Digital existence in the future rests on Cybersecurity
Ericsson Mobility Report forecasts that over 29 billion IoT devices are connected to the Internet by 2022. Every industry unanimously agrees to the fact that IoT devices have reaped impressive benefits. And, this is only going to get better with time. Likewise, the global market for IoT is expected to grow to $1.6$ trillion by 2025, a 16x jump from $100B in 2017. While this is the bright and shinier side of the IoT industry, things get alarming when we talk about the kind of IoT security challenges they bring.
1.51 billion Breaches in 6 months!
According to a research report, 1.51 billion IoT breaches took place in the first half (January – June) of 2021. This is a huge jump from 639 million in 2020. Challenges that arise with new emerging technologies like Edge Computing and Artificial Intelligence have made the cybersecurity landscape more complicated. The intruders can penetrate the network through the biometric system used for employee login, CCTV cameras, or even the HVAC systems.
Top 10 IoT Security Challenges
We will take you through 10 most critical IoT security challenges and threats your enterprise might encounter and, follow the solutions to safeguard your network.
1. Weak Passwords hand keys to Hackers:
As silly as it sounds, many device installation executives overlook the need to change the default logins and passwords of IoT devices. Many use factory default credentials, putting their IoT devices and networks at high risk. Weak and default passwords often top the list of IoT security challenges. Hackers use preset passwords and brute force to crack the passwords and gain access to the IoT device, and thereby to all the devices on the entire network.
As soon as you receive your IoT device, change its default password even before connecting it to the internet. Try to use a secured and sophisticated password and avoid common words. Hackers use hash key decrypting software that has a database of common passwords and their hash keys. It is strongly advised to limit logins to a single IP. This greatly prevents any access across geographies.
2. Poor IoT device management
While vast and deep networks of IoT devices are built, the aspect of security compatibility among the IoT devices is not given its due attention. Sectors like maritime, mining, healthcare, and retail host hundreds to thousands of IoT devices on a single network. These devices come from different manufacturers having different firmware and security requirements. Often legacy devices find their way into these complex networks and become the primary cause of IoT security challenges. Hackers scan for such devices to trespass and attack the network.
Enterprises should employ dedicated Operation Technology (OT) Manager who is sound and qualified when it comes to network management. Legacy devices should be taken off from the network, or their security firmware should be upgraded on par with other devices. It is best advised that enterprises micromanage the network by fractioning it into distinctive segments. Constant and periodic security checks on vulnerabilities, firmware updates, alerting, and reporting should be carried out across all IoT devices and their networks.
3. Is your sign-in secure?
IoT networks have multiple entry points through various channels. They can be apps, mobile interfaces, backend APIs, cloud, and others. Attackers often exploit vulnerabilities in insecure interfaces to gain access to the networks. IoT security challenges are high in digital environments where weak encryption or insufficient device authentication/authorization prevails. There have been instances where open-source code was used to build an inter-organization app, which later paved the way for a hacking group to enter the system.
To mitigate a potential breach in an organization, strict device authentication and authorization processes should be implemented, capable of protecting mobile and cloud interfaces. Enterprises should ensure all the IoT devices network are issued an X.509 standard certificate. This lets the OT manager identify, authenticate, or authorize any IoT device on the network. If anything suspicious is found, the respective device can be taken off the network. This reduces IoT security challenges to a great extent. Practical identity tools are useful to differentiate malicious users and legitimate users.
4. No updates mean, Vulnerabilities stay exposed
Outdated firmware, insecure update deployment, corrupt updates, and legacy operating systems can threaten the entire network. This opens doors to a slew of cybersecurity challenges and threats, often followed by large-scale attacks. Many enterprises paid the price heavily by opting for third-party hardware and software in a supply chain. Deprecated libraries and insecure software components can compromise the device, and the network to which it is connected. Adding to this, the lack of regular security patches and firmware updates only worsens the situation.
OT managers and other security experts should carefully scan any third-party software or hardware that is to be a part of the supply chain. At all times, frequent updates and secure update mechanism processes should be followed through secure and encrypted channels. The integrity of the updates should be verified along with their source before loading them onto the IoT device network. Enterprises can address IoT security challenges by staying away from insecure customization of operating systems of the devices.
5. IoT skills gap – The hidden dangers
As an enterprise, you might be investing millions to set up an efficient IoT network for smooth functioning and real-time monitoring of various assets. But do your employees have the skill to manage, monitor, and extract maximum benefit from your IoT devices? Are they prepared for emerging technologies?
