Internet of Things (IoT) Risks: A Cyber Security Danger Zone?

The Internet of Things (IoT) is revolutionising the way we work. The surface hype about consumer smart speakers and smart fridges is just the tip of the iceberg; IoT devices unlock a wealth of possibilities for business, achieving ground-breaking cost-efficiency, safety compliance, and customer satisfaction.

However, there is a risk that businesses see these benefits and jump in feet first without considering the cybersecurity implications – of which there are many. So, let’s explore.

How Businesses Use the Internet of Things

Before we look at the dangers, we need to understand how the Internet of Things is changing the way we work.

Part of IoT’s growth has come from its sheer versatility. Because it isn’t reliant on any particular kind of function or technology (apart from internet/network connectivity), the label can be applied to a wide range of devices.

Here are a few common ways that businesses use IoT:

• Buildings Management/Automation Systems – These are internet-enabled systems which are designed to control and/or monitor physical premises. Depending on the system, they can monitor/control heating, air conditioning, ventilation, security, physical access, lifts, plumbing, PA systems, lighting, and electricity supply.
• Industrial Control Systems – These systems are designed to monitor and control processes within manufacturing, heavy industry, and infrastructure. This can include the monitoring and control of industrial assembly line sensors, cutters, conveyor belts, and industrial robotics. This forms the backbone of a particularly thriving subgroup of IoT called IIoT (Industrial Internet of Things).
• Vehicle Monitoring/Tracking Systems – These systems help to manage fleets of vehicles and keep physical logistics as efficient as possible. GPS-enabled IoT can identify the shortest, least congested, most fuel-efficient routes, enabling savings on fuel, time, and vehicle wear and tear. Internet-enabled sensors can also provide real-time information about load weights, driving habits, and on-board vehicle diagnostics.
• Maintenance, Repair, and Overhaul (MRO) – These systems are used by aerospace, rail, and other instances of heavy industry to identify and track components for asset management and maintenance purposes. By automatically gathering diagnostic information about individual parts, these organisations can increase safety whilst minimising costly human oversight.

The Benefits of Using IoT

Looking at the practical applications of IoT, it’s easy to see how they’re beneficial. Boiling it down, there are three main reasons why companies decide to adopt IoT systems:

Monitoring

The Internet of Things systems offer a remarkable amount of real-time visibility into areas where previously a trained human operative would have had to carry out manual checks.

This automated visibility can identify maintenance and safety issues early, allowing for smooth operations and minimal downtime.

Efficiency

By automating essential buildings management, industrial, and monitoring systems, businesses can increase speed, accuracy, and efficiency – most of which also come with some kind of cost saving element.

These added efficiencies can also increase a business’s competitiveness within the market.

Minimising Errors

Humans occasionally make mistakes, get tired, or just have “off days”. Automation reduces the need for human input, and therefore reduces the chances of human error

The Worrying Cybersecurity Implications of IoT

It should go without saying that IoT technologies provide numerous commercial advantages and opportunities. However, often companies get so excited about the positives that they sometimes ignore the negatives.

And when it comes to cybersecurity, there are some quite hefty negatives to consider. Here are the main Internet of Things Security risks:

Poorly Secured IoT Can Provide Backdoor Access to Your Network

IoT systems can be very difficult to secure from a cyber standpoint. The software that individual devices use is often optimised to be as lean as possible – only using the bare minimum code needed for the device to do its thing. In one way, this makes the device incredibly efficient but from a cybersecurity standpoint, it’s tempting fate.

Because the software is often so “bare bones”, there’s no way to apply “normal” endpoint security protections like antimalware controls. This makes IoT devices particularly vulnerable to hacking attempts as they’re often an under-defended way into a network.

Once in your network, a hacker can cause all kinds of havoc: spreading malware, performing recon for a future attack, overloading valuable assets, and even tinkering with mission-critical systems.

Example:
In accessing a poorly defended Industrial Control System, a hacker could potentially access a networked supplier ordering system.

They could order a lorry-load of materials with a short use-by date, costing the company significantly, inconveniencing their warehouse, and leaving them with quickly degrading, unusable assets.

IoT Devices Can Suffer DoS or “Flooding” Attacks

One common kind of online attack is called a DoS or Denial of Service attack. It works by flooding a particular networked/online asset with requests, overloading it and slowing it to a crawl, meaning that legitimate requests can’t get through or become infuriatingly slow.

These kinds of attacks can be thrown at anything with an IP address: websites, servers, cloud storage repositories, and even IoT devices. Rendering an IoT device inaccessible by overloading it comes with a number of very real dangers.

Web Application Firewalls can limit these attacks on networks.

Example:
Imagine a heavily populated building in a particularly hot or cold climate.

A cybercriminal could overload their buildings management system, rendering it unable to control the building’s internal climate and leave some of the building’s longer-term inhabitants quite unwell.

