How organizations can prepare for an IoT-based attack

Preparing for battle: Stopping IoT attacks

With Gartner predicting a world filled with more than 20 billion IoT devices by 2020, we’re becoming more connected by the minute. All of these devices and sensors will improve and enhance many aspects of life, but they also present risks when the devices are infiltrated by hackers.

Many IoT devices are built without even a minimum of security controls, so they’re exposed and vulnerable from the outset. There’s also a lack of standards throughout devices, which prevents enforcing uniformity in security settings and establishing universal security parameters. Poor patch management is another area of concern, as many IoT device manufacturers require end users to update devices and obtain the latest patches.

For an example of the risks, consider the infamous Mirai botnet, a distributed denial-of-service attack that knocked many internet services offline. Mirai targeted routers and other connected devices that used default user names and passwords, and quickly spread to infect millions of devices. Shutting down botnets such as Mirai is difficult because it’s next to impossible to “lock out” infected machines from internet access, and finding and prosecuting the botnet’s creators is very challenging. IT and individual users frequently are unaware their device is taken over as a botnet, so advanced monitoring and prevention tools are recommended to help proactively stop such intrusions before damage occurs.

For consumer devices, there’s a focus on features such as speed, image quality and value of the data, but consumers don’t typically ask for robust security features from their IoT devices. Companies that develop and deploy these devices should push for better security controls and begin to talk to consumers about the need for improved protections.

Understand the risks

The risks with IoT are fundamentally dynamic because IoT itself is adjusting and growing at such a rapid pace. This growth and sophistication brings with it parallel interest in attacking IoT for financial gain or to simply cause disruptions. Companies should carefully review the legal obligations that come with IoT devices, especially when sensors and other IoT components are used in settings that could potentially cause physical harm. Self-driving cars and connected factories are just two examples of such IoT-based environments where a hacking incident could result in death, not just inconvenience. However, this does not mean there should be complacency in the security protections afforded to wearables or other sensors that aren’t managing life-threatening situations. IoT devices of all kinds are producing data, and it’s the requirement of companies to manage and protect the produced data.

To combat the challenges with IoT, companies should perform risks assessments to fully understand where they might be exposed and how they can remedy those risks. They need a log of every connected device in their network along with a way to automate patching and updating.

Managing the devices and the data

Corporate IT must consider the security needs of provisioning and authenticating IoT devices throughout the company. This includes accounting for the role and location of all of these devices, along with details on updates and patches. The actual data sent between the devices and the network must also be protected. Many companies rely on IoT-derived data to make impactful decisions, so the integrity and security of the data is supremely important. Considerations should include how the data is protected at rest and in transit, and if tools such as encryption should be used to render stolen IoT data unusable. Complex IoT deployments warrant the use of device manager platforms that allow users to control devices remotely, update firmware and control authentication for every device.

IoT deployments are growing by orders of magnitude, and the number and complexity of attacks will follow suit. Companies should demand better products from device manufacturers, with requests for automated updating and patching and the closing of known security flaws before devices go to market. Firms that deploy IoT devices should also anticipate more stringent data management from various governments, and know they’ll need to improve how IoT data is collected, stored and transmitted. Improved visibility into IoT, enhanced devices and a security-focused mindset will all need to come together if companies want to use insights from IoT while also thwarting attacks.

All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.