In the final piece of our ‘Cyber Serious’ series, we look at the implications of the Internet of Things, or IoT as it’s commonly known. Be sure to read the previous pieces in our ‘Cyber Serious’ series for more need to know information on cybersecurity.
Before we talk about the IoT, it’s worth discussing the meaning of ‘risk’ and why cybersecurity is an issue for everyone, and will continue to grow as an issue over the coming decades and centuries.
Risk is something all companies try and mitigate, and it is the number one reason for cybersecurity in the first place. But ‘risk’ is nothing without ‘need’. If an organisation doesn’t need something, then it would not be necessary and is therefore not a risk if it’s destroyed, stolen, hijacked or compromised.
If we didn’t need devices that were connected to the internet at all times, there would be no risk of those devices being attacked. It is organisations’ demand to have connected devices that ultimately drives risk and the more they require, the more risk they will have. The tide of digital transformation is unstoppable as we move forward in technological advancement, risk will inherently increase with this.
The Internet of Things, as it comes into being, provides a huge opportunity for interconnectivity and cross-pollination of data and will revolutionise how we function as a human race, but with that comes a giant leap in risk that must be discussed, assessed and mitigated.
So why might criminals take advantage of the internet of things? The short answer is: because it will provide more opportunities to access to even more ‘things’ than they had before.
The following is a true story. In London, 2018, cybercriminals hatched a plan and stole a casino’s high-roller database through a thermostat in the lobby’s aquarium. The criminals used the connected thermostat to gain a foothold onto the network, they then found the high-roller database through it; they then pulled the data back across the network, out the thermostat on the fish tank and up into their cloud storage. Luckily no fish were harmed during the hack.
Also in 2018, in an unnamed corporate organisation in the USA, hackers managed to take control of office security cameras and used them to peer over the shoulders of workers while they were inputting sensitive information into their computers. This info was then used to bypass the organisation’s security system a few days later.
There are many more stories just like these.
Organisations that install sensors, monitors, cameras, doors, refrigerators, carparks or anything else that is connected to the IoT do so because it provides real value, and makes the lives of employees or customers easier, increases, profit, and more. IoT will bring huge benefits to all aspects of our lives both in and out of work.
However, with this gain and dependence comes risk, and it’s important that organisations are aware of this so they can plan ahead and mitigate it as much as they can.
Where is the main weakness with IoT?
Many of the manufacturers of IoT devices such as webcams, pressure sensors, thermometers, microphones, speakers, and stuffed talking animals are small in scale and relatively unsophisticated. Their business goal is to quickly capitalise on high demand for IoT, by producing products en masse. As manufacturers, they are not considering cybersecurity as much as the organisations that buy them, and each device could be a gateway to a massive network worth tens of millions of dollars, just like the casino example.
Vulnerabilities of small IoT devices include weak passwords, unencrypted communications and insecure web interfaces. With thousands of such devices soon to be scattered throughout Australian organisations, it could be a cybercriminal’s playground.
If the manufacturer of only one of the hundreds of IoT devices in an organisation sets an administrative password that was not changed, a hacker can run a program searching for such device and then test each one to see if it still had the admin password. If you’re the unlucky organisation, malware will enter your system and the device will be under the control of botnets and the organisation will be none-the-wiser.
So, what can organisations do to be security-ready for the IoT?
The main thing is to understand the risk and ensure that an IoT network of devices is carefully built with consideration. If an organisation has an operations team that is installing a smart lighting system, ensure that your cybersecurity team is across it and is looking at the system through an IoT cybersecurity lens. Ensure that all devices are tested for security and pass a standard set by your cybersecurity team before they are installed. If a device is deemed vulnerable, then it is not installed.
Ensuring ownership over devices that are installed is also important. Whichever department has ownership is responsible for ensuring that that device meets the required security standards and is responsible for liaising with the cybersecurity team.
The design of the network is hugely important too. If an organisation has a spaghetti network with devices added to it with no consideration for the network as a whole, then you’re asking for trouble. Large multinational organisations, governments and the military ensure some areas of a network is isolated from others, through zoning and gateways, among other structures. If something does go wrong with a device, it’s impact will be limited.
Organisations must continuously check the vulnerability of their expanding network through penetration testing. Encrypt everything – make sure the data from the devices in encrypted both at rest and in transit, and make sure end-to-end encryption a product requirement for all devices. Lastly, ensure that your organisation has a scalable security framework and architecture that can cater to the growing number of devices it will be required to cover.
The future is coming! It’s going to be amazing, but we must get there carefully.
We hope you enjoyed the ‘Cyber Serious’ series. Stay tuned for more insights from KJR and follow us on LinkedIn to see it first.
If you want to know more about how KJR can assist your organisation with cybersecurity, click here.