The number of IoT devices has exploded over the last several years, driven by the increase in people working from home and the rapid move towards a more connected experience across many industries. IoT lets workers carry out tasks remotely, which in turn requires more and more devices to operate off-premise and expands the network. According to analysts at IDC, IoT spending in Europe is expected to reach $202 billion in 2021, and with the arrival of 5G it will continue to experience double-digit growth through 2025. Despite this mass adoption, there is a clear downside: IoT devices are creating a new, broader attack surface, exposing end users and enterprises to unknown vulnerabilities in environments where connected devices are pervasive.
One of the biggest challenges today is that IoT devices are hard to monitor and secure. For example, cyber security solutions are often far too heavyweight for the low-power sensors used on production lines; many devices run outdated software that lacks encryption; and some devices only connect sporadically. On top of this, unauthorised or third-party IoT devices open up additional attack vectors that organisations may have no visibility into. All of these elements make IoT devices a labour-intensive nightmare to discover, manage and protect.
The broad attack surface of IoT devices
Tracking and securing the increasing number of connected devices is difficult and a frustrating part of the job for many CISOs and security experts. Security teams need to know that a device exists before they can patch and secure it, but the growing number of devices makes it hard to keep up.
In many cases, it is up to individual employees to install updates on these devices, and many lack the skills required to do so. This leads to vital updates not being applied properly or on time, leaving network resources exposed.
On most other systems, security teams can deploy endpoint agents or logging technology, but that normal security telemetry cannot be deployed on small, unsophisticated IoT devices. The result is a monitoring gap outside full network visibility, meaning IoT devices are left open and vulnerable to attack.
Connected devices can cause chaos
Some industries have struggled with the fast adoption of IoT, with dire consequences. Manufacturing, for example, has been quick to adopt IoT, allowing companies to monitor and maintain equipment performance, such as temperature and usage, without manual labour. But without the right security and robust monitoring, these devices could cause chaos in a cyber attack and disrupt the supply chain, as seen in the attacks on the Colonial Pipeline, the world’s largest meat processor JBS and IT software provider Kaseya.
Healthcare has also moved towards the broad use of IoT, allowing doctors and nurses to access real-time information on patient wellbeing and treatment, as well as to track the location of critical equipment. But the growing list of potentially insecure devices could put patients in danger. This became a worrying reality when the first human death associated with a ransomware attack occurred after a hospital in Germany was targeted by an unknown hacker. The internal networks at many hospitals are expansive and are renowned for running legacy systems, making this sector easy prey for attackers.
The WannaCry attack brought the UK’s NHS to a standstill as hundreds of trusts, care organisations and GP practices were affected, putting patient data at risk. The same was seen in the attack on the Irish Health Service, where attackers threatened to publish or sell the data they had stolen unless the ransom was paid.
There are also examples of organisations falling victim to unknown and unmanaged IoT devices. Recently, the threat intelligence firm Mandiant, the Cybersecurity and Infrastructure Security Agency (CISA) and ThroughTek, a provider of IoT cloud surveillance solutions, reported a vulnerability affecting millions of IoT devices that could let attackers watch live camera feeds, create botnets or use compromised devices as a stepping stone to further attacks – the stuff of nightmares for organisations.
The vulnerability lies in the Kalay Software Development Kit (SDK), which numerous other organisations use as Original Equipment Manufacturer (OEM) software to integrate their security cameras and other IoT devices with the Kalay cloud platform. OEMs manufacture and sell products, or parts of a product, that another company sells to its customers under its own branding.
Exploits like this should be a wake-up call to mitigate risk for any industry that relies on IoT devices. Cyber security tools must extend to all connected devices, including security cameras, hospital infusion pumps and MRI machines, to prevent exploitation that could have unimaginable consequences.
Monitoring the unmonitorable
It is clear that the inevitable rise in IoT devices and the expanded threat vectors that come with them require organisations to prepare and protect themselves better, with more sophisticated network segmentation or Zero Trust policies, meaning no asset or network segment is implicitly trusted.
But OEMs and Machine-to-Machine (M2M) IoT component producers also need a plan for device discovery and containment, and must be able to gather deep forensic insight to establish the root cause of a threat.
IoT devices require a network security tool such as network detection and response (NDR) to show east/west movement and to build a comprehensive device inventory. Most organisations lean on endpoint or EDR tools for this, but those can only monitor a device they can be installed on, and they have an internal view – think of them as the nanny cam inside the house. An NDR tool can see the entire neighbourhood, count each dwelling and see what kind of traffic is flowing between them.
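As an added illustration of what "counting each dwelling" and watching east/west traffic looks like in practice, the example below (not from the article or any NDR product) builds a device inventory from flow records and flags internal flows leaving an IoT segment that a Zero Trust segmentation policy does not allow. The subnets, the allow-list and the flow records are constructed assumptions.

```python
"""Passive flow-based inventory and east/west check for an IoT segment.
Added example; subnets, allow-list and flow records are constructed assumptions."""
from ipaddress import ip_address, ip_network

# Assumed segmentation: the camera VLAN may only reach DNS/NTP on the
# server segment; anything else internal is unexpected east/west traffic.
SEGMENTS = {
    "iot-cameras": ip_network("10.20.0.0/24"),
    "corp-clients": ip_network("10.10.0.0/24"),
    "servers": ip_network("10.30.0.0/24"),
}
IOT_ALLOWED = {("servers", 53), ("servers", 123)}  # (dest segment, dest port)
# Constructed NetFlow-style records: (src, dst, dst_port, bytes)
FLOWS = [
    ("10.20.0.11", "10.30.0.5", 53, 120),
    ("10.20.0.11", "10.30.0.5", 123, 90),
    ("10.20.0.12", "10.10.0.40", 445, 48000),  # camera speaking SMB to a laptop
    ("10.20.0.12", "10.30.0.9", 22, 3100),     # camera reaching SSH on a server
    ("10.10.0.40", "10.30.0.9", 443, 20000),   # ordinary client-to-server flow
    ("10.20.0.13", "52.0.0.10", 443, 5000),    # cloud relay: outbound, not east/west
]

def segment_of(ip):
    """Map an address to its segment name, or None when it is off-network."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None

def build_inventory(flows):
    """Count each dwelling: every internal address seen, with the ports it initiated to."""
    inventory = {}
    for src, dst, port, _ in flows:
        for ip in (src, dst):
            seg = segment_of(ip)
            if seg and ip not in inventory:
                inventory[ip] = {"segment": seg, "ports": set()}
        if src in inventory:
            inventory[src]["ports"].add(port)
    return inventory

def east_west_violations(flows):
    """Internal-to-internal flows from the IoT segment that the policy does not allow."""
    bad = []
    for src, dst, port, nbytes in flows:
        s, d = segment_of(src), segment_of(dst)
        if s == "iot-cameras" and d is not None and (d, port) not in IOT_ALLOWED:
            bad.append((src, dst, port, nbytes))
    return bad
```

Real NDR tooling would feed this from a flow exporter or a span port rather than a hard-coded list, but the two questions it answers are the same: which devices are on the network, and which of them are talking to things they should not.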
Security teams need to be able to pull together an actionable plan and quickly eradicate the risk or vulnerabilities from the environment, and deep forensic insight helps them do so. Defence and forensics capabilities give organisations a tool for the full spectrum of response, from hunting and investigation to remediation. In this way organisations can streamline their workflow and investigative capabilities, allowing them to respond quickly at the time of an attack.
IoT is only going to continue on an upward trajectory, as will ransomware and advanced cyber attacks. The time is now to ensure organisations have the right tools in place to better identify their overall threat exposure and reduce response time – stopping ransomware in its tracks.