In this article, we will be using the term “Internet of Things” or “IoT” as a catch-all term to describe interconnected smart devices, machine-to-machine (M2M) communication, and related software/hardware technologies.
The data insights and automation potential provided by Internet of Things (IoT) technologies have created great opportunities for process improvement and other revolutions in how businesses operate. The popularity of these devices is rising greatly: the global IoT market is estimated to reach 22 billion actively connected devices for different IoT industries worldwide by 2025.
As with any new technology, the Internet of Things is not without its cybersecurity drawbacks. Any business seeking to implement IoT devices needs to do so with cybersecurity as a predominant concern if it wishes to keep its devices, systems, and data safe.
How Can IoT Help Businesses?
Technologies under the IoT umbrella can do wonders for businesses across a variety of sectors, though a significant impact has been demonstrated with its use in industrial companies.
IoT devices, along with other rapidly developing technologies such as 3D printing, artificial intelligence, quantum computing, and advancements in energy storage, have sparked an unprecedented revolution in the capabilities of industrial companies, leading to what is becoming known as the Fourth Industrial Revolution.
IoT devices allow industrial companies to:
- Remotely control and monitor their supply chains
- Combine IoT sensors with existing technology to aid in the prediction and implementation of preventative maintenance by monitoring for signs of wear and enacting the needed solution.
- Operate their processes in a more energy-efficient way through real-time energy data
For businesses in other sectors, IoT devices can bring forth considerable change in the form of improved data insights. These improvements can provide companies with benefits that include greater stock/inventory control, improved efficiency of scheduling, and waste reduction, among other enhancements.
The Dangers of IoT
While there is a clear advantage that can be gained through the data collection and automation that comes with IoT devices, they are not without their risks. Many IoT and smart device users do not realise how accessible some of their devices may be. The search engine Shodan scours the web for devices with lackluster password protection and displays screenshots of what it was able to access – the most notable examples being streams from IoT security cameras used in both business spaces and private dwellings.
This list is far from comprehensive; however, it serves as a reminder that insecure IoT devices can be exploited and should be implemented with due caution.
Lack of Built-In Security for IoT & Smart Devices
Businesses wishing to leverage the power of IoT need to ensure that the manufacturers of IoT devices they use are taking cybersecurity seriously.
In an effort to mass-market their devices and keep costs low, many smart device manufacturers have opted to forgo investing in cybersecurity and have instead prioritised the cost-effectiveness of their devices to attract buyers for this evolving market.
While governments such as the UK and the US are beginning to take IoT cybersecurity legislation seriously, for the most part, external pressure on smart device manufacturers to prioritise cybersecurity in their device development process has not been sufficient.
Many smart devices do not come integrated with two-factor authentication (2FA) features, nor do they encrypt the data they collect and transfer. Until smart device manufacturers are held responsible for implementing security as a priority from day one of development, smart devices will continue to be a viable vector for cybersecurity threats.
Examples of IoT Security Breaches
Historically, IoT devices have been used as an entry point for malware attacks. To provide further context, here are a few high-profile examples.
Distributed Denial-of-Service (DDoS) Attacks
In 2016, a botnet known as “Mirai” executed a Distributed Denial of Service (DDoS) attack by exploiting the default passwords of a variety of IoT devices. The DDoS attack led to the loss of internet connectivity for a large segment of the east coast of the United States.
The relative ease with which this attack was implemented provides insights into how IoT technologies can be exploited for nefarious purposes, and it was far from the only botnet attack powered by compromised IoT devices.
Stuxnet’s Attempt to Destroy Nuclear Machinery
While the creators of Stuxnet are not confirmed, extensive study of this highly evasive computer worm has confirmed its purpose – to target centrifuges used in nuclear plants and reprogram them to perform cycles that are damaging to their physical components. Stuxnet provides a cautionary tale that the vulnerabilities of connected machinery can cause issues greater than lost data and disabled software – they can cause serious physical damage to the devices, or even endanger lives.
How a Thermostat Led to a Data Breach
An unnamed casino in Las Vegas had a database of customer data stolen in the most unexpected way possible – through its aquarium’s thermostat. The casino used a Wi-Fi-connected IoT thermostat to monitor and adjust the temperature of the aquarium. As the thermometer was on the same network as its customers’ data, cybercriminals were able to exploit the thermometer’s vulnerabilities to use it as an entry point.
Shifting from Cloud Computing to Fog Computing
Contrary to popular belief, the Internet of Things can function without an external cloud computing provider; however, the advantages of cloud computing must be strongly considered before deciding to shift to a cloudless solution.
Businesses that wish to have total control over their data can leverage their own locally-controlled “fog computing” infrastructure to allow them to process and transmit their IoT data without sharing it with an external cloud computing provider.
Fog computing is a decentralised computing infrastructure that transmits data from IoT devices to a gateway on the local area network (LAN) that handles the transmission of the data to the appropriate processing hardware – the use of local hardware for this data processing is often called “edge computing”. While fog computing and edge computing offer a suite of advantages, including reduced latency and greater control of how data is shared and transmitted, they are not without their vulnerabilities.
Businesses that leverage fog computing and edge computing to store and transmit their data are the sole providers of the physical, procedural, and technical cybersecurity measures needed to protect the data they collect, which is no small task.
Leading cloud computing providers are heavily invested in implementing and maintaining leading cybersecurity measures to protect the data they store, transmit, and process as their entire business model is reliant on their reliability and security. Businesses that simply want to use IoT devices as an upgrade to their usual operations may not reasonably be able to maintain a similar level of security as cloud computing providers, leading to greater cybersecurity risks if their use of fog computing is not performed with equally robust cybersecurity measures.
How to Use IoT Devices Safely
While not without their risks, IoT devices do present an unprecedented opportunity for advancements in data collection and transmission that can lead to incredible gains in capabilities and efficiency. To use IoT devices safely, there are key security measures that can be implemented.
Encrypt Sensitive Data
While the process of encrypting data before it is sent for processing to the cloud computing provider can cause delays in data transmission, it is an important step for sensitive data. Companies that transmit sensitive data (such as medical data) from an IoT device to the cloud need to take the sensitivity of that data seriously; however, more innocuous data can be left unencrypted.
Use Unique Passwords
As seen with the Mirai botnet DDoS attack, one of the methods used to exploit IoT devices is software that attempts to gain entry using the known factory-default passwords set by the manufacturer of the IoT device.
In addition to changing the factory-default password to a unique password, the IoT devices that are used must be manufactured so that they cannot be reset to the factory-default password, as the ability to reset to a default password could provide cybercriminals with an added vector for attacks.
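The following inventory audit is an added example, not part of the original article: it flags devices still using factory-default credentials, devices whose reset restores the default password, and devices sharing a password. The device models, default values, inventory fields and the `audit_credentials` helper are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed factory defaults per model (hypothetical models and values).
FACTORY_DEFAULTS = {
    "cam-x1": ("admin", "factory-cam-x1"),
    "thermo-t2": ("root", "factory-thermo-t2"),
}

# Constructed inventory export. A real export would hold keyed digests
# instead of plaintext passwords; the comparisons work the same way.
INVENTORY = [
    {"id": "lobby-cam", "model": "cam-x1", "user": "admin",
     "password": "factory-cam-x1", "reset_restores_default": True},
    {"id": "dock-cam", "model": "cam-x1", "user": "admin",
     "password": "Vq7#site-2291", "reset_restores_default": True},
    {"id": "tank-thermo", "model": "thermo-t2", "user": "root",
     "password": "Vq7#site-2291", "reset_restores_default": False},
    {"id": "hvac-1", "model": "thermo-t2", "user": "ops",
     "password": "m8!Hvac-unique", "reset_restores_default": False},
]

def audit_credentials(inventory, defaults=FACTORY_DEFAULTS):
    """Return {device_id: [findings]} for devices that break the rules above."""
    findings = defaultdict(list)
    by_password = defaultdict(list)
    for dev in inventory:
        # Rule 1: the factory-default login must have been replaced.
        if defaults.get(dev["model"]) == (dev["user"], dev["password"]):
            findings[dev["id"]].append("factory-default credentials in use")
        # Rule 2: a reset must not bring the default password back.
        if dev.get("reset_restores_default"):
            findings[dev["id"]].append("reset restores factory-default password")
        by_password[dev["password"]].append(dev["id"])
    # Rule 3: passwords must be unique per device.
    for ids in by_password.values():
        if len(ids) > 1:
            for dev_id in ids:
                others = ", ".join(i for i in ids if i != dev_id)
                findings[dev_id].append("password shared with " + others)
    return dict(findings)

if __name__ == "__main__":
    for dev_id, issues in audit_credentials(INVENTORY).items():
        print(dev_id, "->", "; ".join(issues))
```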
Use a Separate Network for IoT Devices
For businesses that are controllers of sensitive data, that data must be held on a network that is separate from your IoT devices. Due to the relative immaturity of IoT device security, keeping them on a separate network reduces the possibility that they can be used as a point of entry to the main network.
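A segmentation check for the separation described above, as an added example that is not part of the original article: it reports IoT devices addressed inside the sensitive-data network and firewall allow rules that let the IoT network reach it. The subnets, device names and simplified first-match rule format are assumptions constructed for illustration.

```python
import ipaddress

IOT_NET = ipaddress.ip_network("10.20.0.0/24")   # assumed IoT network
DATA_NET = ipaddress.ip_network("10.10.0.0/24")  # assumed sensitive-data network

# Constructed IoT inventory: device name -> assigned address.
IOT_DEVICES = {"lobby-cam": "10.20.0.11", "tank-thermo": "10.10.0.57"}

# Constructed rule set in a simplified format, evaluated top-down (first match wins).
RULES = [
    {"name": "thermo-telemetry", "src": "10.20.0.0/24", "dst": "10.10.0.5/32", "action": "allow"},
    {"name": "iot-any-out", "src": "10.20.0.0/24", "dst": "0.0.0.0/0", "action": "allow"},
    {"name": "block-iot-to-data", "src": "10.20.0.0/24", "dst": "10.10.0.0/24", "action": "deny"},
    {"name": "late-allow", "src": "10.20.0.11/32", "dst": "10.10.0.0/24", "action": "allow"},
]

def misplaced_devices(devices):
    """IoT devices whose address sits inside the sensitive-data network."""
    return sorted(name for name, ip in devices.items()
                  if ipaddress.ip_address(ip) in DATA_NET)

def rules_opening_data_net(rules):
    """Allow rules that let some IoT address reach some sensitive-data address."""
    flagged = []
    for rule in rules:
        src = ipaddress.ip_network(rule["src"])
        dst = ipaddress.ip_network(rule["dst"])
        if rule["action"] == "deny" and IOT_NET.subnet_of(src) and DATA_NET.subnet_of(dst):
            break  # a full IoT->data deny shadows every later rule for this path
        if rule["action"] == "allow" and src.overlaps(IOT_NET) and dst.overlaps(DATA_NET):
            flagged.append(rule["name"])
    return flagged

if __name__ == "__main__":
    print("IoT devices on the data network:", misplaced_devices(IOT_DEVICES))
    print("Rules that bridge the networks:", rules_opening_data_net(RULES))
```

In the constructed rule set the deny rule sits below two allows, so it never takes effect for those flows; the "any destination" rule is flagged because `0.0.0.0/0` silently includes the data network.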
Choose Your IoT Cloud & Device Providers Wisely
Businesses that opt to take advantage of the power of cloud computing for their IoT devices need to carefully choose an IoT cloud platform provider that they can trust to secure the data they store and process on its systems. They will also need to choose IoT products that are manufactured with cybersecurity as a significant concern.
When deciding on IoT device providers for your needs, consider the following:
- Does the device manufacturer provide a public point of contact for cybersecurity vulnerability reports? Do they have a history of taking these reports seriously?
- How long will the device manufacturer provide security updates for their products?
- Does the device manufacturer prioritise cybersecurity as a part of its production mandate?
IoT cloud service provider (CSP) cybersecurity considerations:
- Does the CSP have a history of taking cybersecurity seriously?
- What cybersecurity measures has the CSP taken to protect data?
- Can the CSP offer encryption and other security measures at scale as the IoT infrastructure grows?
The above list is far from comprehensive and each business use-case will have unique cybersecurity considerations. As IoT technologies continue to contribute to rapid growth, businesses looking to take advantage of the evolving insights and features provided by them will need to prioritise cybersecurity first and continue to research and implement the best possible solutions for their needs.