Cyberthreats targeting IoT won’t stop but robust, standards-based security offers some protection

In December 2015, hackers attacked Ukraine’s power grid. As is so often the case with cyberattacks, the attackers exploited the human factor through a combination of phishing and social engineering tactics. In addition, operational systems were controlled by PCs that were vulnerable to mainstream malware.

In recent weeks, online assaults against Ukraine’s systems restarted with the Russian invasion. Cybersecurity experts have already warned that these attacks might spread to other countries, but this is only part of the story.

From connected coffee makers, refrigerators and wearable health monitors to smart factory equipment, IoT is all around us. Despite the many technological advancements, IoT is not without risks.

New threats to the fore

According to Kaspersky, the number of attacks targeting IoT devices doubled from the second half of 2020 through the first six months of 2021. Much of this increase stems from the surge in working from home during the COVID-19 pandemic. Considering that 84% of organizations have deployed IoT devices on their corporate networks, and more than 50% don’t maintain the necessary security measures, these figures could easily soar in 2022.

“There are estimates of over 20 billion IoT devices worldwide. Each one is a point of vulnerability for the user. As deployment continues to grow, the problem only gets worse,” says International Society of Automation’s President Steve Mustard.

This is a perennial cry about a long-standing problem. As early as 2009, the Shodan search engine gave anyone a comprehensive view of exposed connected devices with insecure username and password combinations such as admin and 12345678.

The Gordian knot of the affair, as Steve Mustard remarks, is that “IoT has been developed with low cost, simplicity, convenience and ease of integration in mind. These factors are a major attraction to users looking to solve business challenges in a cost-effective and efficient manner. Yet security adds cost, increases complexity, and reduces convenience, and ease of integration.”

Guidance, please

Moreover, when it comes to security standards, IoT is a bit of a free-for-all, even if there are good initiatives and guidance available. The IoT Security Foundation regularly publishes a list of vulnerabilities, best practices, and regulations. The common theme throughout their publications is that “considering security at the design phase can save time and effort later, as well as potential embarrassment and financial loss in the future.”

The European Union Agency for Cybersecurity (ENISA) has developed an interactive, web-based tool to help IoT operators and the IoT and Smart Infrastructure industries conduct risk assessments. The UK Government has proposed the Product Security and Telecommunications Infrastructure (PSTI) bill to strengthen the security of IoT hardware. There is also a code of practice for consumer IoT security.

These standards are a great start, but IoT security won’t improve without customer demand. As the former ISA president said, “If users keep purchasing poorly secured solutions there is little incentive for vendors to invest the time and effort needed to create secure alternatives.” In this regard, IoT vendors should realize that standards-based security solutions are a necessary and valuable product differentiator.

What to do

Even if a company purchases a secure product, it still needs to execute maintenance. Proper IoT security requires constant vigilance and updating. Thus, Mustard recommends users look for vendors who follow common standards and guidance when choosing an IoT solution.

That means knowing if it’s possible to change the default login credentials; if the device communicates using secure protocols; if the vendor has a published vulnerability disclosure policy that ensures prompt notification of security issues; and if the device validates input data and ensures the integrity of operational code.

Once an IoT solution is deployed, cyber hygiene policies must be put in place. These policies cover such essential activities as regularly updating software and firmware; monitoring for unusual activity in user access and communications traffic; maintaining physical and electronic access controls for IoT solutions; and sustaining and assessing an effective cybersecurity incident response plan.
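The two preceding paragraphs describe what to check before buying a device (changeable default credentials, secure protocols, a vendor disclosure policy, input validation and code integrity) and what to keep doing afterwards (updates and monitoring of user access). The following script is an added example, not code from the article or from any of the organizations it names, showing how a defender can turn that checklist into a repeatable audit: it scores a constructed device inventory against the procurement criteria and flags unusual logins in constructed access-log lines. The inventory fields, the log format, the list of cleartext protocols, the 180-day firmware-age limit and the business-hours window are all assumptions chosen for the example.

```python
"""Audit an IoT fleet against a procurement-and-hygiene checklist (added example)."""
from __future__ import annotations

import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from datetime import date, datetime

# Protocols that carry credentials or telemetry in the clear (assumed list).
CLEARTEXT_PROTOCOLS = {"telnet", "http", "ftp", "mqtt", "coap", "snmpv1", "snmpv2c"}
MAX_FIRMWARE_AGE_DAYS = 180  # assumed policy threshold


@dataclass
class IoTDevice:
    """Hypothetical inventory record; field names are this example's own."""
    name: str
    default_credentials_changed: bool
    protocols: list[str]
    firmware_version: str
    latest_firmware: str
    last_firmware_update: date
    vendor_has_disclosure_policy: bool
    validates_input: bool
    verifies_firmware_signature: bool


def audit_device(dev: IoTDevice, today: date) -> list[tuple[str, str]]:
    """Return (severity, finding) pairs for one device; an empty list means it passes."""
    findings = []
    if not dev.default_credentials_changed:
        findings.append(("high", "default credentials still in use"))
    exposed = sorted(p for p in dev.protocols if p.lower() in CLEARTEXT_PROTOCOLS)
    if exposed:
        findings.append(("high", "cleartext protocols exposed: " + ", ".join(exposed)))
    if dev.firmware_version != dev.latest_firmware:
        findings.append(("medium", f"firmware {dev.firmware_version} behind vendor release {dev.latest_firmware}"))
    age = (today - dev.last_firmware_update).days
    if age > MAX_FIRMWARE_AGE_DAYS:
        findings.append(("medium", f"no firmware update in {age} days"))
    if not dev.vendor_has_disclosure_policy:
        findings.append(("low", "vendor has no published vulnerability disclosure policy"))
    if not dev.validates_input:
        findings.append(("medium", "device does not validate input data"))
    if not dev.verifies_firmware_signature:
        findings.append(("high", "integrity of operational code is not verified"))
    return findings


def audit_fleet(devices: list[IoTDevice], today: date) -> dict[str, list[tuple[str, str]]]:
    """Map each device name to its findings so the report can be reviewed per asset."""
    return {d.name: audit_device(d, today) for d in devices}


# Constructed access-log format: one login event per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) device=(?P<device>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def flag_unusual_access(log_lines, trusted_networks, business_hours=(7, 19), failure_threshold=3):
    """Flag successful logins from untrusted networks or outside business hours,
    and runs of failed logins against one device/user pair."""
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    alerts: list[tuple[str, str]] = []
    failures: Counter = Counter()
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            alerts.append(("?", f"unparseable log line: {line.strip()!r}"))
            continue
        key = (m["device"], m["user"])
        if m["result"] == "failure":
            failures[key] += 1
            if failures[key] == failure_threshold:  # alert once per run of failures
                alerts.append((m["device"], f"{failure_threshold} consecutive failed logins for user {m['user']}"))
            continue
        failures[key] = 0  # a success ends the failure run
        ts = datetime.fromisoformat(m["ts"])
        src = ipaddress.ip_address(m["src"])
        reasons = []
        if not any(src in net for net in trusted):
            reasons.append(f"login from untrusted network {src}")
        if not business_hours[0] <= ts.hour < business_hours[1]:
            reasons.append(f"login outside business hours at {ts.time()}")
        if reasons:
            alerts.append((m["device"], "; ".join(reasons)))
    return alerts


# Constructed sample inventory and log lines for a stand-alone run.
SAMPLE_FLEET = [
    IoTDevice("coffee-maker-lobby", False, ["http"], "1.0.2", "1.2.0", date(2020, 6, 1), False, False, False),
    IoTDevice("plc-line-3", True, ["https", "mqtts"], "4.1.0", "4.1.0", date(2022, 1, 15), True, True, True),
]
SAMPLE_LOG = [
    "2022-03-01T02:14:05 device=cam-01 user=admin src=203.0.113.7 result=success",
    "2022-03-01T09:30:12 device=cam-01 user=ops src=10.0.5.12 result=success",
    "2022-03-01T10:05:44 device=plc-line-3 user=ops src=10.0.5.13 result=failure",
    "2022-03-01T10:05:49 device=plc-line-3 user=ops src=10.0.5.13 result=failure",
    "2022-03-01T10:05:55 device=plc-line-3 user=ops src=10.0.5.13 result=failure",
]

if __name__ == "__main__":
    for name, findings in audit_fleet(SAMPLE_FLEET, date(2022, 3, 15)).items():
        print(name, "PASS" if not findings else findings)
    for device, reason in flag_unusual_access(SAMPLE_LOG, ["10.0.0.0/8"]):
        print("ALERT", device, reason)
```

Run as-is, the audit reports the lobby coffee maker with seven findings (three of them high) and the PLC as passing, and the access check raises two alerts: an administrator login at 02:14 from an address outside the trusted 10.0.0.0/8 range, and three consecutive failed logins against the PLC. The inventory fields map one-to-one onto the questions in the procurement list, so the same script can be re-run after every firmware cycle to show which devices have drifted out of policy.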

These actions are crucial in the face of increased cybersecurity incidents. “Users may slow down, or even halt their adoption of IoT to minimize their exposure, waiting until IoT vendors address their product’s inherent vulnerabilities,” stresses Mustard.

“We make decisions based on the data provided by IoT platforms. If data is compromised, our decisions may not be the correct ones, or may even be catastrophic. Elements such as the quality of water, air, or soil, which are crucial for the sustainability of the planet, are at stake. So, we must ensure that data is accurate at its origin and guarantee its integrity throughout the decision-making journey,” says Alicia Asín, Co-founder and CEO of Libelium.

“In this sense, companies will be prepared when their workers are well-trained since they are the ones charged with the design, implementation and compliance of security measures. Thus, an investment at all levels is required. Life-long training and useful tools are essential for adequate cybersecurity,” she concludes.

Pedro Mier

Pedro Mier holds a degree in Telecommunications Engineering from the Polytechnic University of Catalonia, an MBA from ESADE and a PADE from IESE. He is currently President of AMETIC (Association of Electronics, Information Technology and Telecommunications Companies of Spain), Shareholder and Chairman of the Board of Directors of TRYO Aerospace & Electronics, Board Member of the Premo Group and Committee of CTTC, member of Space Angels Network and Member of the Scientific Advisory