When it comes to the Internet of Things (IoT), what you don’t know can hurt you.
Organizations of all sizes are rapidly escalating their use of IoT devices for a wide range of business benefits: to reduce costs, improve operations, leverage big data analytics, accelerate digital transformation or, in most cases, to achieve all of the above.
Research tells us that last year alone there were 7.6 billion IoT devices; this number is expected to grow to 41.6 billion by 2025. As an executive, you can’t afford to ignore IoT. You should embrace it as a powerful force for innovation and disruption. But you must also keep your eyes wide open to the risks. IoT can be a potential nightmare if you don’t take the proper steps to build the right cybersecurity foundation and framework.
We have seen how dangerous the unmitigated expansion of IoT can be without proper cybersecurity safeguards. Palo Alto Networks’ Unit 42 threat intelligence team analyzed security issues on 1.2 million IoT devices across enterprise IT and healthcare organizations in the United States throughout 2018 and 2019. Unit 42’s 2020 IoT threat report shows that an alarming number of IoT devices are exposed and exploitable. Moreover, 98% of all IoT device traffic is unencrypted, while 57% of IoT devices are vulnerable to medium- or high-severity attacks.
So, it’s important to understand what steps your CISOs and security teams must take to ensure you can expand IoT use while mitigating cybersecurity risk.
Complicating this challenge is that in many organizations, business units are using IoT devices outside the aegis of either the CIO or the CISO. Any business unit can buy IoT devices whether the CISO or CIO knows about it or not, and this cannot be stopped. If CISOs develop a holistic IoT security strategy, they can help lead business units in buying IoT devices, and thus gain visibility into those devices and start securing them from the outset.
Avoid the Land Mines
The first step to IoT security sounds simple but is hardly so. You need to know what types of devices you have and where each of them is located. I liken it to the situation with land mines. There are more than 110 million land mines in the ground right now, according to estimates. In Egypt alone, there are 23 million land mines left over from World War II, and they can’t be removed because nobody knows where they are.
We don’t want IoT devices to be the land mines of the future, so we must leverage technologies that can identify and account for them, wherever they are located, whenever we need access. IoT security is about more than identifying and finding these billions of devices. It’s also about managing them throughout their life cycles. For example:
- How can we make sure we can update devices with current security patches, operating systems and other protections as technologies evolve—and as cybercriminals discover new methods of breaking through existing security barriers?
- How can we change passwords on devices in which the passwords may be coded into the hardware?
- How can we track device usage in real time to monitor security risks and ensure that our organization is staying compliant with changing regulatory requirements around the world?
- How can we make sure we can turn off and retire devices when they have been replaced or exceeded their period of usefulness?
These are not idle questions but real issues that security teams have to address now. As the world goes from 14 billion to 20 billion to 25 billion to more than a trillion devices, it will become that much more complicated to identify, manage and protect IoT devices throughout their life cycles.
Fortunately, help to mitigate IoT cybersecurity risk is available. The National Institute of Standards and Technology is in the process of drafting guidelines for IoT device manufacturers to make their products safer and more secure, and has already issued a set of voluntary recommended cybersecurity features to include in network-capable devices. New technology platforms can help to identify IoT devices and manage them throughout their lifecycles.
What’s more, the Open Web Application Security Project (OWASP) has taken a leadership role in helping cybersecurity leaders identify the most common vulnerabilities of IoT devices. Its list gives cybersecurity professionals a guide to follow, and also gives business leaders a firm basis for posing the right questions to their cybersecurity teams.
The most recent OWASP “Top 10” list of IoT vulnerabilities is:
- Weak, guessable, or hardcoded passwords
- Insecure network services
- Insecure ecosystem interfaces
- Lack of secure update mechanisms
- Use of insecure or outdated components
- Insufficient privacy protection
- Insecure data transfer and storage
- Lack of device management
- Insecure default settings
- Lack of physical hardening
No industry is immune to IoT challenges, whether you’re in retail, finance, technology or any other sector. Where does your organization stack up? If you don’t know, it’s time to start asking your cybersecurity leaders. If they don’t know, it’s time for you to insist that they get smart about IoT security, and to support them in securing IoT devices. The future waits for no one.
Sean Duca is Vice President, Chief Security Officer, Asia Pacific and Japan, for Palo Alto Networks.