Whether at home or in business, IoT (Internet of Things) devices and machines have become an integral part of our daily lives, and their presence is expected not only to grow but to expand rapidly into municipal, government and military uses.
Think about it: your smartphone, your tablet, smart TVs, refrigerators, HVAC systems, security cameras, coffee makers, printers, and wearables such as Fitbit and iWatches are increasingly common, while at the same time becoming a major security concern for CISOs in business, government and the military.
Any physical machine or device that has connectivity and software ultimately has security implications, so solutions are required that offer the flexibility to safely onboard allowed devices of all types.
According to IDC projections, there will be over 80 billion ‘smart’ IoT devices within the next seven years. Unfortunately, the networks and the software running these connected devices are extremely vulnerable to attacks. The numerous distributed denial-of-service botnet attacks of late are the best examples of how hackers can exploit a weak IoT security policy to gain access to organizations’ data or even shut down operations entirely. Examples include the 2016 Dyn cyberattacks, the 2015 Jeep hack, the St. Jude Cardiac Devices hacks that started from 2014, and more.
One reason it’s difficult to see IoT devices on the network is that they are either grouped in with all of the other connected devices or, worse, sometimes not assigned a specific group policy due to their ubiquitous purposes, which leaves these devices free to roam around the network.
If there isn’t a team member or department specifically assigned to manage the devices, or an automated management system programmed to manage and monitor them, the responsibility for ensuring the devices’ security status and authorized areas of access is left up in the air. The result is typically that IoT devices become “free agents” of sorts that can easily be used by hackers and other malicious actors.
IoT Risk Mitigation
In some cases, the solution is a matter of making sure to register the device in the IT inventory records or catalogues. Whether in business, hospitals, educational facilities or government, there should be a standard operating procedure that requires every new IoT device to be added to the inventory.
Unmonitored devices open the organization to unauthorized access. Once these IoT devices gain network access, they have a foothold in the organization’s mainframe, and breaches can happen.
Additionally, IoT devices typically come with default passwords. Many users, even after the 2016 Dyn cyberattacks, stay with the default settings and do not bother to set a unique username and password. Hackers can find lists of vulnerable devices and try out default passwords. If those have never been changed, they are in. Even if the passwords have been changed, SSH and telnet services unfortunately allow hackers to force their way into devices. Changing a device’s web application password typically does not guarantee that the password coded into the device has been updated.
These risks and others can be reduced to some degree by maintaining a current and detailed inventory of all IoT devices located at factories, offices, government plants, etc. The inventory can be updated via a mobile device management system or network access control technologies and then verified on a bimonthly basis. The more that is known about the devices on the network, the better the organization will be able to respond to IoT security breaches.
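The inventory check described in this section can be automated. The following is an added example, not part of the original article: it reconciles devices seen on the network against the registered inventory and flags the gaps discussed above. All device records, field names and the 60-day reading of "bimonthly" are assumptions made for illustration.

```python
from datetime import date

# Constructed sample data: the registered inventory (keyed by MAC address)
# and the devices currently seen on the network, e.g. exported from a NAC tool.
INVENTORY = {
    "00:11:22:33:44:01": {"name": "lobby-camera", "group": "cameras", "owner": "facilities",
                          "last_verified": date(2024, 5, 20), "default_creds_changed": True},
    "00:11:22:33:44:02": {"name": "hvac-controller", "group": None, "owner": None,
                          "last_verified": date(2024, 1, 10), "default_creds_changed": False},
}
OBSERVED = [
    {"mac": "00:11:22:33:44:01", "ip": "10.0.5.11", "open_ports": [443]},
    {"mac": "00:11:22:33:44:02", "ip": "10.0.5.12", "open_ports": [22, 23, 80]},
    {"mac": "00:11:22:33:44:99", "ip": "10.0.5.77", "open_ports": [23]},
]
REMOTE_LOGIN_PORTS = {22: "ssh", 23: "telnet"}
MAX_VERIFY_AGE_DAYS = 60  # assumption: "bimonthly" read as every two months


def audit(inventory, observed, today):
    """Return {mac: [findings]} for every observed device with at least one finding."""
    report = {}
    for dev in observed:
        findings = []
        rec = inventory.get(dev["mac"].lower())
        if rec is None:
            findings.append("not in inventory")
        else:
            if not rec["group"]:
                findings.append("no group policy assigned")
            if not rec["owner"]:
                findings.append("no responsible owner")
            if not rec["default_creds_changed"]:
                findings.append("default credentials not changed")
            if (today - rec["last_verified"]).days > MAX_VERIFY_AGE_DAYS:
                findings.append("verification overdue")
        # Remote-login services matter whether or not the device is registered.
        for port in sorted(p for p in set(dev["open_ports"]) if p in REMOTE_LOGIN_PORTS):
            findings.append(f"{REMOTE_LOGIN_PORTS[port]} exposed")
        if findings:
            report[dev["mac"]] = findings
    return report


if __name__ == "__main__":
    for mac, findings in audit(INVENTORY, OBSERVED, date(2024, 6, 1)).items():
        print(mac, "->", "; ".join(findings))
```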
The Need for IoT Security Standards
Federal agencies have been steadily adopting and deploying sensors, yet the security of IoT devices remains a constant concern for government IT security professionals, and there seems to be some momentum toward making sure federal IoT environments are secured.
In February 2018, the National Institute of Standards and Technology released its draft “Interagency Report on Status of International Cybersecurity Standardization for the Internet of Things (IoT)”. The report concluded that a standardized set of cybersecurity requirements is necessary to prevent malicious actors from exploiting security gaps to launch cyberattacks.
Additionally, there are legislative efforts underway in the United States designed to regulate certain standards of IT security for IoT systems in the government. The report came out alongside several international initiatives to set IoT standards, such as in China and Europe, which placed U.S. agencies and industry in a race of sorts to set international baseline security standards for all connected devices.
The NIST report noted that cybersecurity for IoT is indeed a unique venture that requires tailoring of existing standards as well as the adoption of new ones to address pop-up network connections, shared system components, the ability to change physical aspects of the environment and related security connections.
The report concluded that without these standards, IoT systems would have gaps in too many areas, including: cryptographic techniques, incident management, network security, information security management systems, software assurance and more.
Written by Amber Jones, Freelance Writer