Security in IoT – Why It Matters

IoT has quickly changed how we think of the Internet. Those who grew up with the Internet might still think of browsers on client systems like laptops and desktops pulling down websites hosted on servers. But today, Internet usage has evolved considerably from that point. We’re watching movies on the streaming app built into our televisions. Voice-enabled home assistants play music and pull up stock quotes on demand. Vast arrays of solar panels are installed at industrial scale with all kinds of instrumentation built in to allow for operations and maintenance with minimal human intervention. The benefits of this revolution are seen across the economy, fueled by new, innovative use cases with emerging and cheap distributed manufacturing driving costs down.

Desktop computing followed a similar path some decades ago, with successive generations of processors and cheaper memory enabling gains across broad swathes of society. But relative to IoT, it followed a measured pace. Even as the people producing the hardware and the applications were making steady progress, there was another set who recognized that this provided a parallel opportunity – for them to use this technology to inflict harm on others while enriching themselves. This has led to the many years of network infiltrations, data breaches, and destructive attacks that we’re now hearing about non-stop. For the most part, this has happened in environments based on traditional computing devices like servers and laptops.

As we enter the IoT era, we have to contemplate how the widespread presence of new kinds of devices that include some form of computing and network connectivity might impact the threat landscape.

Consider the following findings from the NETSCOUT Threat Intelligence Report for H2’2019:

  • Mirai, a popular malware family responsible for numerous high-profile DDoS attacks since 2016, has been ported to at least 17 separate IoT architectures. This means that once an adversary has access to an IoT device, odds are there’s already malware ready to be installed.
  • And then gaining such access keeps getting easier. Many IoT devices run with known vulnerabilities, making them easy to compromise as long as they are reachable on the Internet. The report cites the ECHOBOT family that carries 71 separate exploits for a wide array of devices.
  • Even if these devices ship without known vulnerabilities in the first place, not many have a software update mechanism of any sort, so they’re almost destined to be vulnerable at some point as the underlying software ages.
  • This is true globally, and adversaries take advantage of common credentials that ship on devices in specific regions.

Will IoT ever see a moment where it takes a big leap forward in terms of security? Think about when Windows XP Service Pack 3 arrived and provided a huge step forward over previous generations of software that just wasn’t ready for the Internet. Can there be such a big-leap moment for IoT?

For many reasons, this seems like a long shot. The IoT ecosystem is vast, and there are many separate entities responsible for parts of the process, from the time a device is conceived to when it gets installed on a network. One huge problem is that end-users bear the brunt of the insecurity baked into the ecosystem with few consequences for other entities in the chain.

And it’s quite the brunt for end users. There have been multiple times in recent years when attacks have occurred that struck at the core of the Internet’s stability. IoT is a jump point for many intrusion campaigns. And the reports of large-scale vulnerabilities keep coming. In the past month, the Trek TCP/IP stack has had a set of 19 separate vulnerabilities reported, with little chance that devices involving the software will ever get updated.

What should we do to fix this? Unfortunately, there are no easy answers.

Standards will have to be created and enforced around the basic design of such devices. Secure access, updates, and obsolescence have to be factored in from the beginning. Consumers will need education on topics, such as the safe deployment and use of their devices. Service providers will need to run containment operations when large attacks break out. Governments have to hold all these entities accountable. Every one of these entities will need to play their part if we are to get anywhere.

As a society, we have to recognize the role of the intelligent adversary, who will adapt to these changes as they are introduced. In many instances, even as we progress in the security of devices we have deployed, the adversary may also make significant gains in their ability to exploit vulnerable devices to their ends.

As the IoT revolution brings changes to society, it is introducing new classes of risk. It is up to us to make sure these risks are understood and mitigated if we are to reap the full benefits of the revolution.

CPO Magazine source|articles