In a business environment, this could also slow productivity to a crawl and cause irreversible downtime. The criminal could use this attack to hold the building’s management to ransom, only handing back control when management pay up.

IoT Malware Is a Thing – And It’s a Growing Threat

Even though the software that IoT devices run is usually quite lightweight, that doesn’t mean that it’s invulnerable to malware threats of its own. In fact, according to SonicWall’s Mid-2020 Cyber Threat Report, global IoT malware attacks are up 50% – Q1 of 2020 saw more IoT malware attacks than Q1 in 2018 and 2019 combined.

But what does IoT malware do exactly? One of the more common kinds “recruits” IoT devices into a hacker-controlled botnet – a network of internet-connected devices that a cybercriminal uses to carry out a number of nefarious ends.

Botnets are commonly used to carry out DDoS (Distributed Denial of Service) attacks. These are DoS attacks at scale, with numerous devices across the globe hijacked into sending phony requests to a target device. The hacker in control can obtain a scary amount of information about “recruited” devices and their networks. Botnets can also be used to send spam emails and steal valuable data.

Aside from botnets, IoT malware can also scan a network for weak points, carry out recon, or force access to other IoT systems.

Third-Party Access May Not Be as Secure as You Think

IoT manufacturers often require some kind of “backdoor” access to the IoT devices they supply so they can monitor performance, automatically carry out maintenance, and obtain usage analytics. This makes sense as it helps to keep everything running smoothly for you as their customer, and they can continue to be a proactive and supportive supplier.

However, it’s worth noting that different providers have different priorities when it comes to cybersecurity. If the connection between your network and theirs is poorly defended, then that could pose a significant cybersecurity risk for the both of you, potentially leaving the door open for hacking or snooping attempts.

If you have a manufacturer who requests this kind of access, ask them how their connection is secured and how they secure their internal networks to ensure that nothing nasty escapes from their network into yours or vice versa.

Example:
In 2013, US retailer Target suffered a hack that exposed 110 million sets of credit/debit card details.

Hackers used phishing and malware to compromise Target’s HVAC supplier, knowing that they had backdoor access to IoT-controlled HVAC units on Target’s network.

Without getting too complicated, it was simply a case of leapfrogging over from the supplier’s network to Target’s, making their way through to Target’s point of sale systems, and the rest is history.

Industrial Espionage and Sabotage Possibilities

Consider the possibilities if a hacker accessed an industrial manufacturer’s ICS or SCADA systems. Firstly, they could simply steal the instructions sent to robotic arms, cutters, and actuators, effectively stealing the company’s intellectual property.

Secondly, they could make slight, yet damaging, changes to the instructions that the machinery follows, making the resulting products faulty, dangerous, or generally not fit for purpose. This will damage the company’s reputation, and could lead to injury or even death.

Alternatively, if the company is responsible for manufacturing or maintaining crucial national infrastructure assets, an independent hacker or foreign actor could steal plans or tamper with critical components, potentially causing widespread destruction and strife.

Should I Avoid IoT Technologies?

So, are we saying that companies should avoid IoT?

No – IoT devices provide incredible convenience, cost savings, and efficiency. But even though IoT can save companies a lot of time and money, a cyberattack could wither those financial and manpower savings in one fell swoop.

In order to sensibly make the most of IoT, you need to implement robust security controls to keep you safe from some of the threats we’ve discussed.

How To Keep Your IoT Devices Secure

• Always apply software and firmware updates as soon as you are prompted to do so. If you aren’t prompted to do so, regularly check in with your manufacturer to make sure you’re running the latest versions.
• Always change passwords from the pre-loaded defaults. If possible, implement some kind of Multi-Factor Authentication security to any IoT-related logins too.
• We recommend upgrading to a new firewall every 5 years without fail, as well as exploring other network defences like Advanced Threat Protection, Intrusion Prevention Systems, Deep Packet Inspection, Network Monitoring, and Sandboxing.
• Never directly connect IoT devices to the open internet – always connect them “behind” your firewall and other defences in order to keep them protected.
• If possible, reboot your IoT devices every so often, especially if they’re behaving oddly. In certain circumstances, this can clear the cache of any malicious code and have you up and running normally again.
• Keep an exhaustive inventory of all IoT assets and check in with them periodically – how are they acting today? Has anyone reported any strange behaviour from them?
• Encrypt all IoT traffic where possible, especially if it’s interacting with the open internet.
• Regularly work with a cybersecurity company to perform penetration tests on your systems, paying close attention to ways they can exploit Internet of Things connections.

A network is only as safe as its weakest link. Are you concerned that your weakest link could be your Internet of Things devices? Give Just Firewalls a call and claim your free, no obligation network security health check!

There’s never any pressure to buy anything, you just need basic knowledge of your network, up to an hour of time, and an open mind. It’s our aim to pair companies like yours with the best IT security for their needs (whether we end up working together or not!) so get in touch today on 0808 1644414