses to ascertain whether all their hardware, software, and service partners are maintaining effective IoT security, but there is also still no universal, certifiable standard for IoT security.
What Does This Mean For Your Business?
For businesses, one first step may be to conduct an audit and risk assessment for known IoT devices that are used in the business. One basic security measure is to make sure that any default username and passwords in these devices are changed as soon as possible.
Security experts also suggest that anyone deploying IoT devices in any environment should require the supply chain to provide evidence of adherence to a well-written set of procurement guidelines that relate to some kind of specific and measurable criteria.
Microsoft has also compiled a checklist of IoT security best practice. This highlights the different areas of security that need to be addressed by the organisations involved throughout the lifecycle of an IoT system e.g. manufacturing and integration, software development, deployment, and operations.