Greg Day, Vice President and Chief Security Officer, EMEA, Palo Alto Networks, shares insights on the importance of IoT security and why organisations need to pay attention to it.
As the world grows ever more connected, all our devices are becoming linked together. The activity tracker on my wrist wirelessly uploads data to my smartphone, which in turn controls entertainment hubs in the connected cars out on the drive. That same mobile device is the hub of most of my business connections – contacts, email, video conferencing – you name it. Doorbells, thermostats and even fridges are joining the connected world, exchanging data and instructions with smartphones and other devices.
This network – the Internet of Things – is set to grow massively as microchips are embedded into billions of previously “dumb” objects. From rubbish bins to robots, washing machines to production lines, a wide variety of objects and devices will share data through an internet connection.
The arrival of 5G is spurring better connectivity than traditional fixed networks while at the same time empowering huge volumes of connected devices, allowing wireless connectivity on a massive scale. But having so many devices and objects wirelessly networked creates huge security risks, since any network is only as secure as its weakest link.
In the connected world, a US$1 sensor can be connected to a billion-dollar network. Cheap microchips are placed on objects to act as sensors measuring data such as heat and wear and tear. The sensors are small, light and inexpensive. But they typically lack any type of security system.
In one famous hack, attackers entered a casino’s digital network by gaining access to the personal data of high rolling clients via a thermal sensor in the fish tank in the lobby. The attack was uncovered by cybersecurity experts but only after data had been exfiltrated. This shows that unguarded Internet of Things sensors create a world of dangers, opening up ever more entry points through which attackers can break into networks.
Bang your fists
While chief executives, finance directors and operations departments rightly focus on the mouth-watering commercial opportunities offered by the connected world, they must also stay alert to the increased threat of security breaches.
Chief information officers and chief information and security officers should be banging their fists on the boardroom table, insisting on risk assessments, visibility and segmentation.
As ubiquitous connectivity expands, large companies will find the number of devices connecting to their networks will grow from thousands to millions. The risks will spiral, and companies will need high-level artificial intelligence and machine learning tools to keep track of all these devices. They will need equally sophisticated technology to scan connected devices for security threats.
Get over the terminology
CIOs and CISOs have the task of educating their boards of directors about the risks of connectivity and delineating the solutions and budgets necessary for security.
The first place to start is with terminology. To my mind, the term ‘Internet of Things’ gives a false sense of security. It’s a promotional term. Businesspeople tend to associate IoT with consumer items such as FitBits and fridges. They imagine IoT is distinct from the Industrial Internet of Things (IIOT) which controls robots and production lines and other industrial networks such as as Operational Technology (OT) and Industrial Control Systems (ICS). These industrial networks include, for instance, those used in nuclear power stations, which were the target of the famous Stuxnet attack. Today, these systems are completely segmented. But part of the power of making things smart is being able to connect them to other things – to enable even smarter systems.
As everything becomes more connected, consumer IoT could easily become a gateway into industrial networks.
A company might install a smart vending machine in its office block and wirelessly connect it via the internet to a supplier to restock the contents. The vending machine would likely be on the same computer network as the building management system that controls the air conditioning and other functions. But this makes them vulnerable to human error, such as temporary connections that are done to save time, which are then never removed. Or the business might see value in the industrial and the business networks becoming connected – again creating a risk.
In such cases, something as simple as an illicit software update uploaded to the autonomous vending machine could potentially send code to the manufacturing plant and shut it down, causing millions of dollars of damage. That may sound like a doomsday scenario, but it is absolutely feasible. Such attacks have already been mounted on cash point networks, where attackers have injected code into the network to redirect funds.
You need visibility
A further challenge lies in the plethora of protocols and languages connected devices use to send and receive data. Artificial intelligence and machine learning software can read and translate these languages. But with new devices and services launching every day, this is a moving target and software must be regularly reviewed to deliver the most effective monitoring.
An important step in securing a network is identifying the company’s most essential activities and putting protections around them. For manufacturing companies, the production line is the key process. Essential machinery must be segmented from other parts of the company’s internet network such as marketing, sales and accounting. For most companies, just five to 10% of operations are critical. Segmenting these assets is vital for protecting strategic operations from attacks.
One of the greatest risks of the connected world is that something quite trivial, such as a cheap IoT sensor embedded in a doorbell or a fish tank, could end up having a huge impact on a business if it gets into the wrong communication flow and becomes an entry point for a cyberattack.
To address these risks, segmentation should be at the heart of every company’s connected strategy. That means defining the purpose of every device and object linked to a network and setting boundaries, so it only connects to parts of the network that help it serve that purpose. With 5G, a system known as network slicing helps create segmentation. Network slicing separates mobile data into different streams. Each stream is isolated from the next, so watching video could occur on a separate stream to a voice connection. This breaks the system down into manageable sections which also enhances security by keeping different operations separate and segmented.
In order to achieve general segmentation in their business, companies need to constantly analyse all of their connections, devices and connected items and have a clear idea of the purpose of each.
It’s about ubiquitous connectivity
To my mind, the term IoT trivialises connectivity without hammering home the dangers. Business executives tend to have differing notions of what constitutes IoT. For some, it includes a home printer connected to a computer; for others it extends to building management systems and smart energy meters; others understand its connections to industrial networks. Such confusion undermines the task of securing and segmenting every item connected to the network.
That’s why I prefer to speak about ubiquitous connectivity, as this emphasises the interrelated nature of our devices. IoT is promoted as a profit-boosting business opportunity without mentioning the risks. Ubiquitous connectivity helps executives understand that there are also security risks associated with connectivity, so they can grasp the importance of building visibility, monitoring and segmentation into their strategies.Click below to share this article