According to Forbes, over 1/3 of respondents felt they had a skill gap when it came to IoT devices and operations. Surprisingly, over 80% felt they don’t have the skills to keep their IoT devices working and 76% felt they needed to up their game when it came to operating IoT devices. To add more, more than half of enterprises fail to identify the grey areas of their employees’ IoT skills. Many enterprises consciously shrug off the issue of the IoT skill gap, citing there is little to worry about. The truth is, this skill gap exposes the digital assets to a host of IoT security challenges and threats that could ultimately hurt the enterprise.
Adapting to dynamic needs challenges a company on all fronts. Is your company ready to adapt to such change? This is something that needs to be addressed, requiring a long-term strategy. How can you bridge the skill gap?
- Retraining and Upskilling – With an abundance of resources available, enterprises can sponsor retraining and upskilling of their employees in emerging technologies. This should be seen as an integral part of an enterprise’s IT budget. Reports have shown this approach also improved employee retention and loyalty among the IT giants.
- Recruitment Strategy – Enterprises should focus on recruiting for an unknown tomorrow than trying to meet today’s needs
- Building a future pipeline –Tomorrow’s needs should be understood today, be it the company’s or the customers. Creating a pipeline of people dealing with cybersecurity, those who can take on IoT security challenges, and importantly, those who can bring organizational changes in IoT connectivity should be pursued and be made a part of the organization.
6. Compromised Privacy and Protection draws unwanted attention
Data is the new oil and any access to it means money. Similar to cross-border shelling from a rogue neighbor, hackers constantly attack networks in a bid to find vulnerabilities. Poorly managed data with little to no protection attracts independent hackers and groups, who make the most of it by exfiltrating, demanding a ransom, or even putting it in the public. IoT Ransomware attacks are creeping their way as popular IoT security challenges. Over 98% of the data flowing between IoT devices is unsecured according to the latest research. This leaves troves of data in the open only to be exfiltrated by a rouge intruder. In 2017, a cyber-attack discovered on a casino showed that over 10GB of critical data was exfiltrated.
- Cryptography is an effective way to address data protection challenges
- Enterprises should employ strong data encryption to ensure confidentiality and privacy. This comes in handy during a data breach or a cyber-attack.
- Incorporating Federated Machine Learning (still in the development stage) is vital. In FML the stays local while the machine learning happens at the edge. Only the analytics are shared to the cloud. This can reduce many IoT security challenges by a large factor.
7. Insecure ‘A & A’ puts enterprises at stake!
Authorization and authentication of devices is the most critical element of an enterprise’s IoT network. With each device potentially being an entry point, it is imperative to ensure all the devices entering the network are authorized and authenticated with preset policies. Recent research trends have shown that on an average 15% of IoT devices on an IoT network are unauthorized. The issue of unauthenticated devices creeping into enterprise networks has even hit tech giants like Tesla. The Healthcare sector is at the top in terms of breaches and IoT security challenges. There is a rise in counterfeit devices that often come with a tampered operating system paving way for hacking.
- Enabling Two-Factor Authentication (2FA) as a default authentication to enter the network
- Deploy additional biometric authentication to critical systems and components
- Enabling digital certificates (Public Key Infrastructure) over prevailing authentication system
- Enforcing the use of strong passwords at all levels
- PAM (Privileged Access Management) is essential to bring down the number of IoT security challenges and threats.
8. Prevention and Identification run parallel
A breach at some point is inevitable no matter how many efforts and measures are put in place. But a breach does not necessarily mean your system or network is compromised. It only hints that an intruder found a way into your network. With hundreds (and even thousands) of IoT devices connected and heaps of processes running at any given moment, it becomes very difficult to identify the precise location of the breach. It is even more difficult to find to what extent confidential data is compromised if any. To overcome IoT security challenges and threats arising from these situations, it is important to discover and patch the vulnerabilities in the system. If not, sooner or later the entire network is at a high risk of being compromised.
An enterprise should opt for a long-term approach that involves vulnerability detection at the core and continuous upgrading of cybersecurity to prevent cyber-attacks. There is no one-time approach to combat IoT security challenges and threats in the dynamic virtual world. Enterprises should include the following along with their other essential operations.
- Deploying IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) can bring cybersecurity challenges to a great extent
- Using security intelligence and analytics to identify and report in real-time
- Carrying out ethical hacking and penetration testing often
- Automating log monitoring, threat detection, and associate processes
- Constant monitoring of the IoT network by OT managers is crucial
9. Lack of compliance
The lack of compliance among manufacturers is a worrying concern, especially with rapidly evolving technologies like IoT connectivity. In general, a device is expected to meet the following criteria:
- Operational Compliance
- Security Compliance
- Manufacturing Compliance
The lack of operational compliance can put an entire IoT network at risk. The network may be your employee login system or even power distribution to an entire city. Legacy operating systems delayed security patches, and other factors threaten the network on which they operate.
