4 Sectors More Vulnerable Because of IoT

Wondering which sectors are most vulnerable because of the explosion of the internet of things (IoT)? The short answer is, “all of them,” but let’s take a look at four sectors that are growing increasingly more vulnerable to attack as they continue to connect to more devices.

Trucking

While many cybersecurity practitioners may not list truck drivers high on their threat vulnerability radars, the transportation industry is slowly becoming a hotbed of vulnerabilities. 

According to Omnitracs, the increased use of fleet telematics, IoT devices and electronic logging devices, in addition to the growing popularity of autonomous and electric trucks, creates endless opportunities for hackers. “As technology becomes more integrated within trucking fleets, they need to put a cybersecurity program in place,” said Sharon Reynolds, CISO of Omnitracs.
 
A hacker could install malware to the truck’s operation system, potentially locking all driver functions and endangering live. It’s another unintended consequence of technological advancements: When everything is connected to the internet, everything is vulnerable to attack.

Consumer-Related Devices

When it comes to product development, security historically has been an add-on item, tacked on at the last minute before a product is pushed to market. Consumer-related products, whether a baby monitor or a connected toaster, are no different.

“The rapid adoption of connected devices has sent manufacturers rushing to slap connectivity on to many household devices with security as an afterthought (paradoxically, including systems that provide physical security),” said Moshe Elias, director of product marketing at Allot Communications. “Considering the statistic that 60 percent of the IoT installed are consumer-related devices, the products in our homes translate into a virtual candy store of opportunities for hackers.”

One vulnerable IoT device opens the door to the home network and all the devices and computers connected to the home network for an attacker, and Elias said that once hackers have control over one device, it becomes easier for them to hack all other devices since they seem to originate from within the home network—the “trusted network.”

Utilities and Critical Infrastructure

Advanced persistent threat (APT) groups, such as Black Energy and its presumed successor GreyEnergy have been targeting the energy sector for several years, often leveraging a vulnerability in an IoT device to gain access into the network.

Earlier this month, a critical water utility in North Carolina was hit with a ransomware attack, leaving the victim with the onerous task of having to rebuild several databases. Whether it’s through a phishing attack or a vulnerable IoT device, attackers look for and find the easiest point of entry. With more connected devices being used across critical infrastructures, the industry is fast becoming a prime target.

A  report released earlier this year by Indegy found that nearly 60 percent of executives at critical infrastructure operators reported a lack of appropriate controls when it comes protect their environments from security threats. Businesses that use IoT devices have a lot to worry about, Elias said. With each device that is added, the attack surface expands, opening more and more potential entry points, whether through an employee’s email address, a web service or a connected fingerprint scanner.

Health Care

Earlier this month, NIST warned that the vulnerabilities in healthcare IoT create enormous risks. As a result, NIST drafted a framework, “Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks.”

Because IoT devices, “interact with the physical world in ways conventional IT devices usually do not,” NIST said, “the potential impact of some IoT devices making changes to physical systems and thus affecting the physical world needs to be explicitly recognized and addressed from cybersecurity and privacy perspectives. Also, operational requirements for performance, reliability, resilience and safety may be at odds with common cybersecurity and privacy practices for conventional IT devices.”

Many organizations within the healthcare sector, including healthcare providers, have adopted IoT devices. In some cases, providers have moved to in-home devices to reduce the cost of operations and increase the quality of service. But, Elias said, even though they are for medical purposes, unsecured IoT devices that connect to the home network can be compromised and used as a beachhead to access the network of the healthcare organization.

Mitigating the Risks of IoT Devices

The lack of regulation and enforcement of security controls in IoT continues to be a factor in why the devices are vulnerable. Security controls that were designed for IT often don’t translate over to IoT devices, which are largely unable to support a client-based security software model. To mitigate risks of IoT devices, Elias said, “Both consumers and organizations should purchase connectivity from ISPs and mobile operators who also offer IoT security services and issue network-based IoT security technologies for on-premises deployments.

“While regulators and industry associations are making steps in this direction, such as the creation of the CTIA Cybersecurity Certification Program for Cellular-Connected IoT Devices, broader adoption and enforcement will still take time. In the meantime, we still have 10 billion devices out there to deal with,” he added.

Featured eBook
The Second Wave of IT Security: How Today’s Leaders See the Future

The Second Wave of IT Security: How Today’s Leaders See the Future

As network security issues grew in the 1970s, and the 1980s brought the widespread use of the internet, the IT security profession expanded to address the malicious threats and innocent user mistakes of highly connected users and machines. Today, the security industry is experiencing what could be called a renaissance of sorts. Security professionals are ... Read More
Security Boulevard
Kacy Zurkus

Kacy Zurkus

Kacy Zurkus is a cybersecurity and InfoSec freelance writer who has contributed to several publications including Medium, CSO Online, The Parallax, InfoSec Magazine and K12 Tech Decisions. She covers a variety of security and risk topics. She has also self-published a memoir, "Finding My Way Home: A Memoir about Life, Love, and Family" under the pseudonym "C.K. O'Neil." Zurkus has nearly 20 years experience as a high school teacher on English and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master's in Education from University of Massachusetts (1999) and a BA in English from Regis College (1996). In addition, she's also spoken on a range of cybersecurity topics at conferences and universities, including SecureWorld Denver and the University of Southern California.

kacy-zurkus has 60 posts and counting.See all posts by kacy-zurkus