Since Kevin Ashton coined the term "Internet of Things" in 1999, interest in the topic has steadily grown. But it's most noticeably grown over the last few years, as more and more devices become Internet connected, and the buzzword factor continues to amplify curiosity.
Another buzzword: The Internet of Everything.
Internet of Things vs. Internet of Everything
To keep it simple, think of the Internet of Everything (IoE) as having a much broader scope. The Internet of Things (IoT) refers to the actual Internet-connected devices themselves and their particular connections, whereas the IoE involves not only the things, but also their connections, the data streams passing between them, the people using the data or the connections ... all of it.
Software provider CloudRail explains the difference, "In some ways, you can see the Internet of Things as the equivalent of a railroad line, including the tracks and the connections, whereas the Internet of Everything is all of that, and the trains, ticket machines, staff, customers, weather conditions, etc."
If you are to understand how the IoT and IoE might affect your business's risk and performance, you must understand that you don't connect to the IoT or IoE as if it's a separate internet network, explains Twinstate's Red Team Manager Jennifer Allen.
"The internet is the internet," Allen says. "But these are buzzwords indicating interconnected and automated components that present a whole new stratosphere of functionality, complexity and risk."
Says Allen, "Explicitly, it (the IoT and IoE) is on the same Internet, and that’s why this is important. Because all of these items — these sensors, smart devices — are items that are interconnected that aren’t what we typically consider consumers of the Internet." But now, they have become so.
And that newness, that sort of Wild West approach to connectivity, presents risk for your organization.
Business Implications of IoT
To really nail down how these ideas affect your business, consider that the IoT means the advent of an additional layer of non-human Internet users, such as smart refrigerators and WiFi-enabled coffee makers.
With that additional layer comes the potential for impact.
First, any of these devices can break. Each new device adds a new point of failure; complexity increases risk.
Second, the attack surface is a huge X factor that increases your risk of a security failure, explains Allen. We simply don't have a conceptual image available for the millions of devices, connections, data and humans that make up the IoE.
Consider that until just recently, three to five major manufacturers produced operating systems, and would roll out the necessary patches on given dates to protect your systems. When we introduce smart devices to the mix, we're now looking at thousands and thousands of non-standardized operating systems and APIs, which means predicting security risk is exponentially more difficult. In the past, you could trust your OS provider to address issues. Today, that's no longer the case. You might have 20 to 50 device vendors who are all outsourcing to other vendors, making every smart device you bring into your business, essentially, a black box.
"The advent of easily accessible and increasingly cheaper components means everyone is making their own smart devices. It’s become completely unpredictable," says Allen. "The fact that all of these devices might provide direct access to the internal network is a giant problem for the cybersecurity community to lasso."
How do you do due diligence on these vendors, many of whom might not see their device as a potential security concern? How can you plan for maintenance, response time or good cybersecurity hygiene?
Three Business Benefits of IoT Sensors
1. Added efficiency and added complexity
One important thing to keep in mind about IoT devices is that they often come with added efficiencies. That not only applies to the device itself, but potentially also to your home or business network.
Usually, an IoT device you'd use for business serves a function that improves the performance or the feature set of a prior technology, explains Allen. But that added layer of efficiency can also come with an added layer of complexity. An embedded IoT device can be difficult to integrate with your existing security infrastructure, which means there is more responsibility on your end to do your homework.
There isn't any current regulatory compliance standard for the IoT or IoT devices. With the diversity of devices and the lack of compliance regulations, the onus is on you, not the vendor or manufacturer, to make the right decisions about what to integrate and how. Allen notes that regulation will likely soon begin to take shape in high-risk industries, such as automotive, government, financial and health care. If you're not in one of those industries, and are just a person who wants a Bluetooth-connected toy for your kid, what do you do?
2. Consumer demand will create standards, later
"The real long-term pain of the IoT exists in end consumer and home devices," says Allen. "Those tend to be designed in the least expensive way possible. They're lower risk in and of themselves, based on functionality."
That means that people likely don't think about the other risks these devices can carry, such as entry to their home network, or the ability to begin to use that network as part of a botnet.
"Most consumers don't know how to pressure vendors for better manufacturing standards," Allen says. "So those high-risk industries will change over to regulated soon, but the seemingly lower risk ones are bent on consumer pressure. That could take a while."
3. In business, balance and risk assessment are priorities
"Organizations need to recognize that smart devices are the future of any market," says Allen.
They'll add functionality and automation, and you, as a leader, should embrace that idea in order to maintain a competitive stance in your industry. A competitive posture requires the latest and greatest tech on your side. On the other hand, though, you need to know not to trust manufacturers to create secure technologies.
It's up to you to educate yourself on the basics of the tech and on changes in IoT device regulations. That way, when you make decisions about integrating smart tech with your day-to-day products and services, that decision can come from the top. Leadership will need to know this transition is necessary, even with all of the risks that come with unpredictability.
A top-down approach demands that you understand consequences and benefits from a process standpoint. How can integration help your business? How can interruption impact your bottom line? If the executives of your company devote themselves to grasping the full implications of every device that enters the organization, the transition to IoT sensor use will be much more successful.
Internet of Things Security: A New Frontier
We're going to discuss some of the major challenges presented by individual internet-connected devices, so that you can help your business avoid the risks presented by these challenges.
1. Default Accounts
One huge problem found in some internet-connected devices is the presence of hardcoded passwords. Cisco's 2014 discovery of such credentials in Trane ComfortLink thermostats struck fear in the hearts of security gurus everywhere. After all, a hardcoded credential is the same on every unit shipped and the owner cannot change it, so if it can be used to log into the device over SSH, any competent attacker who learns it can gain network access through a random, seemingly innocuous device, whether that is a thermostat or a refrigerator.
2. Manufacturer backdoors
A backdoor into your network is a security nightmare. If your enterprise IT network is connected to your IoT devices, you've got a serious challenge on your hands.
A backdoor is a method, usually but not always secret, of bypassing authentication to obtain unauthorized remote access to a device or network. Products that connect to the internet are sometimes released with such access paths in place for manufacturer support, and any attacker who discovers one inherits the same access. The challenge you face is ensuring these are never exploited in a way that compromises your data or network, which requires strict monitoring and immediate remediation.
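To make the first two challenges concrete, here is a check you can run on a device's firmware before it ever reaches your network. This is an added example written for this article, not Twinstate code or any vendor's tool. It assumes the firmware filesystem has already been extracted into a directory (tools such as binwalk do this) and walks it for the shapes described above: accounts whose password hash ships inside the image (a hardcoded credential), extra uid-0 accounts (a common backdoor shape), and credential-looking key/value lines in configuration files. The sample tree it builds is constructed for illustration; the regex and file-suffix lists are assumptions, not an exhaustive taxonomy.

```python
"""Scan an extracted firmware root for hardcoded accounts and credentials.

Added example for this article (not Twinstate code or a vendor tool). It
assumes the firmware filesystem has already been extracted into a directory;
the sample tree built by build_sample_root() is constructed for illustration.
"""
import os
import re
import tempfile

# Password-field values that mean "no usable password" on common Unix-likes.
LOCKED = {"", "*", "!", "!!", "x"}

# Config-file keys that commonly carry an embedded secret (assumed list).
CRED_PATTERN = re.compile(r"(?i)^\s*(passwd|password|pass|secret|api_key|token)\s*[=:]\s*\S+")
CONFIG_SUFFIXES = (".conf", ".cfg", ".ini", ".json", ".xml", ".sh")


def scan_passwd(text):
    """Findings from an /etc/passwd body: hashes kept in passwd itself, extra uid-0 users."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 7:
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if pw not in LOCKED:
            # A hash baked into the image is a credential every shipped unit shares.
            findings.append(("hash-in-passwd", user))
        if uid == "0" and user != "root":
            # A second uid-0 account is the classic vendor backdoor shape.
            findings.append(("extra-uid0", user))
    return findings


def scan_shadow(text):
    """Findings from an /etc/shadow body: any account with a real hash."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 2:
            continue
        if fields[1] not in LOCKED:
            findings.append(("hash-in-shadow", fields[0]))
    return findings


def scan_config_strings(text, relpath):
    """Findings for credential-looking key=value lines in a config file."""
    findings = []
    for line in text.splitlines():
        m = CRED_PATTERN.match(line)
        if m:
            findings.append(("credential-string", f"{relpath}:{m.group(1)}"))
    return findings


def scan_firmware_root(root):
    """Walk an extracted firmware tree and return sorted (kind, detail) findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                # Binaries are read as text with replacement; good enough for a first pass.
                with open(path, errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            if rel == "etc/passwd":
                findings += scan_passwd(text)
            elif rel == "etc/shadow":
                findings += scan_shadow(text)
            elif name.endswith(CONFIG_SUFFIXES):
                findings += scan_config_strings(text, rel)
    return sorted(findings)


def _write(root, rel, content):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(content)


def build_sample_root():
    """Constructed sample firmware tree (not a real device image)."""
    root = tempfile.mkdtemp(prefix="fw_")
    _write(root, "etc/passwd",
           "root:x:0:0:root:/root:/bin/sh\n"
           "service:$1$abcd$0123456789abcdef:0:0:vendor:/:/bin/sh\n"
           "nobody:x:99:99:nobody:/:/bin/false\n")
    _write(root, "etc/shadow",
           "root:$1$saltsalt$0123456789abcdef:17000:0:99999:7:::\n"
           "nobody:*:17000:0:99999:7:::\n")
    _write(root, "etc/cloud.conf",
           "# uplink settings\nserver=api.example.invalid\napi_key=ABCDEF123456\n")
    return root


if __name__ == "__main__":
    for kind, detail in scan_firmware_root(build_sample_root()):
        print(kind, detail)
```

Run it as a script and it prints its findings on the sample tree; point `scan_firmware_root()` at a real extracted image instead. A hit is not proof of a backdoor, but it is exactly the question to put to the vendor before purchase: who holds that credential, does every unit share it, and can you rotate it yourself?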
3. Poor encryption standards
Oftentimes, an IoT device manufactured by a company without encryption expertise stores or transmits data in cleartext. (Unacceptable!) Further, the effort it takes to establish or maintain your own encryption standards around such devices can become a challenge in itself, says Allen.
4. Lack of vendor standards
In general, whether basic standards are met (passwords stored as hashes rather than in the clear, no hardcoded accounts, and so on) is left to the vendor's discretion. What if a vendor doesn't protect configuration settings properly, or has no process for patching or updates? That's a challenge you'll have to overcome upon purchase and installation, which is less than ideal: you don't want to introduce an already vulnerable device to your network.
5. Lack of control
Probably the most obvious and frustrating security challenge presented by internet-connected devices is that you likely don't have control over configurations, patching, updates, settings, etc.
As Paul Ionescu writes for Security Intelligence, "Many embedded devices are designed for networks that are completely isolated from the outside world, and therefore, authorization controls for these systems are often very lax, if they exist at all. The administrative Web interfaces for these systems aren’t expected to sustain the type of attacks you’d see on a publicly facing website. In many cases, they aren’t even protected by basic security controls and devices."
And that means that you and your team won't have control, either. You won't be able to install updates or account for patches, and you won't be able to accurately detect compromise without better access to controls.
6. Understanding functionality
Consider the structure of a typical homeware company. Developers are likely separate from engineers, who are separate from marketers. If you're choosing IoT devices, you might speak to a vendor representative who isn't aware of the limits (or lack thereof) of the device's functionality.
But you need to understand capabilities, and all the types of communication the device will bring into your environment, before you let anything touch your network. And it's not just user-facing functionality you need to worry about, but all underlying communication functionality.
"How do people interact with the device and what features can a user access?" asks Allen. "Does it broadcast a signal? What if someone can walk up to a device, push a button, and interact with another device hosted outside the building? That's something you need to know."
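The questions Allen asks here, along with the cleartext concern raised under challenge 3 and the detection gap described under challenge 5, can be answered with a measurement rather than a conversation: put the device on a quarantine segment, record everything it talks to, and only then decide what to allow. The script below is an added example for this article, not Twinstate code. It works on constructed flow records in a NetFlow-like shape (device, peer, protocol, port, direction); the LAN range, the addresses and the list of cleartext ports are assumptions for illustration. It profiles one device, flags cleartext services, inbound listeners and lateral traffic to other LAN hosts, turns the clean part of the baseline into explicit allow rules with a default deny, and then uses that baseline to spot a later flow that deviates from it, which is the compromise signal you otherwise lack when you have no control over the device itself.

```python
"""Baseline what an IoT device talks to before letting it stay on the network.

Added example for this article (not Twinstate code). FLOWS, LAN, DNS_SERVER and
the cleartext port table are constructed assumptions; in practice the flows
come from a firewall export or a capture taken on a quarantine VLAN.
"""
from ipaddress import ip_address, ip_network

# Ports whose default protocols carry data or credentials in cleartext (assumed list).
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 161: "snmp", 1883: "mqtt"}

LAN = ip_network("10.0.0.0/8")   # assumed business LAN range
DNS_SERVER = "10.0.0.53"          # assumed internal resolver

# Constructed sample flows: (device, peer, proto, port, direction)
FLOWS = [
    ("10.0.5.20", "203.0.113.10", "tcp", 443, "out"),   # vendor cloud over TLS
    ("10.0.5.20", "203.0.113.10", "tcp", 443, "out"),
    ("10.0.5.20", DNS_SERVER, "udp", 53, "out"),        # name resolution
    ("10.0.5.20", "203.0.113.44", "tcp", 1883, "out"),  # telemetry over plain MQTT
    ("10.0.5.20", "10.0.1.15", "tcp", 23, "in"),        # something telnets into it
    ("10.0.5.20", "10.0.7.8", "tcp", 445, "out"),       # device probes SMB on a LAN host
    ("10.0.5.21", "203.0.113.10", "tcp", 443, "out"),   # a second device, ignored below
]


def profile_device(device, flows):
    """Collect the device's observed peers and the findings a reviewer would raise."""
    profile = {"device": device, "outbound": set(), "inbound": set(),
               "suspect": set(), "findings": set()}
    for dev, peer, proto, port, direction in flows:
        if dev != device:
            continue
        key = (peer, proto, port)
        bucket = profile["outbound"] if direction == "out" else profile["inbound"]
        bucket.add(key)
        if port in CLEARTEXT_PORTS:
            profile["findings"].add(f"cleartext {CLEARTEXT_PORTS[port]} with {peer}")
            profile["suspect"].add(key)
        if direction == "in":
            # Anything reaching the device means it exposes a service of its own.
            profile["findings"].add(f"device listens on {proto}/{port} (seen from {peer})")
            profile["suspect"].add(key)
        elif ip_address(peer) in LAN and peer != DNS_SERVER:
            # A sensor has no business talking to other hosts on your LAN.
            profile["findings"].add(f"lateral traffic to LAN host {peer}:{port}")
            profile["suspect"].add(key)
    profile["findings"] = sorted(profile["findings"])
    return profile


def allowlist_rules(profile):
    """Express the clean part of the baseline as explicit allows plus default deny."""
    rules = []
    for peer, proto, port in sorted(profile["outbound"] - profile["suspect"]):
        rules.append(f"allow {proto} from {profile['device']} to {peer} port {port}")
    # Flagged paths are deliberately not blessed; raise them with the vendor instead.
    rules.append(f"deny all from {profile['device']}")
    rules.append(f"deny all to {profile['device']}")
    return rules


def is_deviation(profile, flow):
    """True when a later flow for this device falls outside the recorded baseline."""
    dev, peer, proto, port, direction = flow
    if dev != profile["device"]:
        return False
    baseline = profile["outbound"] if direction == "out" else profile["inbound"]
    return (peer, proto, port) not in baseline


if __name__ == "__main__":
    p = profile_device("10.0.5.20", FLOWS)
    for f in p["findings"]:
        print("finding:", f)
    for r in allowlist_rules(p):
        print("rule:", r)
    print("deviation:", is_deviation(p, ("10.0.5.20", "198.51.100.9", "tcp", 443, "out")))
```

The point of the rule set is that it is written from what you observed, not from what the sales sheet says the device does; the flagged paths (plain MQTT, a reachable telnet service, SMB probing on your LAN) are precisely the behaviours to take back to the vendor before the device leaves quarantine.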
How Should You Handle IoT Security Challenges?
Aside from banning any device connectivity (which will become even less realistic once your employees are wearing connected clothing), how can you address these challenges?
"It really comes down to smart consumption," says Allen. "Take the time to review the product documentation, and not just the website and sales sheet. Talk to the vendor and try to understand how well they know their own product."
That means that when you shop for devices, you're shopping for more than the device itself. You're shopping for vendors.
"Imagine working with a vendor who never updates products," says Allen. "You need an understanding of the maintenance lifecycle, of how easy the vendor will be to work with if you discover a vulnerability, or whether or not they use a third-party software library."
It turns out that your education is your best line of defense for the security challenges presented by the IoT — as it is with every security challenge.
Internet of Things: Complexity, Risk and Awareness
We've discussed how complexity adds risk, how risk is hard to predict due to near-infinite complexity, and how these truths mean your business will have some major concerns if you don't perform due diligence.
You won't know how to define a maintenance cycle for each device, or how to create the proper resource allocation for that cycle. You won't know what possible physical safety concerns might arise.
Imagine what might happen if your heating system got hacked. At a Black Hat convention, Daniel Buentello, a student security researcher at the University of Central Florida and one of four presenters who talked about hacking the Google Nest, noted the real issue: people can gain access to your home network through such a device. But there's more: what if a truly malicious person had access and wanted to seriously damage your heating systems, or find out when you aren't home — or when you are? What if you bought a connected crockpot, and someone hacked your settings such that your home burned down? It's frightening, but not far out of the realm of possibility.
So what can you do to mitigate the risk of introducing convenient smart devices into your business environment?
You must understand that every device you purchase today might, in fact, have some functionality that allows it to connect to a network. Rather than thinking of the IoT as a separate entity and your new coffee maker purchase as fully removed from the concept, understand that you need to assess every device and its activity. Think about how each purchase might impact your business.
Rather than thinking of the IoE as the ephemeral Internet of Everything, think of it as the data in transit over your network architecture, so that you never lose sight of your business's (already existing) relationship with it and the risk that may present.
Remember that the standards for these concepts are still being developed. The devices we've discussed are often not well-vetted and don't fall into an established structure.
Ultimately, explains Allen, when it comes to the IoT and IoE, you are on the hook.
You need to ensure you and your employees understand the functionality, the vendors backing the technology and the inherent risk presented in order to decide if a device or connection comes into your environment or stays out.
Even if you made a blanket decision to never allow for smart devices, we're willing to bet your employees have mobile phones. Those employees are part of the IoE. And so are you. That means good cybersecurity hygiene is more important than ever.
Originally published on Jun 17, 2020 8:14:37 PM