As the Internet of Things (IoT) continues to change the way organizations capture, analyze, and use data, it’s also exposing new vulnerabilities that cyber criminals have been quick to take advantage of.
With around 29 billion connected devices forecast by 2022—of which around 18 billion will be related to IoT—the “speed and ferocity in which IoT devices are being compromised to deliver malware payloads is alarming,” SonicWall reports in its mid-year update for 2019.
In 2017, SonicWall logged just 10.3 million IoT attacks. Last year, that number skyrocketed 215.7% to 32.7 million. During the first half of 2019, the company recorded 13.5 million IoT attacks, which outpaces the first two quarters of last year by 55%. “If the final six months of 2019 match the surge of 2018,” the company said in its report, “it will be another record year for cybercriminals’ use of IoT malware.”
The Top Risks to Watch
With IoT still in its relative infancy, one problem is that organizations simply don’t understand the exposure risk related to their IoT devices. The number of cyberattacks, data breaches, and overall business disruption caused by unsecured IoT/Industrial Internet of Things (IIoT) devices are increasing because many companies don’t know the depth and breadth of the risk exposures they face when leveraging IoT devices and other emerging technologies, Deloitte and Dragos point out in How Much Do Organizations Understand the Risk Exposure of IoT Devices?
The top risks include:
- The lack of a security and privacy program
- Lack of ownership/governance to drive security and privacy
- Security that’s not incorporated into the design of products and ecosystems
- Insufficient security awareness and training for engineers and architects
- Lack of IoT/IIoT and product security and privacy resources
- Insufficient monitoring of devices and systems to detect security events
- Lack of post-market/ implementation security and privacy risk management
- Lack of visibility of products or not having a full product inventory
- Identifying and treating risks of fielded and legacy products
- Inexperienced/immature incident response processes
“In the digital age, cyber is everywhere. Cyber risk now permeates nearly every aspect of how we live and work,” it adds. “Organizations should better understand how to manage the risks created by the known and unknown IoT and Industrial IoT (IIoT) devices.”
What’s the Solution?
In their report, IBM and Dragos tell organizations to use a “security-by-design” approach (i.e., one where software has been designed from the outset to be secure) to designing and deploying IoT and IIoT products. Focus on understanding the best practices and standards of your peers, they said, and then look to regulatory bodies to inform strategies. Other key strategies include:
- Understanding the current state of product security and develop a cyber strategy. Whether designing connected products or acquiring such products to implement internally, assess how products, including the data they produce, are protected, and develop a cyber strategy to drive improvement.
- Establishing security-by-design practices. Integrate security-by-design into the design of the product itself or into the design of the ecosystem architecture, through requirements, risk assessments, threat modeling, and security testing.
- Setting the tone from the top. Ensure the right people are engaged and have ownership of the process – from leadership to the relevant product security subject matter experts to the product teams.
- Having a dedicated team and providing them with ample resources. Don't expect enterprise security teams to cover missions without adding new resources for them; build a dedicated team that has product-based experience and provide training as needed to increase knowledge.
- Leveraging industry-available resources. Rather than developing and providing unique questionnaires to your device vendors, use publicly available industry resources.
“Security needs to become embedded into the DNA of operational programs to enable organizations to have great products and have peace of mind,” Deloitte’s Sean Peasley points out. “Today all sorts of products are becoming a part of cyber: from ovens to instant cookers, 3D printers to cars. Organizations need to consider what can actually go wrong with what is really out there and look at those challenges as a priority.”