The Internet of Things (IoT) isn’t just a futuristic vision from science fiction movies. It’s already woven into the fabric of our daily lives, silently sending and collecting data to and from everyday objects all around us. While executives might readily associate IoT cybersecurity risks with networked printers, manufacturing equipment, and perhaps cloud services, another important but little-noticed impact lies in the hidden world of data-collection point devices that most of us might not even think about as exposure risks.
TechTarget reports that IoT endpoints have become prime targets for hackers [1]. And Forrester Research, a noted Internet consulting firm, tells us that IoT devices were the most reported targets for external attacks, even more than mobile devices and computers [2].
“Hackers scan networks for devices and known vulnerabilities and increasingly use nonstandard ports to get network access. Once they have device access, it’s easier to avoid detection through fileless malware or software memory on the device,” TechTarget continues.
Most organizations don’t have visibility into all their IoT endpoint deployments; in fact, a Ponemon Institute report [3] showed that an average of 48% of devices—or nearly 65,000 per organization—are at risk because they’re either “no longer detected by the organization’s IT department or the endpoints’ operating systems have become outdated.” The report further found that 63% of respondents believe that their “lack of visibility into their endpoints is the most significant barrier to achieving a strong security posture.”
The Usual Suspects Require Unusual Security
Consider the digital printer you use every day. You may have a standalone print server if you have more than one printer, or there might be one built into the device. Here’s an example from one leading manufacturer of digital print servers, which provides detailed recommendations to its users because it is painfully aware that many cyberattacks have started in connected devices that users have not considered in their security plans:
- Configure the server to limit or control external communications by using designated IP addresses and by disabling network ports and protocols.
- Always deploy servers in a protected network environment with accessibility properly configured and managed by a qualified and authorized network administrator.
- Use IP filtering to identify suspicious data packets and control what IP traffic is allowed into and out of your network.
- Use SNMP encryption to ensure confidentiality, message integrity, and authentication.
- Deploy secure erasure of deleted print jobs to meet US Department of Defense standards.
- And at least a dozen pages more.
Impressive, and this is only for the office copier/printer. From this one example, we get a good idea about the complexity and seriousness of securing the many IoT devices in use today.
Beyond the Obvious: A Glimpse into the Unexpected
The actual scope of IoT extends far beyond these familiar examples. Recognizing this, Stanford University, which has been the incubator for so many Silicon Valley technology companies, has a webpage devoted to IoT security [4]. They rank the vulnerability of various devices and set standards that apply to all the devices “that are connected to a Stanford network or used in support of Stanford services.”
For example, their definition of high-risk devices reads, “Systems that could have a significantly adverse impact on the mission, safety, finances, or reputation of the university should there be a loss of confidentiality, integrity, or availability.”
They give examples of what these systems might include:
- Systems related to safety and critical infrastructure
- Power generation or distribution systems
- Life safety
- Fire alarm/detection systems
- Gas alarm/detection systems
- Biosafety alarm/detection systems
- Physical security systems (electronic door locks)
- Medical devices
- Devices subject to regulatory obligations
- Point-of-sale devices
- Vending machines
Stanford University defines the internet of things this way: “An IoT device is defined by having an embedded operating system that does not support the installation of security agents such as antivirus and does not lend itself to frequent software updates.”
In addition to the printers mentioned earlier, Stanford University adds smart speakers, smart lights, industrial controls, smart TVs, video streaming devices, personal network attached storage devices, VOIP phones, and conference room systems—plus a few of these often overlooked systems: security cameras and door locks, smart thermostats, digital signage, coffee machines, and digitized trash cans.
This is just a glimpse into the vast and ever-expanding universe of IoT. These seemingly mundane objects are quietly collecting and transmitting data, painting a detailed picture of our lives, businesses, and the world around us. And they are ripe for hacking and exploitation.
The Problem: Complexity at an Unprecedented Scale
While IoT advancements offer exciting possibilities, they also create unforeseen challenges for businesses. The sheer scale and diversity of connected devices bring complexity at an unprecedented scale:
- Privacy: Data collected from seemingly mundane objects can be aggregated to paint a detailed picture of individuals and businesses. Balancing the benefits of data-driven insights with transparent data practices is crucial.
- Management: Integrating and managing a multitude of devices with varying protocols and functionalities can be a complex IT headache. Imagine managing a network of coffee machines, trash cans, and building materials alongside traditional IT infrastructure.
- Interoperability: Devices from different manufacturers might not “talk” to each other, hindering data analysis and the full potential of the IoT ecosystem. Imagine production-line tools from different brands not sharing data, creating silos of information, and hindering efficiency gains.
- Security: Every connected device is a potential entry point for cyberattacks. Securing a smart speaker is one thing, but securing thousands of diverse devices with varying security protocols and vulnerabilities is a whole different ball game. This complexity leads to a variety of very real cybersecurity risks:
- An expanded and expanding attack surface—In its “State of IoT—Spring 2023” report [5], IoT Analytics put the number of active IoT endpoints in 2022 at 14.3 billion—an 18% increase over the prior year’s count. “Managing Risks and Costs at the Edge” [3] by the Ponemon Institute found that the average organization manages approximately 135,000 endpoint devices. Additionally, IoT devices are generally on 24/7, with many continuously connected.
- Maintenance and update challenges—Device vendors might not issue updates, such as a security patch to address a vulnerability that hackers could exploit, particularly if the endpoint device is an older model.
- Shadow IoT—Many IoT endpoints are deployed without official support or permission from IT. They create risks for the enterprise because they might not meet an organization’s security standards, or be configured and deployed in ways that follow security best practices. IT administrators and security teams also might not be monitoring them or their traffic.
- Unencrypted data transmissions—A 2020 report from Palo Alto Networks [6] found that 98% of all IoT device traffic was unencrypted, “exposing personal and confidential data on the network.”
- DNS threats—IoT device connections often rely on DNS, a decentralized naming system from the 1980s, which might not handle the scale of IoT deployments that can grow to thousands of devices.
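One way to measure the visibility gap and the shadow IoT risk described above, as an added example that is not part of the original article: reconcile the devices observed in DHCP leases against the asset inventory. The inventory fields, the lease line format, the addresses, and the 30-day threshold are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data: an inventory export and DHCP lease observations.
INVENTORY = [
    {"mac": "02:00:00:00:10:01", "name": "print-server-2f"},
    {"mac": "0200.0000.1002", "name": "door-lock-lobby"},
    {"mac": "02-00-00-00-10-03", "name": "signage-cafeteria"},
]
LEASES = """\
2024-03-01T08:00:00 02:00:00:00:10:01 10.20.0.11 print-server-2f
2024-03-01T08:05:00 02:00:00:00:10:02 10.20.0.12 door-lock-lobby
2024-01-02T09:00:00 02:00:00:00:10:03 10.20.0.13 signage-cafeteria
2024-03-01T08:07:00 02:00:00:00:99:AA 10.20.0.57 coffee-machine
"""

def norm_mac(mac):
    """Canonicalize colon, dash and dotted MAC notations to aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def last_seen(lease_text):
    """Map each MAC to its newest (timestamp, ip, hostname) observation."""
    seen = {}
    for line in filter(str.strip, lease_text.splitlines()):  # skip blank lines
        ts, mac, ip, host = line.split()
        obs = (datetime.fromisoformat(ts), ip, host)
        mac = norm_mac(mac)
        if mac not in seen or obs[0] > seen[mac][0]:
            seen[mac] = obs
    return seen

def reconcile(inventory, lease_text, now, max_age_days=30):
    """Return (shadow, stale): devices on the network that are missing from
    the inventory, and inventoried devices not seen within max_age_days."""
    seen = last_seen(lease_text)
    known = {norm_mac(d["mac"]): d["name"] for d in inventory}
    cutoff = now - timedelta(days=max_age_days)
    shadow = sorted((mac, ip, host) for mac, (_, ip, host) in seen.items()
                    if mac not in known)
    stale = sorted(name for mac, name in known.items()
                   if mac not in seen or seen[mac][0] < cutoff)
    return shadow, stale

if __name__ == "__main__":
    print(reconcile(INVENTORY, LEASES, datetime(2024, 3, 1, 12, 0)))
```

A MAC address is asserted by the device itself, so a match shows that the inventory covers an address, not that the device is the one recorded. Devices with static addresses never appear in DHCP leases and need a second observation source.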
The Solution: A Strategic Approach to Conquering IoT Challenges
Despite the challenges, the potential of IoT is undeniable. Businesses that embrace the hidden world of IoT and take a strategic approach can reap significant rewards. Here’s how:
- Start small and scale strategically: Begin with pilot projects to understand the technology and its impact on your specific needs and operations before large-scale deployment. This allows controlled experimentation and minimizes risks.
- Prioritize security from the outset: Conduct regular security assessments and implement robust security protocols across all connected devices, regardless of their perceived importance. Remember, every device is a potential entry point.
- Be transparent and build trust: Clearly communicate data collection and usage practices to build trust with customers and employees. Transparency fosters understanding and mitigates privacy concerns.
- Invest in expertise and build internal capabilities: Build or acquire the skills needed to manage and analyze data from diverse IoT devices. This may involve hiring data analysts, security specialists, and IT professionals with expertise in IoT integration.
- Advocate for and adopt open standards: Promote and adopt open standards to ensure interoperability between devices and simplify data integration. This allows seamless communication and data sharing across different brands and manufacturers.
By acknowledging the hidden and pervasive world of IoT and taking a strategic approach, businesses can navigate the complexities and unlock the immense potential of this transformative technology. The future is connected, and those who embrace the unseen potential of IoT will be well-positioned to thrive in the data-driven world of tomorrow, provided they can do it securely.
Sagacent Can Help
If you are considering integrating new IoT devices in your existing business or if you are concerned that you may have vulnerable devices already connected to your network, call to book a conversation with Sagacent. Our experts can assess your specific environment and make recommendations to identify your risks and outline security procedures that will protect your business now and in the future.