Few IoT device manufacturers use open-source code or code that is not properly tested on their devices. These IoT devices when becoming a part of a network can put the entire system at risk. Devices that come with weak encryption and sub-par testing methodologies and test sequences, should not find a place in any enterprise. Lack of security compliance only elevates IoT security challenges. Many IoT device manufacturers do not manufacture patchable IoT devices.
Participate now: CISO Peer Survey 2022
A good percentage of IoT devices come with a host of manufacturing defects. Hackers use these physical defects to take advantage to impair an entire organization. John Machnicki (VP & Director, Risk Control Laboratory) rightly quoted, “IoT has the potential to cause physical damage in the real world”. The manufacturers do not spend enough time and money on improving and testing the security of the devices.
To reduce the IoT security challenges arising due to noncompliance; manufacturers, enterprises, developers, and testers should adopt the following:
- Manufacturers should strictly adhere to local laws, regulations, and compliant standards
- Enterprises should thoroughly investigate and test the IoT device for any manufacturing defect and lapse in compliance
- Complete transparency should be there in data storage and processing, firmware updates, and other key information exchange
- It is always advisable to develop own code rather than depending on open source, especially in the case of IoT devices that later become a part of huge networks
- Encryption of data flowing to and from the IoT device should be mandatory
10. Cryptojacking through IoT botnets
Often enterprises worry about data breaches. What about the processing power? Is your OT manager monitoring the usage of processing power by IoT devices and networks? If not, it is better late than never. If you notice any steep climb in the processing power and the resources, it is most likely your network is being used to mine cryptocurrency.
In a new trend known as cryptojacking, new-age hackers are focused on preparing large swarms of IoT botnets for crypto mining. After injecting crypto-mining malware on your IoT device/network, hackers combine the computing power of thousands of such IoT devices and use them for resource-intensive crypto mining. This is no good news for an enterprise of any size.
Prevention is better than cure. Ensure your IoT networks, resources, and other IT sources are constantly monitored for any kind of anomalies you might find.
- Install updates and patches as and when available and ensure all the systems are secure
- Constantly review, upgrade, and if required, update security policies and measures
- Equip your cybersecurity and IT team with the latest technologies and information
- Opt for external ethical hacking and penetration testing services
- Before buying IoT devices, check whether the devices are patchable or not.
Why cybersecurity is must?
IoT attacks are truly a nightmare!
- 1 in 3 attacks targeted at critical operations – 33% attacks on IoT devices impact critical operations
- 1 in 4 attacks target the devices – 27% attacks saw loss or theft of IoT device
- 3 in 4 have no trust in IoT connectivity – 74% global consumers worried losing their civil rights
- 3 in 4 attacks are via routers – In 75% attacks routers pave way
- 2 in 4 business fail to detect IoT security breaches – 48% enterprises are unable to detect IoT security breach
- 1 in 3 use workplace in Password
- 1 in 3 use child name, birthday, and partner’s name in Password
- 1 in 2 use Same Password – over 54% reportedly used the same password on multiple work accounts
- 1 in 2 attacks have Trojan malware
- 1 in 4 attacks target banks and financial institutions
- 1 in 5 websites are infected with malware
- 3 in 4 have access to ex-employers secrets – over 77% employees still have access to their previous employer’s infrastructure and other resources
- 1 in 4 IoT attacks target password – Over 26% of IoT attacks are aimed at password breaking
- 3 in 4 devices are to be IoT active devices by 2030
- 1 in 4 IoT devices fail to comply industrial standards
- 1 in 4 IoT devices have poor authentication – Over 26% of IoT devices have ineffective access controls and/or device authentication
- 1 in 4 IoT devices expose data – Over 27% of sensitive data found is linked to IoT devices
- Only 1 in 5 can identify majority of their Organization’s IoT devices
- Only 1 in 10 enterprises are confident about being safe from IoT-related cybercrime
- 9 in 10 businesses attacked in Australia – Over 88% business in Australia suffered ransomware attacks
- 8 in 10 businesses attacked in Singapore – Over 78% business in Singapore suffered ransomware attacks
- 3Q – 2Q = 388% – Jump in ransomware attacks between 3rd Quarter and 2 Quarter of 2020
- 600,000 IoT devices can be unlocked by 5-year old – over 600,000+ GPS devices manufactured in China came with the ‘123456’ default password
- 4200 US municipalities that have issues with IoT devices
- 1 in 4 attacks are due to rouge employees – Over 25% of the cyber-attacks and/or data breaches are due to former and rogue employees
- 1 in 11 seconds – 1 Ransomware attack took place every 11 seconds in 2021
Are enterprises being responsible ENOUGH?
