“Who would want to hack into our IoT systems? There’s no data in them that anyone can monetize, so why would they be targets?”
These are questions that Paul Roberts, the founder and editor-in-chief of the Security Ledger, hears all the time, as companies attempt to explain why they don’t take Internet of Things (IoT) security seriously. The Security Ledger is an independent security news and analysis publication that explores the intersection of cyber security with the IoT.
With billions and billions of connected devices out there in the world, the IoT presents new kinds of threats that many companies are ignoring today. The reasons vary, but it often is because organizations either don’t think they are vulnerable, or they believe a fix may be too costly. However, IoT attacks can result in hackers compromising entire enterprise networks, shutting down machinery, or even worse, causing life-threatening harm. The threats are real and they are everywhere.
The hack of the Tesla Model S, a car which costs around $100,000, is now a case study in what to do and not to do in IoT security – as is the hack of a moving Jeep Cherokee. While these were proactive efforts, the hack of the production networks of a steel plant in Germany was not. In reporting this attack, Hacked.com says that “Luckily, no lives were lost, but what if it were something more sinister, like an intentional flaw inserted into the production of consumer cars or airplane parts?”
It is the “what if” that companies need to be concerned about, says Roberts. “The logic for putting a sensor on a complex piece of machinery like an automobile, a jet airline, or a piece of farm equipment is huge. Real-time information about performance, product use, part malfunctions, and servicing needs can be of great value to companies. And it’s easy to connect all kinds of things to the Internet through inexpensive sensors, cloud-based computing, and infrastructures.”
However, notes Roberts, the problem is that IoT capabilities are moving ahead of the security conversation. “What companies forget about is that by connecting an IoT device, they are potentially inviting others to access it, including people they don’t want,” Roberts says. “Even trivial vulnerabilities can give an attacker control over a system,” he adds. “It’s time companies wake up to the fact there are real threats out there – and it’s time to start addressing them in a comprehensive way.”
Just where should you start? Here are three critical steps that Roberts shared for companies that want to secure their IoT devices.
1. Recognize that your company has adversaries. Roberts says that the first thing to do is to assume your company is going to be attacked. “Acknowledge that a hacker has the know-how and skills to attack your system,” says Roberts. “And then, when you think like a hacker, you can find and address the risks or the vulnerabilities from the software design and information security perspective.” For example, Roberts suggests searching for and examining exploitable flaws in software-based firmware that runs a piece of equipment.
2. Protect your customers. “Even if you think security features are built into your products, they may be inadequate once in the hands of your customers,” says Roberts. He recommends sharing how a product might be exploited and providing advice so customers can protect themselves. A simple example would be to require a password change after an initial configuration, an exercise that could potentially eliminate about 90% of a threat risk.
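The forced password change after initial configuration that Roberts describes is easy to enforce in device firmware. The following is an added example, not code from the article or from any product it mentions: it models a device that ships with a factory default credential (the value `admin`, the twelve-character minimum and the small blocklist are all constructed for the example) and refuses every request other than the setup endpoint until that default has been replaced with an acceptable password.

```python
import hashlib
import hmac
import os

# Constructed sample: the credential printed on the label of a hypothetical device.
FACTORY_DEFAULT_PASSWORD = "admin"

# Constructed list of well-known defaults the device refuses as a replacement.
BLOCKLIST = {"admin", "password", "12345678", "123456", "default", "root"}

MIN_LENGTH = 12  # assumption for the example; real policy should follow your product's guidance


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 from the standard library; iteration count is an example choice.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class DeviceAuth:
    """Models a device that must have its default credential replaced before use."""

    def __init__(self) -> None:
        self._salt = os.urandom(16)
        self._hash = _hash_password(FACTORY_DEFAULT_PASSWORD, self._salt)
        self.initial_setup_done = False

    def _matches_current(self, candidate: str) -> bool:
        # Constant-time comparison so a wrong guess is not distinguishable by timing.
        return hmac.compare_digest(_hash_password(candidate, self._salt), self._hash)

    def password_is_acceptable(self, candidate: str) -> tuple[bool, str]:
        """Reject well-known defaults, short passwords, and reuse of the current one."""
        if candidate.lower() in BLOCKLIST:
            return False, "password is on the well-known-default blocklist"
        if len(candidate) < MIN_LENGTH:
            return False, f"password must be at least {MIN_LENGTH} characters"
        if self._matches_current(candidate):
            return False, "new password must differ from the current one"
        return True, "ok"

    def complete_initial_setup(self, current: str, new: str) -> tuple[bool, str]:
        """The only action allowed while the factory default is still active."""
        if not self._matches_current(current):
            return False, "current password incorrect"
        ok, reason = self.password_is_acceptable(new)
        if not ok:
            return False, reason
        # Re-salt on rotation so the old and new hashes share nothing.
        self._salt = os.urandom(16)
        self._hash = _hash_password(new, self._salt)
        self.initial_setup_done = True
        return True, "initial setup complete"

    def authorize(self, password: str, endpoint: str) -> tuple[bool, str]:
        """Gate every endpoint on both a correct password and completed setup."""
        if not self._matches_current(password):
            return False, "authentication failed"
        if not self.initial_setup_done and endpoint != "/setup":
            return False, "default credential still active: complete initial setup first"
        return True, "allowed"


if __name__ == "__main__":
    device = DeviceAuth()
    print(device.authorize("admin", "/api/status"))          # blocked until setup is done
    print(device.complete_initial_setup("admin", "password"))  # blocklisted replacement
    print(device.complete_initial_setup("admin", "correct horse battery staple"))
    print(device.authorize("admin", "/api/status"))           # old default no longer works
```

The point the example makes is that the check lives in the authorization path, not only in a setup wizard: a customer who skips the wizard still cannot use the device on its factory credential, and the old default stops working the moment setup completes.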
3. Don’t forget about your supply chain. For your IoT devices to be secure, it’s critical to start exploring who makes your products and all their components, so you can validate the source and ensure its integrity. “Companies that work with the military have developed mature processes for assessing the integrity of each component that they use,” Roberts says. “Develop a strategy so you know what lives inside your networking equipment or machinery.” Roberts adds that supply chain decisions have been primarily cost-based up to now, but the supply chain needs to be the next big focus, as it’s a significant area of concern.
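One concrete form of “knowing what lives inside” a device is a trusted component manifest that a firmware bundle is checked against before it is accepted. The code below is an added example rather than anything from the article or from a specific vendor: the manifest, the supplier names, and the firmware bundle contents are all constructed, and the check reports components that are tampered, missing, or present without any manifest entry.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class IntegrityReport:
    verified: list[str] = field(default_factory=list)
    mismatched: list[str] = field(default_factory=list)   # hash differs from manifest
    missing: list[str] = field(default_factory=list)      # in manifest, absent from bundle
    unexpected: list[str] = field(default_factory=list)   # in bundle, absent from manifest

    @property
    def ok(self) -> bool:
        return not (self.mismatched or self.missing or self.unexpected)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(known_good: dict[str, tuple[str, bytes]]) -> dict[str, dict[str, str]]:
    """Record supplier and SHA-256 for each component from known-good copies."""
    return {
        name: {"supplier": supplier, "sha256": sha256_hex(content)}
        for name, (supplier, content) in known_good.items()
    }


def verify_components(manifest: dict[str, dict[str, str]],
                      bundle: dict[str, bytes]) -> IntegrityReport:
    """Compare every component in a firmware bundle against the trusted manifest."""
    report = IntegrityReport()
    for name, entry in manifest.items():
        if name not in bundle:
            report.missing.append(name)
        elif sha256_hex(bundle[name]) != entry["sha256"]:
            report.mismatched.append(name)
        else:
            report.verified.append(name)
    for name in bundle:
        if name not in manifest:
            report.unexpected.append(name)
    return report


# Constructed sample data: known-good components as received from (hypothetical) suppliers.
KNOWN_GOOD = {
    "bootloader.bin": ("Example Silicon Co.", b"BOOT v1.4 constructed bytes"),
    "rtos-kernel.bin": ("Example RTOS Vendor", b"RTOS 3.2 constructed bytes"),
    "tls-lib.so": ("Example Crypto Library", b"TLS 1.3 library constructed bytes"),
}

# Constructed sample: a bundle in which tls-lib.so was altered and an extra binary appeared.
SUSPECT_BUNDLE = {
    "bootloader.bin": b"BOOT v1.4 constructed bytes",
    "rtos-kernel.bin": b"RTOS 3.2 constructed bytes",
    "tls-lib.so": b"TLS 1.3 library constructed bytes with an unexpected change",
    "debug-agent.bin": b"not in the manifest at all",
}


def run_example() -> IntegrityReport:
    manifest = build_manifest(KNOWN_GOOD)
    return verify_components(manifest, SUSPECT_BUNDLE)


if __name__ == "__main__":
    result = run_example()
    print("accept bundle:", result.ok)
    for label in ("verified", "mismatched", "missing", "unexpected"):
        print(f"{label:>10}: {getattr(result, label)}")
```

A manifest like this only helps if it is itself trusted, so in practice it is signed by the integrating vendor and the check runs both at build time and on the device before an update is applied; the report structure is what feeds the supply chain review Roberts calls for, because it names the supplier of every component that failed.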
Roberts also shares that people aren’t used to hackers getting into sectors like manufacturing, energy, and healthcare. But that too is changing as hackers become more sophisticated. For instance, the German Federal Office for Information Security says the steel plant attackers had know-how in not only conventional IT security, but also in applied industrial control and production processes.
“The IoT comes with a trade-off,” concludes Roberts, “and companies can’t just have magical thinking that it’s going to reap all the benefits without any cost in tending to it. While the IoT and connecting devices are all good, there is a downside and the sooner companies recognize this, the better.”