By next year, Gartner predicts that the number of devices connected to the Internet will reach 20.4 billion. That’s up 14.1 billion from 2016 – a shocking amount of growth in a short period of time and quintuple the number of usable IP addresses that existed under IPv4.
Like thought leaders predicted a decade ago, the burgeoning Internet of Things (IoT) is outgrowing mobile phones and dominating network connectivity in both the public and private sector. Unfortunately, the more Internet connections an organization has, the more vulnerable it is to attack; but IoT vendors don’t seem to care.
While today’s IoT is more secure than the devices of yesterday, security remains little more than an afterthought for too many product developers. According to scientist Sarah Zatko, IoT vendors continue to omit basic security features out of mere complacency. “They’re just not bothering,” said Zatko, adding that “the needle hasn’t moved much in 15 years”.
The Consequences of Insecure IoT
On one hand, the almost impossibly fast growth of IoT means that a security gap is inevitable. On the other hand, this gap has consequences which organizations cannot afford to ignore: according to research, 48% of companies have already been the victim of at least one IoT attack.
Some of these incidents are damaging enough to gain significant publicity. In 2016, the Mirai botnet propagated through open Telnet ports on 600,000 IoT devices and brought down Internet connectivity across the U.S. East Coast. Other major attacks include:
- EchoBot – with similar source code to Mirai, EchoBot targeted popular consumer and enterprise routers using over 26 unpatched vulnerabilities. It’s spread continued into 2019, and still threatens organizations today.
- TheMoon – in many ways TheMoon represents “peak malware,” allowing threat actors to rent out thousands of hijacked routers and modems around the world for various malicious purposes.
- Industroyer – in 2016, the Industroyer malware targeted Ukraine’s power grid and left thousands without electricity for a few hours. In 2017, researchers concluded that points of entry had been exploited within “Industrial IoT” deployed throughout the grid.
What happened in the Ukraine is instructive. As time wears on, critical infrastructure in the United States will depend on remote access technologies facilitated by IoT or will at least be in contact with IoT devices on the same network. Current security standards leave vulnerabilities that could have devastating consequences on businesses, their customers and the nation as a whole.
Regulatory Attempts
Efforts to regulate IoT like other technologies – including cloud and storage systems for classified information – have failed on more than one occasion. In 2017, the “Internet of Things Cybersecurity Improvement Act” was proposed to Congress, but never passed.
A new version of the same bill was introduced earlier this year, with a narrower focus. If passed, it would have put the National Institute of Standards and Technology (NIST) in charge of developing security standards for IoT devices by last month – a move that many in the industry approved of. However, the act is still in limbo and no further developments have occurred.
Unfortunately, it may take a serious incident before the government is prepared to hold IoT vendors to a higher standard. In the meantime, vendors simply don’t face enough pressure from the free market to take care of the problem themselves. For now, organizations must shoulder the responsibility of securing their own devices.
Six Ways to Improve IoT Security
Fortunately, there are many ways to significantly improve IoT security within a public or private enterprise environment. Here are six:
1. Minimize device footprint – the billions of IoT devices in use today, not all serve an important purpose. Minimize the number of devices in your organization, removing the frivolous and using non-networked solutions wherever possible. Remember that any opening to the Internet creates a potential route for attackers.
2. Segment IoT from critical assets – whenever possible, keep IoT disconnected from networks used to access classified information and sensitive data. Barriers between critical and non-critical assets in your organization make it difficult for attackers to move laterally even if they gain a foothold through one opening.
3. Replace default credentials – according to the Office of Management and Budget (OMB), lack of strong authentication is one of the most common security mistakes across federal agencies. IoT devices rarely require administrators to change their weak default credentials. Ensure that every networked device in your organization is tightly secured.
4. Use two-factor authentication – in the same vein, two-factor authentication (2FA) creates an extra barrier against brute-forcing and stolen login information. Most IoT devices are compatible with 2FA, but – again – they will not prompt users to install it. Take the initiative to keep devices as secure as possible.
5. Choose high-reputation vendors – not all IoT is created equal, and some vendors have a better reputation for security than others. Research IoT vendors as part of your risk management strategy and avoid those known for past attacks, lax standards or slow firmware updates.
6. Track and test devices – tracking IT assets is an important part of any security strategy, and IoT is no exception. Track all your IoT assets, and regularly test them for strong authentication. Firmware updates sometimes include patches for known vulnerabilities, so ensure that the latest version is always installed.
Adopting a Threat-Based Mentality
While they have never been more serious than they are today, the risks of IoT have been understood for over a decade. If organizations have ignored them, it’s because they have adopted a checklist mentality: but following regulations to the tee won’t protect against threats that legislation doesn’t address.
In order to protect their data, revenue and customers, today’s organizations must take a proactive approach to security. With the help of vulnerability and penetration tests, cyber hunt and asset management, “cybersecurity” can mean a lot more than compliance: it can mean safety against malware and targeted attacks.