How to guard low-hanging fruit: the IoT security nightmare
We live in a highly connected world. With constant access to the internet and a powerful computer in every home and back pocket, humans have never been better able to learn about, understand and communicate with the world around them. Now, with the meteoric adoption of connected devices and smart sensors, our planet is poised to take yet another giant step. From thermometers and cameras to televisions and teddy bears, more and more consumer and commercial devices are being outfitted with chips and sensors to collect and transmit data. As IoT grows, the lines between the physical and digital worlds are becoming ever more blurry.
The mass adoption of IoT is having a profound impact on the enterprise space. From industrial manufacturing to telemedicine, IoT has the potential to dramatically reduce costs and carbon footprints, while simultaneously improving quality of life, access to services, efficiency, automation and visibility across both the modern enterprise and daily life. According to the , the combined value added impact of IoT is expected to add US$4.5trn a year from 2020 onwards.
This progress comes at a price, however. In 2018, Samsung issued an urgent warning that failure to secure every IoT device by the end of 2020 could have dire consequences, noting that “there is a very clear danger that technology is running ahead of the game.” Two years later, a huge number of IoT devices remain unsecured. “More than one in two IoT devices (57%) are vulnerable to medium or high severity attacks,” says , VP and CSO, EMEA at cybersecurity firm . “IoT represents the low-hanging fruit for attackers at the moment.” As we enter 2021, and are on track to live in a world with more than 22 billion connected devices by 2025, the need to secure IoT devices is more urgent than ever to the defence of our networks.
Connected and Unsecured
Palo Alto Networks recently released a report on the threat posed by unsecured IoT devices to the connected enterprise. IoT, the report claims, is the “soft underbelly” of many businesses, and failure to successfully oversee and secure IoT devices can pose a major threat to an enterprise’s network. And the threat doesn’t only come from a company’s own connected devices. “As everything becomes more connected, consumer IoT could easily become a gateway into industrial networks,” explains Day.
One of the major issues, he continues, is that the price (and therefore complexity, quality and security) of IoT devices varies so dramatically “between a few pounds to millions.”
“A £1 sensor can be connected to a billion-pound network. We can't expect the same investment in security controls when the IoT asset value varies so greatly, and these small, inexpensive sensors typically lack any type of security system” -
If networks are to be secured against threats that take advantage of IoT endpoints in order to gain access, Day is quick to point out that device-level security isn’t enough. “Many IoT devices simply do not have enough capacity for built-in security, and the severe cybersecurity skill shortage makes it challenging for all IoT device manufacturers to have in-house expertise,” he says. “There also is the issue of the billions of IoT devices already deployed that cannot be retroactively designed for security.” Furthermore, Day explains, additional variables like device configuration, network environments, and the surrounding ecosystem of connected things all play a role in whether an IoT endpoint is vulnerable to attack. “Cyber threats are dynamic and constantly evolving. We need to emphasise not only on the device’s security when it comes off the manufacturing floor, but also on IoT risks and security in real-world deployments. Thus, the network also should be a priority detection and enforcement point for IoT security,” he adds.
The COVID-19 Spike
As we approach the one-year anniversary of the COVID-19 pandemic, the world is a very different place to the one we lived in 12 months ago. Mass lockdowns and social distancing measures have forced billions of people to work, socialise and attend school remotely. In particular, the mass migration to remote workforces has hugely blurred the lines between personal and enterprise devices. At the same time, trends like the growth in ecommerce led to a huge spike in cyber attacks that mirrored the spike in Coronavirus cases.
OpSpec Security’s Consumer Barometer report for 2020 found that 51% of consumers noticed an increase in phishing during the first wave of the pandemic. At the start of 2020, the average monthly infection rate in mobile networks was 0.23%. According to research from Nokia, that figure rose by 30% during the first wave in March and April, and the number of IoT device infections during the first half of the year rose by 100% compared to H1 of 2019, something Day attributes to the increased connection of enterprise networks to IoT devices, “in home environments, where basic security practices, such as changing default device passwords, are still overlooked.”
Visibility Equals Security
According to IoT security firm ForeScout, “Without a cutting-edge IoT security solution—one that begins with agentless visibility—IoT devices are invisible (and potentially unwanted) guests on your network.”
Day agrees. “Visibility really is key to both realising the business opportunities and understanding the risks of IoT,” he says. He explains that this lack of visibility is largely due to most IoT devices using proprietary methods, which are typically encrypted. He asks:
“If you can’t tell what a thing is or what normal behaviour of that thing looks like, how can you define what it should be able to access and why?” -
As the cybersecurity community starts to come to grips with this mammoth challenge, proper segmentation is increasingly being recognised as one of the most effective methods to secure a network from threats that take advantage of unsecured IoT. Segmenting IoT devices onto a separate network can isolate potential threats from the rest of the enterprise, or at least from its most critical assets. In order to achieve that segmentation, however, security teams need visibility. Day concludes, “Once you have visibility, it then comes down to segmenting critical digital business assets and aligning IoT things only to the business processes required. In other words, micro-segmentation.”