The Internet of Things (IoT) has quickly gone from a trendy buzzword to a genuine set of emerging technologies promising to significantly improve operations for businesses of all kinds, as well as deliver exciting new experiences for consumers. However, in the rush to get IoT devices to market, security has often been overlooked, which creates opportunities for IoT devices to be used as entry points to compromise networks.
IoT devices tend to have little or no built-in security. Even when rudimentary security measures are built in, users often don’t change default usernames and passwords, making it simple for hackers to gain access to the devices. Many of these devices are used in applications that make their security critical. For example, automatic braking systems in trains or buses could create life-threatening situations if they were sabotaged by cybercriminals. It’s therefore essential to carefully consider security when implementing IoT devices and to not trust that security will be managed by the vendor.
One way to address this challenge is to create mutually-suspicious platforms. Isolating cores, memory, applications, operating system code, and other resources can form a breach-resistant group of barriers. This can make it more difficult for software developers, but the resulting applications are also far more secure, making this approach ideal when safety is at stake.
It’s also important to remember that systems that were previously secure because they were air-gapped, such as Controller Area Network (CAN bus) or ICS-related protocols, are now more likely to be fully connected and, therefore, vulnerable to attack. These also need to be defended.
Cyberattacks are escalating in intensity, severity, and frequency. IoT devices and other connected networks are providing new ways for attackers to sneak in the back door of organisations. Businesses shouldn’t let this stop them from embracing new and emerging technologies, especially those that promise to deliver business efficiencies and potential new revenue streams. However, it is essential for businesses to be well aware of the security implications and take the right steps to protect their networks.
This should include choosing IoT products that include security by design and a commitment from the vendor to maintain the product and ship firmware and/or software updates throughout the serviceable life of the device. This approach removes the need for consumers or organisations to make security-related decisions by defaulting to secure settings. Two ways businesses can improve IoT security are to change default passwords to unique passwords and to regularly update the product with patches and other security updates.
Nick FitzGerald, Senior Research Fellow, ESET