In the IoT world, everything seems bigger. For sure not the devices themselves- they merely hold some chips which are usually out of sight and out of mind. But the absolute amount of data in these devices in the IOT is a headache for any cybersecurity professional. “ It is reported that the growth of IoT products/ devices will increase 31 times to 1.9 billion units by 2020. Another prediction says that more than 65% of enterprises will adopt IoT products by 2020. With such enhanced IOT landscape, new vulnerabilities in these devices will become increasingly common”, says SCS Consultant.
With the increasing scale of data, increases the risk, how cybersecurity professionals can stay ahead of these risks and challenges.
Q. How has IoT changed the security landscape?
IoT based products or ecosystems are being adopted by various industries like telematics, usage-based Insurance, Retail/ vending, Smart cities, Health care and industrial areas like Smart Grids. It is reported that the growth of IoT products/ devices will increase 31 times to 1.9 billion units by 2020. Another prediction says that more than 65% of enterprises will adopt IoT products by 2020.
With such enhanced IOT landscape, new vulnerabilities in these devices will become increasingly common. These new vulnerabilities when exploited will open up new areas of threats which will completely transform the security landscape.
Some of this is clearly evident from some real life exploits of medical pacemakers/ insulins pumps, remote control of Cars, attack of Mirai Botnet, hacking of smart home devices etc. With these exploits will emerge newer threats, and a newer approach to security would be required to mitigate these threats. It is estimated that $1.9B will be spent on securing the IoT in 2019 and out of that $1.2B will be spend on IoT security professional services.
Q. How can companies prepare themselves to become cyber strong? What would be your major checkpoints for that?
Companies today face competing challenges to align themselves to meet Business Requirements, Legal requirements, Customer Privacy / Security requirements, and all of them being the utmost priority at the same time. Security leaders today would require to be strong headed and take a risk based approach keeping in view business benefits / impact.
Few checkpoints which leaders can drive –
- Drive ‘security by design’ culture in IoT product development life cycle. Incorporate cyber security right at the start.
- Cyber Security leaders should understand the business process and the supply chain of key IoT products and its ecosystem.
- Understanding of regulatory requirements around IoT and its implications, customers’ requirements, and inherent risks within the business landscape related to IoT environment.
- Regular Security Awareness on the IoT products/services to be implemented at Enterprise level for supply chain vendors.
- Apart from focusing on operational security, include strategic business and security risks in the planning cycle.
Most of the time, security leaders are investing time and resources by reacting security challenges rather than proactively solving them before the release of the products and services.
Q. What could be the best practice to overcome IoT security as a challenge?
IoT security faces same challenges as the traditional security in applications and infrastructure. Ideally, the best practice to overcome IoT is to implement ‘Security by design’ at the start of product lifecycle and not something as an afterthought. Additionally, re-assessing the IoT products and services for security vulnerabilities at periodic intervals or at least every version/firmware upgrade time can help mitigate risks on an ongoing basis.
Security by design would help mitigate some of the challenges in IOT landscape such as default credentials, insufficient authentication, insecure protocols and interfaces, insufficient encryption, lack of secure tamperproof storage for encryption keys and physical tamper-proofing. Secure Coding practices along with regular security assessments and penetration testing would ensure baseline industry standards are implemented and easy exploits are not available not only in IoT devices but also in underlying IoT ecosystem.
Q. Does the skill gap in security industry has somewhere lead to such enormous attacks? If so, how do you think that skill gap can be mitigated?
As new technologies like IoT are being adopted by various industries, there is constant need to fill skill gap in areas of Security as well. Developers and product owners are neglecting or overlooking security at the design stage to speed up product lifecycle and take it to market for business growth. This leads to a lot of vulnerabilities in the existing IoT products and hence becoming easy targets for attackers. This skill gap can only be bridged by upskilling existing security professionals to newer domains/ technologies/interfaces/protocols and implementing security by design at beginning of IoT product lifecycle. Also, Integrating business process and security into mainstream work culture will help enhance the overall security culture of the organisation
Q. What are the cybersecurity pitfalls in IoT world to watch out for?
The most common pitfalls currently affecting IoT products and services are:
- Insecure web interface – this could lead from Account listing, weak default credentials, session management etc.
- Insufficient Authentication/ Authorization – this could lead to weak password policies, password in plain text, lack of role based access etc.
- Lack of Encryption – this could lead to unencrypted services via Internet or Local network
- Insecure Firmware – firmware leaking sensitive information or no encryption present in firmware.
- Privacy concerns due to the nature of the data being tracked or sensitive personal data being collected
Weak Physical Security of IoT Devices/Sensors – like access to USB ports or removal of sensitive data via storage media.