The answer is both a feeble yes and a strong no. While few enterprises understood the IoT security challenges cropping up with technology, others have taken a step back. As already presented, many see IoT connectivity as an emerging technology and ignore the need in bridging the gap between their present and required cybersecurity needs. For many, this only affects a sole organization. The reality is far from the truth. Given the rapid growth of the SaaS industry, networks of enterprises are interwoven beyond one’s supervision. This plays a large attack surface area to hackers who are continuously in pursuit of vulnerabilities.
One grave vulnerability can potentially bring operations to a standstill. In a pessimistic scenario, this can give away access to critical infrastructure to the intruders, further worsening the situation. Enterprises should advocate the need for complete cybersecurity of IoT devices and networks in their industry sphere. This mitigates cybersecurity challenges and threats to a large extent.
Impact of IoT attacks in range of Billions and Trillions
- $10.5 Trillion – Cybercrime damage in 2025 which is greater than combined GDP of Japan, Germany, and UK
- $1 Trillion – Enterprises like to spend on cybersecurity in 2025
- $20 Billion – A 57x jump in ransomware attacks cost from 2015 to 2021
- $265 Billion – Projected ransomware attacks cost by 2031, greater than GDP of Finland.
- $50 – The amount computer tech giant ACER was demanded
- 456 Hours – Average downtime due to ransomware attack
- 127 Families – Year 2020 saw an upspring of 127 new ransomware families (only detected ones)
Artificial Intelligence – The newbie in Hackers toolkit!
Irrespective of the size of your employees and the business you carry out, you should protect your enterprise from IoT security challenges and threats. From traditional DDoS attacks to using Artificial Intelligence, cybersecurity intruders have always found new ways and means.
Leveraging Artificial Intelligence, hackers are en route to developing and creating intelligent malware programs that are showing capabilities beyond the current realm. In a parallel world, security experts are finding means and ways to take advantage of Artificial Intelligence and Machine Learning in combating menaces in cybersecurity space. Such programs can aid in identifying and detecting threats before any human intervention. Recent history has proven AI capabilities. AI has been extremely successful in detecting unusual patterns and responding by executing an action, and/or alerting the admin. It will be interesting to see how enthusiastic enterprises are ready in adapting to future cybersecurity demands.
Effects of IoT hacks in Numbers:
- 70 Million – Data pertaining to 70M customers was stolen during TARGET Company hack. Hackers entered systems through a third-party HVAC provider (Nov 2015)
- 225,000 Homes lost power – In an attack on Ukraine’s power grid, hackers were able to cut off power for over 225,000 homes and 30 substations using stolen credentials (March 2016)
- 1.5 Million Vehicles recalled – Researchers managed to control JEEP manufactured cars remotely, forcing the company to recall 1.5M vehicles (July 2015)
- $400M losses annually – If not for FBI, the Puerto Rico Utility would have continued to lose $400M annually, after the Smart Meter Hacking (April 2012)
- 230,000 Newbies – The number of new malware samples that are created daily
- 143M Social Security Numbers exposed – The Equifax Hack compromised social security numbers of over 143 million in the US
- 300,000 – The number of computers affected by WANNACRY in 150 countries
- 41M attacks per month – The US Department of Defence is hit by 41M cyber-attacks per month as of 2017
- Human errors are responsible for over 95% cybersecurity breaches
- Google recorded 27% increase in phishing websites registration. As of January 2021, 2 million phishing websites are registered with Google.
- 69% of cyber-attacks are targeted!
- Pandemic brought 300% rise in cybercrime!
- 18M malware emails hide in the disguise of Covid-related emails
Countering new-age IoT security challenges and threats
Most of the above-mentioned threats are a result of negligence, lack of compliance, and rationing of funds and resources. Enterprises should engage pro-actively in the management of their IoT devices and networks. Following a diligent routine in monitoring and scanning their IoT networks can evade most of the IoT security challenges. Above all, enterprises should opt for a cybersecurity partner like Sectrio, which secures your IoT networks at all levels and at all times. At Sectrio, we recommend every enterprise implement the following for a secure and safe IoT environment:
- Enforce strong passwords at every entry point
- Opt for Two-Factor authentication wherever and whenever possible
- Allowing access through single IP for critical systems
- Constant surveillance of IoT devices, and the entire network
- Implementation of Privileged Access Management
- Installation of updates on time through a secure mechanism
- Implementing Micro-segmentation process