The Internet of Things (IoT) is everywhere. But its security isn’t, which is a problem—a growing problem.
It was four years ago when Bruce Schneier, self-described public interest technologist, author, and Chief of Security Architecture at Inrupt, declared in his book Click Here to Kill Everybody that “everything is a computer.”
Not literally true, of course—estimates are all over the map—but according to Statista, there are about 13.1 billion IoT devices in use this year. That number is projected to jump to 29 billion by 2030. Still, even then, everything won’t be a computer.
The point is that just about everything could be a computer. Indeed, the IoT is now so vast that it’s divided into segments: the Internet of Industrial Things, the Internet of Consumer Things, the Internet of Enterprise Things, the Internet of Medical Things. And on and on. That also means more software for all those different purposes, all of which makes the IoT the largest and potentially most dangerous attack surface in the world.
It’s also a unique attack surface. Yes, like everything in the digital world, IoT devices are powered by software and connect to the Internet. But unlike desktops, laptops, tablets, servers, smartphones, and the like, most IoT weren’t meant to be computers at the start. Not only “smart” home devices but also things like the sensors in industrial control systems that operate our critical infrastructure.
As Security Boulevard noted in February, many organizations are converging IT and OT with IoT sensors and actuators that “increasingly create ‘smart’ operational systems.”
The goal is to have those IoT devices collect data that will yield “insights that improve efficiency, increase automation, or reduce costs.”
Those are worthy and attractive goals. But as the magazine noted, “if IT and OT aren’t converged with security as the top priority, cyberattacks can proliferate from IT systems through IoT devices and into the OT environment.” That means the IoT can be exploited to cause physical damage—the click-here-to-kill-everybody syndrome.
Yet far too often, cybersecurity for those things isn’t even an afterthought. It’s no thought at all. And Boris Cipot, Senior Security Engineer at Synopsys, said the lack of maturity of IoT devices leads to users “underestimating the threats” posed by that lack of security. For example, an average user might think a hacker couldn’t do much harm by breaking into a smart light switch, but Cipot warns that the light switch is just the entry point.
“You’d be surprised,” he said. “From mining for cryptocurrency or pivoting from the device to others on the same network, executing DDoS attacks and distributing malware, connected devices pose a great deal of risk if they’re not managed responsibly.”
So, the obvious goal for organizations should be to manage their IoT devices responsibly. Fortunately, there are ways to do that:
Keep IoT devices on their own network. That way, if one or more of them are breached, it won’t affect the operational network directly.
Catalog and track all IoT devices in use. As the saying goes about software components, you can’t protect what you don’t know you have. A smart switch could reveal unusual network communications that could turn out to be nefarious. If you’re not tracking it, you won’t know.
Monitor your supporting software. Create and maintain a Software Bill of Materials (SBOM) so that if a vulnerability is identified and if a patch or update is available, you’ll know to act on it immediately.
Limit the use of untrusted equipment. Choose brands that take security seriously. This makes it easier to create a governance model for a device’s use. Personal devices that employees bring from home, such as smart watches, should be deemed untrusted and allowed only to connect to a separate network.
Educate your employees. Even non-techie employees need to know what IoT devices are, that they need to take care of them with updates or patches and that they cannot use them fully in the company ecosystem. Technical staff operating the IoT corporate devices need to know about appropriate maintenance and how to spot suspicious activities. Network staff should have tooling to monitor those devices and limit their access to the network.
Limit Internet connectivity of devices. Try to apply needed updates manually or define a limited window for the device to access the Internet and apply the updates.
Maintain supply chain governance and data privacy compliance. Also, check whether the supplier and manufacturer match your policies, whether the software is trustworthy, and if the data complies with your own policies and other regulations such as GDPR.
While there is increasing government interest in IoT security, Cipot said so far, there isn’t enough to require IoT manufacturers to “build security in” to their products. “So, consider the risk landscape, build a threat model to examine potential weaknesses, and account for them with a well-thought-out governance strategy,” he said.