Last month, the UK government published new measures to help manufacturers boost the security of Internet-connected devices. Peter Batchelor, Director at Skybox Security, argues that while it’s good to see consumers being taught cyberhygiene, warnings about IoT security risks and best practices should be extended to the business environment.
In October, the Department for Digital, Culture, Media and Sport launched the Code of Practice for Consumer IoT Security. This is all well and good for consumers, but what about the use of IoT by enterprises or by government agencies themselves? IoT devices are notoriously unregulated or under-regulated, leaving organisations without guidance on how to benchmark their security.
As organisations embrace new workplace technologies, countless Internet-connected devices are potentially being introduced to IT and operational technology (OT) networks, giving hackers even more opportunities for infiltration. While it’s good to see consumers being taught cyberhygiene, warnings about IoT security risks and best practices should be extended to the business environment to make sure they aren’t compromised.
It is important to remember that IoT as a concept is still relatively new and therefore was not built on the principle of security by design. There is evidence that many of the IoT devices being used by businesses have in fact been designed with default usernames and passwords that are hard-coded into the firmware, meaning they cannot be changed.
Furthermore, IoT devices commonly use proprietary protocols with weak security measures, or simply don’t have any at all. When these security weaknesses are exploited, the victims may not be the device owner or vendor, meaning the cyber-risk IoT devices pose is very broad.
As we saw with the Mirai botnet, the attacker took advantage of insecure IoT devices and turned their power against the Internet itself using distributed denial of service (DDoS) attacks. It didn’t just affect select consumers, a single business or even a single sector – it disrupted the online world. The Mirai DDoS attacks showed how incredibly disruptive IoT botnets can be, and while IoT security should be a consumer concern, it should also be addressed at the organisational and even governmental level.
As much as organisations should be aware of the risks of their latest whizz-bang IoT device, they also need to understand the risks around legacy OT and how these devices interact with on-premises and cloud IT environments. That all starts with visibility – modelling the network infrastructure of these environments, their assets, security controls and vulnerabilities. Without visibility, there’s no foundation upon which to build the security processes needed to control an organisation’s attack surface, whether it includes IoT, OT, clouds, traditional IT or a mixture of all of these.
In Skybox’s 2018 Vulnerability and Threat Trends Report, it was found that almost 200 new OT-specific vulnerabilities were published during 2017. That’s a 120% increase over 2016 figures. Worryingly, a lot of the technologies affected by these vulnerabilities belong to a class of ‘Internet of Things’ that predates the Internet itself. Even some of the most standard security measures of modern technology either aren’t in place or don’t apply to OT, and the IT systems that oversee the OT environment can be surprisingly outdated as well.
Organisations need to be able to model these environments and their connections to the rest of the infrastructure. They must also identify where security weaknesses need to be shored up, which vulnerabilities have to be mitigated or remediated and create systematic, ongoing processes that continually reduce risk – no matter where it originates.
When today’s cyberattacks can have real-world consequences, it’s imperative that security teams know if the office’s lifts or locks are part of their attack surface. Once that has been established, they will need to monitor it in the same way they monitor their workstations or servers. Enterprises should consider how to unify the security management of IT and OT networks – and IoT devices – into a holistic program. While a Code of Practice for Enterprise IoT Security is hopefully in the wings, businesses must take IoT security into their own hands if they’re to guarantee the security of their organisation and their customers.
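As an added illustration of the visibility argument made above (this is example code, not Skybox’s product or anything from the original article), the model below treats an organisation’s network as zones joined by permitted firewall flows, then asks which IT, OT and IoT assets an Internet-positioned attacker could reach and which of those carry the weaknesses the article describes (hard-coded credentials, unauthenticated proprietary protocols, unpatched vulnerabilities). The inventory, zones and flows are all constructed; the zone-to-zone reachability is a deliberate simplification that ignores host-level hardening.

```python
"""Toy attack-surface model: which assets are Internet-reachable, and which of
those are weak. All data here is constructed for illustration."""
from collections import deque

# Constructed asset inventory: name -> network zone and known weaknesses.
ASSETS = {
    "web-proxy": {"zone": "dmz",      "weaknesses": []},
    "hr-laptop": {"zone": "office",   "weaknesses": []},
    "lift-ctrl": {"zone": "building", "weaknesses": ["hard-coded credentials"]},
    "door-lock": {"zone": "building", "weaknesses": ["unauthenticated protocol"]},
    "plc-1":     {"zone": "ot",       "weaknesses": ["unpatched vulnerability"]},
}

# Constructed firewall policy: (source zone, destination zone) pairs allowed.
ALLOWED_FLOWS = {
    ("internet", "dmz"),
    ("dmz", "office"),
    ("office", "building"),   # office LAN can talk to the building-automation VLAN
    ("building", "ot"),
}

def reachable_zones(start, flows):
    """Zones reachable from `start` by chaining permitted flows (breadth-first).
    Simplification: reaching a zone is treated as enough to pivot onward."""
    seen, queue = {start}, deque([start])
    while queue:
        zone = queue.popleft()
        for src, dst in flows:
            if src == zone and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen

def exposed_assets(assets, flows, origin="internet"):
    """Assets on the attack surface seen from `origin`, with their weaknesses."""
    zones = reachable_zones(origin, flows)
    return {name: a["weaknesses"] for name, a in assets.items() if a["zone"] in zones}

def weak_exposed_assets(assets, flows, origin="internet"):
    """Subset of the exposed assets that also carry a recorded weakness."""
    return {n: w for n, w in exposed_assets(assets, flows, origin).items() if w}

if __name__ == "__main__":
    print("Weak and Internet-reachable:", weak_exposed_assets(ASSETS, ALLOWED_FLOWS))
    # Segmenting office from building automation removes lifts, locks and the PLC
    # from the Internet-facing surface without touching the devices themselves.
    segmented = ALLOWED_FLOWS - {("office", "building")}
    print("After segmentation:", weak_exposed_assets(ASSETS, segmented))
```

Running it shows all three weak OT/IoT devices exposed under the permissive policy and none after the office-to-building flow is removed, which is the kind of question the article says security teams must be able to answer about their lifts and locks.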