Even if your organization doesn’t use connected industrial controllers or manage its fleet through smart technology, your staff is using an increasing number of devices that can put your business in danger.
It would be hard to name a business today that isn’t touched by the Internet of Things (IoT). Even if your organization isn’t involved in transportation or manufacturing or utilities, you almost certainly have customers and employees who access your network with mobile devices. Every business needs to consider smart devices as part of its risk management strategy. According to the Wall Street Journal, a new report from the Industrial Systems Audit and Control Association (ISACA) shows that 73 percent of IT professionals already consider it likely that their company will be hacked through a connected device.
The IoT is expected to grow to 25 billion connected devices in the next five years, according to Computer Science Zone. That’s right, 25 billion, as opposed to the mere 5 billion connected devices in use today. So-called “smart” devices are transforming healthcare, transportation, our homes, our energy infrastructure and more.
However, the capability of these devices and our ingenuity in harnessing them are growing faster than our ability to secure them from information theft. Each new device adds to the potential attack surface for cyber attackers, and we’re already challenged in protecting the information systems that we have, as evidenced by the number of successful cyber attacks in the headlines almost every week.
Tech industry leaders, government agencies and security experts recognize the dangers ahead and are beginning concerted efforts to solve the security and privacy challenges, but with 5 billion smart devices already in use and more being deployed daily, the security gap won’t be narrowing any time soon. Businesses need to incorporate the IoT into their own privacy and security planning now. Even if your organization doesn’t use connected industrial controllers or manage its fleet through smart technology, your staff is using an increasing number of devices that can put your business in danger. In this article, I’ll take a quick tour of the world of smart devices and the sometimes unexpected security issues they create.
The IoT: its promise and peril
A quick search of microfunding site Kickstarter yields 1,500 smart device projects in development, including a smart snoring solution, a smart beer mug (it lights up when your favorite team scores), a smart indoor garden and a universal remote for all your smart devices. While you may be asking yourself, “What will they think of next?” (and, in some cases, “Why would I care?”), smart devices fall into four broad categories.
Personal things: According to the Pew Research Center, two-thirds of Americans (around 215 million) now own a smart phone, and almost 20 percent of Americans use their smart phones to access online services and information. But Computer Science Zone predicts that 2015 will be an inflection point for growth in all kinds of personal smart devices: tablets, “phablets” (phone/tablet hybrids), wellness devices such as the FitBit, smart watches and smart keychains are all becoming increasingly popular. Among its list of “smart devices you didn’t know you needed,” Inc. magazine features a smart garbage can that tells you when to take out the trash, a smart jump rope that tracks your workout, and a smart cooking pan that tracks the weight of ingredients, temperature and humidity to give cooking advice. Some of these are just fun gimmicks, sure to show up on some late-night “as seen on TV” infomercial, but a number of personal devices present serious security and privacy risks when used to access or transmit sensitive information.
Moving things: The advent of self-driving cars has been raising a lot of safety questions in recent months. According to ArsTechnica, a University of Michigan study found that self-driven cars do have slightly more accidents than human-driven ones, but that may be because human drivers are good at hitting them. However, cars and other vehicles now play host to a number of smart devices that can pose risks to information safety. Boats, trains and automobiles all now use digital control systems, and in May 2015, CNN reported that a cybersecurity consultant claimed to have hacked a plane’s on-board controls via an in-flight entertainment system. In addition to vehicle control systems, GPS devices, communication systems, diagnostic systems and other on-board devices can be hacked to endanger vehicles or the privacy of the passengers.
Industrial things: Smart devices are used to help keep our industrial society running at peak efficiency, from manufacturing lines to inventory tracking and power plant operation. Some of these devices are new, and others have been in operation for decades. Both have security issues. In fact, ComputerWeekly reported that security firm Kaspersky Labs considers targeted attacks on computer industrial control systems (ICS) to be the biggest threat to critical national infrastructure. Cyber-attacks on some of these devices could cause havoc to a business, a massive attack could damage our economy, and an attack on a dam or nuclear plant could result in hundreds of thousands of deaths.
Monitoring things: Anyone who watches television crime dramas knows that we are surrounded today by a maze of cameras and other sensors (although it’s unlikely that every police department really employs an attractive cyber geek who can instantly tap into any camera or computer on the planet). That said, connected devices are being used to monitor everything from available parking spaces or noise levels in a city to optimal operation of a refrigeration unit, water pressure, energy consumption, ocean temperatures and soil moisture levels. All of these can help to make our lives more convenient and sustainable, but they can also pose big privacy concerns and lead to big security headaches. You’ll remember, for example, that security reporter Brian Krebs revealed in 2014 that the personal financial information of up to 110 million Target customers was compromised when hackers broke into Target’s networks using credentials of an HVAC subcontractor that provides temperature and energy consumption monitoring services.
Little devices can pose big risks
Many smart devices, in themselves, pose low privacy and security risks. Disaster could certainly strike if a hacker took control of an airplane or a car or a nuclear power plant, but why would a cyberattacker care about an open parking space or the temperature of a grocery chain’s refrigeration units? In most cases, the issue is not so much the devices themselves as the information that they transmit—a thief might be very happy to learn from your GPS unit that you are far from home—or the fact that the devices often have little or no security and connect to large networks full of sensitive and valuable information.
The Internet of Things is hard to secure for many reasons. Some of the devices, such as industrial controllers, have been in use for decades and run on outdated software with known security holes. For many of the device manufacturers, security is an afterthought, if it is thought of at all. Alex Drozhzhin, writing on the Kaspersky Labs blog, observed that developers of connected devices “face realities of a brand new world they know nothing about,” and many don’t even recognize the need for security. “For an average user, a connected microwave is still just a microwave. A user would never imagine it is a fully equipped, connected computer which has means of influencing the physical world.”
Even if manufacturers do build in security, as IoT expert John Dixon pointed out recently in TechCrunch, “Hackers can easily purchase any IoT device, which will often contain the same security features of other, identical devices already deployed in hundreds or even thousands of homes. Unlike servers or networking equipment, which are usually hacked through remote access points and reside in protected and monitored environments, IoT devices are more accessible to malicious threat actors.” As with any other operating system, security flaws in IoT device software are being discovered and exploited faster than they can be patched. The sheer number of devices means that IT departments can’t keep track of or manage patches on the ones in use for business, and they have to rely on users to install timely patches on the personal devices they use to access business networks.
The Internet of Things is transforming lives and offering businesses new efficiencies and new opportunities, but every advance in information technology has brought new privacy and security risks, and the IoT is no exception. As the Wall Street Journal article says, “The business risk of not embracing the Internet of Things—and falling behind competitors—is not an option.” Smart devices are just one more area for privacy and information security professionals to be aware of and to include in security programs and incident response plans.