Recently, we commented that the Internet-of-Things (IoT) was finally gaining traction in the industrial world and was on track to become 5G’s killer app, as it gives industrial companies the opportunity to attach a wide range of digital services and features (monitoring, analytics…) to their installed base of cars, factory machines or robots. The IoT can therefore be considered a new growth driver for all these companies and a source of highly recurring and profitable revenue, as most of these new services will come in the form of cloud-based subscriptions.
While the IoT represents a massive business opportunity for industrial companies, it also has major security implications and will materially expand the attack surface: as IoT devices proliferate, the number of vulnerabilities will grow exponentially. Indeed, IoT devices present two major security challenges to corporate organizations.
First, the size and power consumption requirements of these devices translate into capped processing power and storage capacity. This affects the implementation of security features and/or software upgrade capabilities.
Second, the variety of hardware and software solutions across the multitude of devices and manufacturers prevents companies from protecting all of them with the same solutions and procedures, obstructing the emergence of a standardized approach. For instance, a smart lighting system, a smart refrigerator and surveillance cameras are likely to have different security features even if they are all connected to the same Wi-Fi network. This lack of standards is the main reason why the IoT is such an easy target for hackers.
Each IoT device is therefore a potential entry point to a company’s network. And it appears that hacking a simple IoT device is quite easy: if we take the example of a webcam brand, it’s possible to get the entire list of the public IP addresses of those cameras on specific websites. Most of the time, these cameras feature no username or password, or use a default one such as “admin / admin” or one that you can simply search for on Google…
With the IP address and the admin credentials, hackers can infiltrate the network and then move laterally to gain access to sub-systems, potentially reaching high-value files like client information, industry secrets or contracts.
Those intrusions can lead to a variety of consequences that have often made the headlines in recent months. The most common are access to sensitive data and the takeover of microphones, sensors and cameras, which can reveal valuable information to whoever has illegitimately gained access. A good example is the recent exposure of the ThroughTek platform, which affected tens of millions of IoT devices and made it possible for hackers to listen in or see through baby monitors or connected surveillance cameras.
IoT devices can also be used for Distributed Denial of Service (DDoS) attacks, in which attackers assemble a network of compromised IoT devices (a botnet) that makes a high volume of simultaneous requests to a target website to overwhelm the site’s servers and take it down.
On top of reputational risks and revenue loss, another unpleasant outcome of an intrusion that is gaining in popularity is ransomware, which consists of encrypting an organization’s files and asking for a ransom in exchange for a key to decrypt them.
Adding to these worries, the IoT is gradually being adopted by water and energy utilities, thereby putting critical infrastructure such as atomic plants at risk.
In light of all the above comments and challenges, some cybersecurity firms appear well placed to handle the IoT risks, as securing billions of heterogeneous devices will require cloud and machine learning/artificial intelligence capabilities.
Threat detection, notably, is a major IoT security offering. It identifies an attack while it is happening, based on a continuous data feed and on patterns that are likely to be generated by malicious activity. Cloud-based machine learning algorithms make it possible to update the threat database with the most recent vulnerabilities and attack patterns, making detection more efficient as time goes by.
Device monitoring and authentication & privilege management are also likely to grow in tandem with the IoT. They make it possible to know which devices are connected, for which reason, and with which rights & credentials. Two-factor authentication and Zero Trust protocols can then be put in place to ensure that it is the desired device that is connected to the network and that its rights are limited, to prevent lateral movement in case of infection.
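The check below shows what device monitoring combined with limited rights can look like in practice. It is an added example, not taken from any vendor mentioned here: the inventory, MAC addresses, IP addresses and ports are all constructed, and the `Flow` record format is an assumption.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed inventory (assumption): MAC -> (role, allowed (CIDR, port) pairs).
INVENTORY = {
    "aa:bb:cc:00:00:01": ("camera", [("10.20.0.10/32", 554)]),     # recorder only
    "aa:bb:cc:00:00:02": ("lighting", [("10.20.0.20/32", 8883)]),  # broker only
}

@dataclass(frozen=True)
class Flow:
    src_mac: str
    dst_ip: str
    dst_port: int

def is_allowed(flow, rules):
    """True if the flow matches one of the device's allowed destinations."""
    dst = ip_address(flow.dst_ip)
    return any(dst in ip_network(cidr) and flow.dst_port == port
               for cidr, port in rules)

def audit_flows(flows, inventory=INVENTORY):
    """Return (finding, flow) pairs for unknown devices and out-of-policy flows."""
    findings = []
    for flow in flows:
        entry = inventory.get(flow.src_mac.lower())
        if entry is None:
            # Device is on the network but nobody registered it.
            findings.append(("unknown-device", flow))
        elif not is_allowed(flow, entry[1]):
            # Known device reaching beyond its rights: possible lateral movement.
            findings.append(("policy-violation", flow))
    return findings

# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    Flow("aa:bb:cc:00:00:01", "10.20.0.10", 554),   # camera -> recorder: allowed
    Flow("AA:BB:CC:00:00:01", "10.30.5.7", 445),    # camera -> file server
    Flow("aa:bb:cc:00:00:02", "10.20.0.20", 8883),  # lighting -> broker: allowed
    Flow("de:ad:be:ef:00:09", "10.20.0.10", 554),   # not in inventory
]

if __name__ == "__main__":
    for kind, flow in audit_flows(SAMPLE_FLOWS):
        print(kind, flow)
```

MAC addresses can be spoofed, so a production inventory would key on a stronger device identity such as a per-device certificate.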
Finally, remediation includes all tasks related to the response after a threat is detected. Containment of malicious activity is the last resort of IoT security but is still capable of greatly mitigating the associated risks.
Overall, the advent of smart cities/factories/homes/cars and the ensuing IoT “mess” over the coming years are expected to be a major growth driver for cybersecurity software and hardware firms. Those with a large endpoint/IoT exposure such as CrowdStrike, Digi International or Cisco Systems are actively working on solutions to supply a safe IoT environment from the individual up to the corporate state level.