
Simply put, the IoT is the concept of connecting any device with an on and off switch to the Internet, and/or to each other.  This includes everything from cellphones, coffee makers, washing machines, headphones, lamps, wearable devices and almost anything else you can think of.  This also applies to components of machines, for example a jet engine of an airplane or the drill of an oil rig.  If it has an on and off switch then chances are it can be made a part of the IoT.  Because this subject is so wide-ranging this Security Tidbits is chock full of

The Rosy Picture
IoT devices can sense and transmit information online, offering consumers greater information and influence over their environment. Previously unconnected objects can now be accessed digitally and controlled from anywhere on a variety of devices, including mobile, desktop and tablets.  Businesses are seeing the benefits of IoT not only in manufacturing but also in office environments.  Cisco’s Digital Ceiling initiative was created for connecting and managing IoT devices such as building lights, door locks, HVAC (heating and cooling) and environmental sensors.  Management of IoT devices is already leading to cost savings in energy.  Here are some numbers:

  • 60% of UK businesses are increasing their investments in IoT projects, by an average of 42%
  • 68% of business leaders are expecting to reap actual benefits from their IoT investments in 2016
  • IoT connected devices in 2015 number 25 billion
  • IoT will consist of 50 billion devices by 2020
  • Endpoint spending will be dominated by connected cars, as well as other complex machines and vehicles, such as heavy trucks, commercial aircraft, farming and construction equipment
  • According to a new report from Tractica, by 2021 a cumulative total of 171.9 million wearables will be shipped for use in enterprise and industrial environments

The Money
Security spending for all PCs and mobile devices:

  • A new report forecasts $655 billion will be spent on securing PCs, IoT and mobile devices between now and 2020.
  • $386 billion will be spent on securing just PCs between now and 2020
  • $113 billion will be spent on securing all mobile devices between now and 2020

Security just for IoT:

  • Worldwide spending on IoT security will reach $348 million in 2016, a 23.7 percent increase from 2015 spending of $281.5 million
  • Spending on just IoT security is expected to reach $547 million in 2018
  • $172 billion will be spent on securing IoT devices between now and 2020

The Problems
The downside of IoT is that devices are being added to networks by companies that have little to no network security experience and little to no software security.  The result is that large numbers of IoT devices have security vulnerabilities, making them risky to put on company networks.  The 2014 security report by HP showed that 70% of IoT devices contain vulnerabilities.  In addition, because many IoT devices are oriented towards consumers, they are being purchased and added to company networks without the knowledge of the company IT department.  This “Shadow IT” is untracked by almost all firms.  Only 8% of organizations can track Shadow IT.

The biggest IoT risks to consider are as follows:

  1. Disruption and denial-of-service attacks
  2. Understanding the complexity of vulnerabilities
  3. IoT vulnerability management
  4. Identifying, implementing security controls
  5. Fulfilling the need for security analytics capabilities
  6. Modular hardware and software components
  7. Rapid demand in bandwidth requirement

On top of the vulnerabilities of IoT devices, there is a shortage of security professionals.  The Cisco 2014 Annual Security Report estimated a shortage of 1 million information security professionals worldwide.  According to a Symantec 2014 report, cybersecurity is projected to rise to 6 million jobs by 2019 with a 1.5 million person shortfall in the US alone.  This is already worrying existing security professionals.  In a quick survey done at the 2015 Black Hat Security Conference, security professionals were asked about their biggest concerns:

Question: “Which do you believe will be of the greatest concern two years from now?”
Answer: “Digital attacks on non-computer devices and systems – the Internet of Things”

Question: “Does your organization have enough security staff to defend itself against current threats?”
Answers:

  • 51% – “No, we could use a little help”
  • 17% – “No, we are completely underwater”
  • 5% – “What staff?”

Additional info:

  • Gartner predicts that by 2020, more than 25 percent of identified attacks in enterprises will involve IoT, although IoT will account for less than 10 percent of IT security budgets.
  • “It is clear that IoT systems and software are not being developed with a hostile operating environment in mind. In Veracode and IDC’s 2016 research into the security of connected cars, the manufacturers that were interviewed told IDC that it will be one to three years before connected car systems are implemented with full consideration of security concerns,” John Smith, Principal Solution Architect at Veracode.
  • Cybercrime propels security spending. Juniper Research recently predicted that the rapid digitization of consumers’ lives and enterprise records will increase the cost of data breaches to $2.1 trillion globally by 2019, increasing to almost four times the estimated cost of breaches in 2015.

The Cure – What This Means to End Users
All of this means that security providers will have their hands full responding to the security needs of existing clients as well as future clients.  Educating clients about the risks of IoT devices is the first big step in helping them to secure their networks.  Beyond that basic step, here are additional steps that we can follow:

  • Connect Only What You Need – If it does not need to be connected to a network and does not bring business value then don’t connect it.
  • Separate Wi-Fi network for IoT devices – Separate IoT devices from secure company devices and also from guest devices by creating separate wired and wireless networks.  This will require a good firewall and switches.
  • Update When Possible – Update firmware and software as soon as updates become available.  This will mean that you have to know about these devices and then monitor manufacturer websites for news of updates.
  • Use Strong Passwords and Change Factory Default Options – Many vulnerabilities are due to using factory default usernames and passwords, or security options.  Factory defaults are often available on the Internet and could be used by anyone.  Going through all of the options when installing an IoT device can save the client from these easy-to-fix vulnerabilities.
  • Use Any Privacy Options – Set privacy options to be their most restrictive where possible.
  • Consider Replacement and Budget For It At Time of Installation – If the IoT device manufacturer is new to the networking world then consider that they might not update their firmware or software fast enough and that the only cure for some vulnerabilities is to replace the IoT device with one that is more secure.  You can help the client anticipate this possibility when considering IoT devices.  Adding this possible replacement cost into the initial cost evaluation may cause the client to wait until more secure IoT alternatives appear.
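
The steps above depend on knowing which devices are on the network and on keeping IoT devices in their own segment. The following added example (not part of the original article) shows one way to check both by comparing a DHCP lease export against an asset inventory. The subnets, MAC addresses, hostnames and lease format are constructed assumptions.

```python
import ipaddress

# Assumed addressing plan (hypothetical): one subnet per network segment.
SEGMENTS = {
    "corporate": ipaddress.ip_network("10.10.0.0/24"),
    "iot": ipaddress.ip_network("10.20.0.0/24"),
    "guest": ipaddress.ip_network("10.30.0.0/24"),
}

# Constructed asset inventory: MAC -> (name, segment the device belongs on).
INVENTORY = {
    "00:11:22:aa:bb:01": ("finance-laptop", "corporate"),
    "00:11:22:aa:bb:02": ("lobby-thermostat", "iot"),
    "00:11:22:aa:bb:03": ("door-lock-3f", "iot"),
}

# Constructed DHCP lease export, one "MAC IP hostname" record per line.
LEASES = """\
00:11:22:AA:BB:01 10.10.0.15 finance-laptop
00:11:22:aa:bb:02 10.20.0.7 lobby-thermostat
00:11:22:aa:bb:03 10.10.0.88 door-lock-3f
de:ad:be:ef:00:42 10.10.0.91 smart-coffee
"""

def segment_of(ip):
    """Return the name of the segment that contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None

def audit(leases_text, inventory):
    """Return (kind, mac, detail) findings for untracked or misplaced devices."""
    findings = []
    for line in leases_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed records
        mac, ip, host = parts[0].lower(), parts[1], parts[2]
        seen = segment_of(ip)
        name, expected = inventory.get(mac, (None, None))
        if name is None:  # device nobody registered: candidate Shadow IT
            findings.append(("untracked", mac, f"{host} on {seen}"))
        elif expected != seen:  # known device sitting on the wrong network
            findings.append(("wrong-segment", mac, f"{name}: expected {expected}, seen on {seen}"))
    return findings

if __name__ == "__main__":
    print(*audit(LEASES, INVENTORY), sep="\n")
```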
