Cybersecurity for IoT devices: Myth or Truth - Part 2


Posted on by Bohdan Savchuk

Notable IoT Attacks 

The increasing number and severity of attacks on IoT devices have brought several notable incidents to light.

Here are some examples: 

1. Mirai botnet (Dyn attack): In 2016, the Mirai botnet launched a massive DDoS attack, causing widespread internet outages. The botnet targeted a DNS service provider, Dyn, using compromised IoT devices. This attack highlighted the importance of strong passwords and regular firmware updates to prevent device vulnerabilities. 

2. Stuxnet: In 2010, attackers targeted Iran's nuclear program by disabling centrifuges used to produce nuclear material. 

3. Brickerbot: In 2017, this attack went beyond network disruptions and actually rendered infected devices unusable, or "bricked" them. 

4. Abbot/St. Jude Hackable Pediatric Pacemakers: In 2017, researchers demonstrated the ability to manipulate the firmware of pacemakers, potentially draining the battery or changing critical settings. This highlighted the need for robust security measures in medical IoT devices. 

5. The Owlet Wi-Fi Baby Heart Monitor: This device, though seemingly harmless, lacked security measures, making it vulnerable to hacking. Attackers could exploit this vulnerability to target other devices on the same network. 

6. The TRENDnet Webcam Hack: TRENDnet's SecurView cameras were marketed as secure, but they were found to be easily accessible, allowing unauthorized individuals to view and capture audio from the cameras. 

7. The Jeep Hack: In 2015, researchers demonstrated the ability to remotely control a Jeep SUV by exploiting a vulnerability in its firmware update mechanism. This highlighted the need for robust security measures in connected vehicles.

These incidents serve as a reminder of the potential risks associated with IoT devices and the importance of implementing strong security measures to protect against cyberattacks.

How Can IoT Cybersecurity be Improved?

In formulating a cybersecurity strategy for IoT, it is essential to consider the incorporation of blockchain technology as a fundamental approach. This is because blockchain provides a decentralized storage space where information is stored in a digital format and can be accessed in a transparent manner. Blockchain has multiple entry points instead of a single point of contact. Each node in the network, which can be any electronic device maintaining a copy of the blockchain, acts as a safeguard against attacks. If one or more nodes are compromised, it does not affect the integrity of the other nodes. 

To enhance IoT cybersecurity, there are four key steps that can be taken:

1. Prioritize cybersecurity from the start: When evaluating, selecting, and installing IoT devices, cybersecurity should be a top priority from the beginning. Device security should not be an afterthought and should be integrated into the design and implementation process. 

2. Regular software and firmware updates: Invest in IoT devices that can run cybersecurity software and accept regular updates. Patches and updates help mitigate cyberrisks by addressing vulnerabilities and strengthening device security.

3. Proactive security measures: Take a proactive approach to IoT device security. Free and unsupported software solutions are not recommended. It is crucial to secure IoT devices and networks in advance to prevent potential attacks, as the cost of recovering from a cyberattack far outweighs the investment in proactive security measures. 

4. Seek professional assistance: Cybersecurity is a constantly evolving field, and hackers are always finding new ways to exploit vulnerabilities. It is important to seek professional assistance from cybersecurity experts who have the knowledge and expertise to stay ahead of emerging threats. 

Implementing smart cybersecurity practices may be challenging, but it requires a continuous commitment to be fully effective.

The Future of IoT Cybersecurity

There are various strategies that IT professionals can employ to enhance the security of IoT devices. 

Here are a few alternative ways to improve security posture:

1. Strengthen device monitoring: Implementing intrusion detection systems (IDS) and security information and event management (SIEM) systems can enhance device monitoring. Sharing information about cybersecurity threats and utilizing cybersecurity threat intelligence (CTI) can help profile attackers and strategically position security controls for IoT and ICS devices. 

2. Incorporate robust security features: Enhancing security features such as encryption of stored and transmitted data can provide an additional layer of protection. Implementing advanced authentication schemes can help control device connections. Educating employees on partitioning and segmenting IoT traffic enables better control and management, leading to improved response to security breaches. 

3. Adhere to IoT and ICS standards: Following established standards is crucial for ensuring the security of IoT devices. The National Institute of Standards and Technology (NIST) has published cybersecurity standards, including recommendations for IoT device manufacturers. Their Cybersecurity for IoT Program provides valuable guidance for implementing effective security measures. 

Cybersecurity professionals need to prioritize the security of IoT and ICS/OT devices to ensure they continue to enhance our lives and businesses, rather than becoming a source of problems. By implementing these strategies, organizations can mitigate risks and protect their networks and data from potential threats.


Contributors
Bohdan Savchuk

CTO, Co-Founder, Anbosoft

Mobile & IoT Security

Internet of Things hackers & threats incident response mobile security blockchain & distributed ledger security awareness security education standards & frameworks

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.


Share With Your Community

Related Blogs