Wondering which sectors are most vulnerable because of the explosion of the internet of things (IoT)? The short answer is, “all of them,” but let’s take a look at four sectors that are growing increasingly more vulnerable to attack as they continue to connect to more devices.
While many cybersecurity practitioners may not list truck drivers high on their threat vulnerability radars, the transportation industry is slowly becoming a hotbed of vulnerabilities.
When it comes to product development, security historically has been an add-on item, tacked on at the last minute before a product is pushed to market. Consumer-related products, whether a baby monitor or a connected toaster, are no different.
“The rapid adoption of connected devices has sent manufacturers rushing to slap connectivity on to many household devices with security as an afterthought (paradoxically, including systems that provide physical security),” said Moshe Elias, director of product marketing at Allot Communications. “Considering the statistic that 60 percent of the IoT installed are consumer-related devices, the products in our homes translate into a virtual candy store of opportunities for hackers.”
One vulnerable IoT device opens the door to the home network and all the devices and computers connected to the home network for an attacker, and Elias said that once hackers have control over one device, it becomes easier for them to hack all other devices since they seem to originate from within the home network—the “trusted network.”
Utilities and Critical Infrastructure
Advanced persistent threat (APT) groups, such as Black Energy and its presumed successor GreyEnergy have been targeting the energy sector for several years, often leveraging a vulnerability in an IoT device to gain access into the network.
Earlier this month, a critical water utility in North Carolina was hit with a ransomware attack, leaving the victim with the onerous task of having to rebuild several databases. Whether it’s through a phishing attack or a vulnerable IoT device, attackers look for and find the easiest point of entry. With more connected devices being used across critical infrastructures, the industry is fast becoming a prime target.
A report released earlier this year by Indegy found that nearly 60 percent of executives at critical infrastructure operators reported a lack of appropriate controls when it comes protect their environments from security threats. Businesses that use IoT devices have a lot to worry about, Elias said. With each device that is added, the attack surface expands, opening more and more potential entry points, whether through an employee’s email address, a web service or a connected fingerprint scanner.
Earlier this month, NIST warned that the vulnerabilities in healthcare IoT create enormous risks. As a result, NIST drafted a framework, “Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks.”
Because IoT devices, “interact with the physical world in ways conventional IT devices usually do not,” NIST said, “the potential impact of some IoT devices making changes to physical systems and thus affecting the physical world needs to be explicitly recognized and addressed from cybersecurity and privacy perspectives. Also, operational requirements for performance, reliability, resilience and safety may be at odds with common cybersecurity and privacy practices for conventional IT devices.”
Many organizations within the healthcare sector, including healthcare providers, have adopted IoT devices. In some cases, providers have moved to in-home devices to reduce the cost of operations and increase the quality of service. But, Elias said, even though they are for medical purposes, unsecured IoT devices that connect to the home network can be compromised and used as a beachhead to access the network of the healthcare organization.
Mitigating the Risks of IoT Devices
The lack of regulation and enforcement of security controls in IoT continues to be a factor in why the devices are vulnerable. Security controls that were designed for IT often don’t translate over to IoT devices, which are largely unable to support a client-based security software model. To mitigate risks of IoT devices, Elias said, “Both consumers and organizations should purchase connectivity from ISPs and mobile operators who also offer IoT security services and issue network-based IoT security technologies for on-premises deployments.
“While regulators and industry associations are making steps in this direction, such as the creation of the CTIA Cybersecurity Certification Program for Cellular-Connected IoT Devices, broader adoption and enforcement will still take time. In the meantime, we still have 10 billion devices out there to deal with,” he added.