While the Internet of Things poses a wealth of business opportunities, IoT data also ushers in new threats that IT pros are just beginning to understand.
SAN FRANCISCO -- While many see IoT-connected devices as the next wave of business opportunity, experts warn IT pros to balance caution with the hype.
Internet of Things-connected devices bring immense promise for businesses. They can gather data about how consumers use products and the environment in which these products operate. IoT-generated data can help companies know how to up- and cross-sell products or provide service before a part wears out. IoT is already having widespread impact in myriad industries, from retail to oil and gas to auto manufacturing and healthcare.
But if IoT data provides companies with new revenue opportunities, it also opens new points of vulnerability for attackers to steal valuable data or take control of devices remotely. As devices—such as heart monitors, cars and fridges—become connected to the Internet, and as these devices transmit data to the cloud, this data can be easily compromised. These kinds of breaches also create greater impact and scale.
If the devices are more vulnerable, so is the data. While the industry has focused on the security of IoT devices, there needs to be equal focus on IoT-generated data, industry watchers counsel. IoT devices may not yet be subject to the same quality control and standardized procedures as other products, creating a host of new data breach possibilities.
“There are perils along this journey [as IoT data is created] that we need to be aware of and manage effectively,” warned Gregg Hoffer, vice president of engineering at Globalscape, a provider of data exchange security technologies, in a session at the 2017 RSA Conference.
“As more devices are connected to the Internet, the attack surface is larger, with more points of peril,” Hoffer noted. “It’s a richer field for people to plunder.”
Hoffer laid out just one example scenario in which IoT data could be intercepted.
“What if someone injects malicious payload into the car’s sensor system,” Hoffer hypothesized, “so that the car thinks it’s about to have a collision and can avoid it only by turning to the left?” Imagine that turn to the left, instead, sends a car into oncoming traffic.
“Suddenly the data becomes just as critical as the protection of the endpoint,” Hoffer said.
If there’s any doubt about the possibility of a nefarious IoT device takeover, the Mirai botnet attack in October 2016 indicates how precarious the safety of IoT data is. With the Mirai disruption, cyberattackers gained access to various connected “things” -- including consumer devices such as surveillance cameras, routers and DVRs -- and initiated distributed denial of service (DDoS) attacks on the domain name server provider Dyn. These assaults in turn affected countless web sites, including Twitter, Netflix and Spotify. The DDoS attacks flooded these sites with traffic, slowing them to a crawl.
But enterprises aren’t necessarily ready to protect themselves against possible attacks. The “2017 State of Mobile & Internet of Things (IoT) Application Security Study” indicated that 70% of respondents are concerned about the use of insecure IoT applications in the workplace but don’t necessarily have a strategy to secure those apps.
While IT professionals are concerned, they may also be stuck in old ways operationally. As Ryan Lester, director of IT strategy at LogMeIn, noted on IoT Agenda, IoT ushers in a “whole new set of security challenges that can’t be solved by retrofitting current security solutions and following the same old rules.” But security pros may fall back on their standard-issue ways of operating.
The rate of change is also introducing another challenge with IoT device security: quality control. According to Hoffer, the breakneck speed with which IoT markets are developing can undermine the quality control of the supply chain, from the integrity of the device to the quality of the software code in that device.
“Have corners been cut along the way?” Hoffer asked. “Does the hardware have enough memory and compute power to do SSL [Secure Sockets Layer] encryption the right way?” Hoffer urged IT professionals to participate in developing standards that can help standardize and govern IoT devices and their data.
Cisco has been on the front lines of developing a standards-based approach to IoT cybersecurity with its Manufacturer Usage Description (MUD). The objective of MUD is to provide guidance for manufacturers on appropriate IoT device usage and to reduce complexity for network and security administrators as they secure IoT environments.
Write policies and procedures. These should be analogous to bring-your-own-device policies, Hoffer said. Policies should cover various issues:
Manage IoT footprint. Don’t let the impact of IoT devices and data proliferate unchecked, particularly given the widespread potential impact of an IoT breach. Don’t let sprawl get out of control with the false hope you’ll deal with it later.
Immediately establish an IoT procurement process. Map the path of IoT data as it wends through the system. Where does the data go and which entities touch it? Which hardware and software does it interact with and who are the human beings interacting with it? Reference the policies and procedures of service providers involved in the procurement process.
Learn from hacking examples. Recent demonstrations of the ability to hack Wi-Fi connected HVAC (heating, ventilation and cooling) systems as well as pacemakers give pause about IoT data in the enterprise. IT professionals need to think about these points of vulnerability as they relate to their own environments.
Enhance training. Ensure that staff understand the risks of the data they handle and rigorously document the data journey.
Become involved in standards bodies. Participate in the evolving standards bodies to help shape the future regulatory environment and safety of IoT data.
Managing Editor, Cisco.com