While security experts constantly warn about the risk of cyber-attacks, you don’t hear them mention the risks associated with the Internet of Things (IoT). It should be a more common topic, since there are already plenty of examples of successful IoT security breaches (e.g., Stuxnet, the Mirai botnet, connected cardiac devices).
IoT in all its flavors (e.g., physical security systems, lights, appliances, heating and air conditioning systems, as well as artificial intelligence-based automated agents such as chatbots) exposes companies and consumers alike to a wide range of security threats.
In fact, according to a survey conducted by Altman Vilandrie & Company, nearly half of US-based firms using IoT have been hit by a recent security breach. So, how can we shield against these emerging trends?
The number of IoT devices is growing at a rapid pace, from 2 billion in 2006 to an estimated 200 billion by 2020 (see Intel report). IoT must be considered part of a broader attack surface that requires protective measures. While consumer IoT devices like Amazon Alexa, Google Home, Nest Labs home automation systems and smart wearables get all the headlines, the largest proportion of IoT devices aren’t used in homes, but in manufacturing plants, retail businesses and the healthcare industry.
If an employee’s smartwatch can be compromised to steal corporate Wi-Fi passwords, the device suddenly falls into the scope of an organization’s attack surface. To complicate matters, the development of IoT products preceded the creation of a common security framework or standard. In the case of many IoT products, security is an afterthought.
In the past, proprietary technology and competing interests made a truly open and secure network difficult to develop. New initiatives like the Trusted IoT Alliance offer a glimpse of promise, but its inherent focus on promoting an open source blockchain protocol might also be its inhibitor to success. The most practical approach for addressing the lack of security is the use of trusted networks and operating systems.
The Cyber Shield Act of 2017 has been endorsed by the Institute for Critical Infrastructure Technology and is a good first step towards creating a standardized approach to cyber security for IoT. The bill is designed to establish a voluntary program to identify, verify and label compliant IoT devices with strong cyber security standards. More specifically, the proposed legislation would require IoT vendors to follow “security-by-design” best practices and receive a certification that would rate their product, allowing buyers to assess the associated risks and drive their technology decision process.
The Cyber Shield Act as it stands now falls short, since it is a voluntary program that does not incentivize vendors to implement the NIST security standards. It will likely require further refinements before it can garner the needed support of the Senate, House and President.
Since those initiatives are likely years from fruition, organizations concerned with IoT threats should apply the following minimum safeguards:
- Deploy IoT devices based on standards-friendly hub-and-spoke networking protocols, which are less vulnerable to attacks.
- Apply mature identity and access management measures to secure not just applications, workstations and services, but also IoT devices.
- Expand the penetration testing scope to include IoT devices.
Ultimately, organizations must leverage emerging technologies that increase business efficiency while expanding their view of the attack surface to include IoT. This includes shifting from a perimeter-based to an identity-centric approach to security that assures only verified users and devices can gain access to sensitive resources.
Phillip Long - CISSP, CEO of BIS Technology Group, along with his team of marketing and information technology experts, will walk you through an overview of what your business should be doing to protect your data and plan your digital marketing strategies.
About BIS Technology Group
BIS Technology Group is the technology leader on the Gulf Coast and is comprised of four divisions: Information Technology, Web Design & Digital Marketing, Office Equipment and Business Consulting. Together these divisions help local businesses exceed expectations and allow them to grow to their full potential while minimizing risks. To learn more about BIS Technology Group, visit bistechnologygroup.com.