The nature of Internet of Things (IoT) devices and the scale of their use is what makes securing them so hard. IoT devices emerged for industrial controls two decades ago and then expanded rapidly into business and consumer technologies.
The first IoT devices had important but limited capabilities. As embedded computing and networking technologies advanced, many tech trends – such as low power, miniaturization, massive increases in computer and memory chip density, digitalization, virtualization, and network capacity growth – turned small simple devices into intelligent high-powered networked computers.
Thus, today’s intelligent industrial IoT devices are high-value hacker targets. Cybersecurity was not built into most of these devices, and many that did have security controls were still found to be vulnerable to certain kinds of cyberattacks. Many IoT devices were originally analog devices that were converted for Ethernet network use before the Internet or in its early days. There were no cybersecurity concerns at that time about industrial devices. Over time, IoT devices were enhanced as computing technology and networking advanced, before today’s cybersecurity threats evolved to their current levels.
In recent years both industry and customer thinking about these devices has not kept pace with their technology advances and increasing vulnerabilities. That thinking must change significantly for these devices to be used safely without a high potential for catastrophic consequences to owners of the IoT devices.
Internet of Things Technology
The use of IoT technologies has undergone explosive growth in recent years. Estimates now place the number of connected IoT devices at more than 23 billion, three times the number of people on Earth. Thus, it should be no surprise that the past two years have seen an unprecedented increase in the number, scale and type of cyberattacks against these devices. Not only is there a rise in the number of cyberattacks – the sophistication of the attacks is also increasing.
Many intelligent industrial IoT devices can be weaponized by malware and used to attack other targets. Because IoT devices operate on their own without continual user interface, they can be hijacked without their owners knowing about it. Any network-connected device is a potential target for outsider or insider threats and must have appropriate cybersecurity measures put into place. In 2016, camera and recorder cybersecurity vulnerabilities allowed 1.5 million connected cameras and recorders (DVRs, NVRs and recording servers) to be hijacked to create the world’s largest Mirai botnet. The malware took full control of IoT devices’ underlying Linux operating systems.
Taking the Threats Seriously
The state of device security and the state of security practice are now prompting government action. End users as well as product and service providers have not taken the threats seriously enough. The poor password practice situation has been so serious for both consumer and industrial IoT devices that California has passed a law that bans default passwords for all IoT devices. Beginning Jan. 1, 2020, Senate Bill No. 327 requires manufacturers of a connected device to equip it with a “reasonable security feature or features.” The bill mandates that manufacturers provide default passwords that are unique to each device or prompt the user to generate a new password before using the product. Many physical security and life safety systems, such as video surveillance and fire systems, are now connected to the Internet directly or via a corporate network connection. This makes them vulnerable to cyberattacks.
Tracie Grella, Global Head of Cyber for the AIG insurance company, said, “These types of devices could be attacked and could cause disruption at energy plants, manufacturers, and power companies” (American International Group 2017). See Figure 1 below, courtesy of AIG, which lists the types of devices that are commonly vulnerable.
“Most IoT devices come with default passwords…and consumers don’t reset those default passwords, so IoT devices are very easy to break into and take over,” Grella explains. “Hackers can use those devices as a means of launching attacks against other networks.”
The U.S. Federal Cybersecurity and Infrastructure Security Agency (CISA) recommends that cybersecurity insurance firms encourage the implementation of best practices by basing premiums on an insured’s level of self-protection.
What liabilities might your organization have if your device protection was less than recommended practice, and your devices were weaponized for a devastating attack on another organization’s systems? What would your liability be? Would it be covered by your cyber insurance?
Securing the Industrial IoT
Securing Industrial IoT devices and systems is hard, but necessary. That’s why I wrote a white paper about establishing sustainable security for Industrial IoT devices and systems. It presents the case for cybersecurity, which may be helpful if you need to provide organizational stakeholders with a strong rationale for why your IoT devices and systems need to be secured now. Using network security cameras as an example, it takes a close look at addressing the two most serious vulnerabilities of IoT devices. Download it free from this link.
Additionally, most intelligent IoT devices fall into the category of what is called cyber-physical systems – systems that interact with people, physical equipment and physical systems (such as building controls, traffic management, autonomous vehicles, etc.). See my Real Words or Buzzwords? article on Internet+, which provides even more context and business rationale for securing our IoT devices and systems.
About the Author:
Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities (www.go-rbcs.com). In 2018 IFSEC Global listed Ray as #12 in the world’s Top 30 Security Thought Leaders. He is the author of the Elsevier book Security Technology Convergence Insights available on Amazon. Mr. Bernard is a Subject Matter Expert Faculty of the Security Executive Council (SEC) and an active member of the ASIS International member councils for Physical Security and IT Security. Follow Ray on Twitter: @RayBernardRBCS.