Why manufacturers must pause in their race to join the IoT gold rush and think about security standardisation.
By Ian Kilpatrick, EVP Cyber Security for Nuvias Group.
(This article first appeared on Information Age http://www.information-age.com/internet-things-security-crisis-123470475/)
While the infinite possibilities and potential applications surrounding the Internet of Things (IoT) have been well-hyped over the past few years, the technology is at a tipping point in terms of adoption as we head into 2018.
IoT, the ability of everyday devices to connect and transfer data to each other, is already carving out a place in the consumer market, with devices like smart home locks, thermostats, lighting and energy monitors.
The latest research also claims that 29 percent of organisations have already implemented IoT solutions, and this is expected to surge to 48 percent in 2018, as businesses are increasingly sold on the cost-savings and the productivity-enhancing benefits of IoT.
But with the IoT bandwagon rushing full steam ahead, few vendors or customers are pausing to consider the enormous security risks associated with the devices. The influx of additional entry points into an organisation’s network, plus a current lack of security standards for IoT devices, means there is a gaping hole in the perimeter of any home or business that has installed IoT devices.
Consider the operating systems for such appliances. How do you upgrade the OS in a wall-mounted air conditioning unit that’s connected wirelessly? Or a smart light bulb? If you can’t upgrade an operating system, how can you attempt to patch any vulnerabilities?
Then, when you are hacked (and it is when, not if), where does that leave you? You now have a ‘dirty’ corner of your network and all it takes is for another hacker to connect to that ‘dirty’ corner to repeat the process. It’s a case of vulnerability after vulnerability.
By 2020, it is estimated that 25 percent of cyber-attacks will target IoT devices.
Worryingly, however, a recent survey by price comparison website Money Supermarket indicates UK consumers are aware of the perils associated with IoT devices – but the apparent convenience, security and cost-saving benefits appear to outweigh the risks in their minds.
The research shows more than three-quarters of UK consumers are fearful of connected home technology, citing concerns about hacking and unapproved data collection. But the same survey forecasts that there will still be 25-30 billion devices worldwide by the early 2020s.
Another study reveals that 54 percent of IoT device owners do not use a third-party security tool to protect their devices from outside threats – and more than a third (35 percent) don’t change the default password on their devices, leaving them vulnerable to attacks. An astonishing and worrying failure!
Even 2016’s high-profile Mirai attacks don’t seem to have caused either manufacturers or consumers to stop and consider the security implications. Mirai took over poorly secured IoT devices by logging in with factory-default credentials and used them to mount wide-scale distributed denial of service (DDoS) attacks. A variant’s attempts to infect home routers knocked more than 900,000 Deutsche Telekom customers in Germany offline, and almost 2,400 TalkTalk routers in the UK were infected.
The current IoT landscape can be compared to the early days of the internet, when viruses, worms and email spam plagued users. Many companies raced to join the internet ‘gold rush’ without necessarily considering the importance of internet security. It’s not overly dramatic to say the same is true now. The priority for IoT device manufacturers is time to market and potential revenue. But in 2018 and beyond, we’re talking about devices that could potentially cripple organisations and cities, and even pose a threat to human life, if they fall into the wrong hands.
It’s not difficult to imagine five years into the future, where organisations will be forced to change the make-up of their network security, with very steep rises in their security costs. Firms may need to double or treble their IT security budget, just to protect against the threat from wireless light bulbs and thermostats.
While these are clichéd examples, organisations will also use IoT for essential applications such as managing heating across locations and processing financial transactions. IoT will also be used in manufacturing, where devices operating in a machine-to-machine (M2M) environment without underlying security have the potential to cause security breaches.
So, what can be done to address these obvious security flaws before too much damage is done?
First and foremost, technology vendors should band together to make the case for security standards that can be implemented around business-deployed IoT devices. Standards could include certification, so the user knows a device is trusted. If a device is deemed insecure, it can be recognised as such, its certificate withdrawn and the appliance isolated.
Currently, the only option for untrusted devices that can’t be securely upgraded or defended in situ by additional security controls is to find them and tear them out. And, as they become increasingly embedded in an organisation’s network and systems, the cost of ripping these devices out could be up to 100 times the original cost of the device.
IoT manufacturers need a call to action, to consider the consequences of their actions today.
In 2017, the United States proposed a new bill that would introduce standards for IoT devices purchased by the US government. The Internet of Things (IoT) Cybersecurity Improvement Act of 2017 would require IoT vendors to ensure the devices can be patched when security updates are available; that the devices do not use hard-coded (unchangeable) passwords; and that devices are free from known vulnerabilities when sold.
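The unchanged-default-password figure above and the bill’s “no hard-coded passwords” requirement both come down to the same practical question: does the firmware ship with credentials baked in? The following is an added example, not code from the article, from Nuvias or from any vendor or regulator, of the kind of acceptance check a buyer or manufacturer could run over an unpacked firmware image. The image here is a constructed byte blob that imitates fragments of an extracted root filesystem (an /etc/shadow entry with a usable hash, a config file with a cleartext default password, an init script that starts telnetd); the hash string and all names and values in it are made up. A real image would first be unpacked with a tool such as binwalk, after which the same scan applies to the extracted bytes.

```python
"""Scan an unpacked firmware image for hard-coded credentials.

Added example, not the article's or any vendor's code. SAMPLE_IMAGE is a
constructed blob imitating fragments of an extracted root filesystem; the
md5crypt-style hash and every user, key and value in it are invented.
"""
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Constructed sample: pieces of a rootfs joined with NUL bytes, as they might
# sit in a squashfs/cramfs dump once unpacked.
SAMPLE_IMAGE = b"\x00".join([
    b"root:$1$abcdefgh$rUsgnMxY7ijT0jcZ5KlpQ1:17000:0:99999:7:::",  # shadow: usable hash
    b"nobody:*:17000:0:99999:7:::",                                   # shadow: locked account
    b"daemon:!:17000:0:99999:7:::",                                   # shadow: locked account
    b"[web]\nadmin_user=admin\nadmin_password=admin\n",             # cleartext default credential
    b"[cloud]\napi_secret=CHANGEME\n",                               # placeholder, not a real secret
    b"#!/bin/sh\n/usr/sbin/telnetd -l /bin/login &\n",               # telnet login left enabled
])

# A shadow(5) row: name, hash field, then six more colon-separated fields.
SHADOW_RE = re.compile(r"^([a-z_][a-z0-9_-]{0,31}):([^:\n]*):")
LOCKED_HASH_FIELDS = {"", "*", "!", "!!", "x"}
# key=value or key: value where the key names a password-like setting.
KV_PASSWORD_RE = re.compile(
    r"^\s*([A-Za-z0-9_.-]*(?:pass(?:word|wd)?|pwd|secret)[A-Za-z0-9_.-]*)"
    r"\s*[=:]\s*[\"']?([^\s\"']+)",
    re.IGNORECASE,
)
PLACEHOLDER_VALUES = {"CHANGEME", "REPLACE_ME", "TODO", "XXXX"}
TELNET_RE = re.compile(r"\btelnetd\b")


@dataclass
class Finding:
    kind: str     # "shadow_hash", "cleartext_credential" or "telnet_service"
    offset: int   # byte offset into the image, for locating the file later
    detail: str


def _printable_runs(image: bytes, min_len: int = 8) -> Iterator[Tuple[int, str]]:
    """Yield (offset, text) for runs of printable ASCII, like the strings(1) tool."""
    for m in re.finditer(rb"[\x20-\x7e\t\n\r]{%d,}" % min_len, image):
        yield m.start(), m.group().decode("ascii")


def scan_firmware(image: bytes) -> List[Finding]:
    """Return every hard-coded credential or telnet service found in the image."""
    findings: List[Finding] = []
    for base, text in _printable_runs(image):
        pos = 0
        for raw_line in text.splitlines(keepends=True):
            offset = base + pos
            pos += len(raw_line)
            line = raw_line.rstrip("\r\n")

            # shadow rows have nine fields, so at least seven more colons after the hash.
            m = SHADOW_RE.match(line)
            if m and line.count(":") >= 7:
                user, hash_field = m.group(1), m.group(2)
                if hash_field not in LOCKED_HASH_FIELDS:
                    findings.append(Finding("shadow_hash", offset,
                                            f"{user} has a usable password hash"))
                continue

            m = KV_PASSWORD_RE.match(line)
            if m and m.group(2).upper() not in PLACEHOLDER_VALUES:
                findings.append(Finding("cleartext_credential", offset,
                                        f"{m.group(1)}={m.group(2)}"))

            if TELNET_RE.search(line):
                findings.append(Finding("telnet_service", offset, line.strip()))
    return findings


def has_hardcoded_credentials(image: bytes) -> bool:
    """True if the image fails the 'no hard-coded passwords' check."""
    return any(f.kind in ("shadow_hash", "cleartext_credential")
               for f in scan_firmware(image))


if __name__ == "__main__":
    for f in scan_firmware(SAMPLE_IMAGE):
        print(f"{f.kind:22} @0x{f.offset:06x}  {f.detail}")
    print("hard-coded credentials:", has_hardcoded_credentials(SAMPLE_IMAGE))
```

A locked shadow entry (`*` or `!` in the hash field) is not a credential and is left alone, and an obvious placeholder such as CHANGEME is skipped so the check does not drown real findings in template noise; the telnetd finding is reported separately because an open telnet login is what turned default passwords into the Mirai botnet. A scan like this only catches credentials stored as text, so it complements, rather than replaces, reading the firmware’s authentication code.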
This is a huge step towards forcing developers to take IoT security seriously in the future. In Europe, the European Union Agency for Network and Information Security (ENISA) has called upon suppliers, developers, industry associations, regulators and academia to come together to exchange viewpoints and ideas on cyber security threats, challenges and solutions.
In a position paper the group declared there is currently “no level zero defined for the security and privacy of connected and smart devices,” no legal guidelines for IoT device and service trust, and no “precautionary requirements in place.”
There is some evidence that the UK Government, through the implementation of its five-year National Cyber Security Programme (NCSP), is looking to work with the IT industry to build security into IoT devices through its ‘Secure by Default’ initiative. Earlier this year, a project team within the Department for Digital, Culture, Media and Sport (DCMS) was established to drive this project, with the aim of tackling the issue at the point of manufacture of the software and hardware.
In 2018, standardisation of IoT devices is a must. It is essential that devices are secure by design, with security built in from the start rather than bolted on as an afterthought. The failure of any business to co-operate now on a joint plan to protect itself is incomprehensible. Those that don’t are sleep-walking into a security crisis.
Ian Kilpatrick, EVP (Executive Vice-President) Cyber Security for Nuvias Group
A leading and influential figure in the IT channel, Ian now heads up the Nuvias Cyber Security Practice. He has overall responsibility for cyber security strategy, as well as being a Nuvias board member. Ian brings many years of channel experience, particularly in security, to Nuvias. He was a founder member of the award-winning Wick Hill Group in the 1970s and, thanks to his enthusiasm, motivational abilities and drive, led the company through its successful growth and development to become a leading, international, value-added distributor focused on security. Wick Hill was acquired by Nuvias in July 2015.
Ian is a thought leader, with a strong vision of the future in IT, focusing on business needs and benefits, rather than just technology. He is a much published author and a regular speaker at IT events.