This guest blog was contributed by Bud Broomhead, the CEO of Viakoo, a leader in IoT device remediation.
When asked why he robbed banks, infamous 1930s bank robber Willie Sutton simply replied, “Because that’s where the money is.” Likewise, hackers have found that IoT is a wide-open door. As connected devices have grown to be parts of our everyday lives, cyberattacks and data breaches have increased in tandem at an accelerating cadence. This is no coincidence: these devices’ value to malicious actors is tied directly to the degree of trust placed in them, either by consumers or by organizations.
In 2022, organizations will need to devote significantly more attention to their IoT attack surface, as malicious actors have done already. Here’s what we see as the major threats facing enterprise IoT going into next year, and how to prepare your organization to defend against them.
#1: Increased adoption of zero-trust model for IoT
Because the number of unmanaged and IoT devices is typically ten or more times that of traditional IT systems, manual methods are out of consideration on grounds of both time and cost. In one study of 8,800 IoT devices requiring only firmware updates, it was shown that 86 technicians would have to work full-time simply to keep firmware updated; other similarly sized teams would have to be put in place to handle certificate and password management on top of that. Needing 258 full-time people to keep over eight thousand devices secure is practically beyond the reach of most organizations, making automation the only viable approach.
#2: Critical infrastructure will continue to see more attacks from organized cybercrime groups
In particular, the growth of IoT devices across all types of organizations has made these devices attractive for black hat hackers to breach organizations, steal data, plant malware, extort ransoms, and more recently inflict physical damage. An unpatched cyber vulnerability in a Citrix VPN appliance led to a ransomware attack that shut down a German hospital in September 2021, causing the death of a patient. In the past year in the U.S., we’ve seen water treatment plants have dangerous levels of chemicals released, oil pipelines shut down, and manufacturing plants of various kinds under the control of cyber criminals. Also in the past year, we’ve seen older forms of cyber attacks (such as man-in-the-middle attacks) come back to specifically target IoT devices, because the defenses against them for IT and mobile devices do not apply to IoT devices.
To put it bluntly, most organizations deploy IoT devices with a “set it and forget it” mentality. While that can be viewed as a positive in some ways, it is the worst possible situation for managing cyber vulnerabilities. No wonder cyber criminals are focusing more on using IoT devices for planting ransomware and breaching corporate networks – it’s the easy route.
A good starting point is to assess your ability to perform what I like to call the “Cyber Hygiene Trifecta”: having all devices on the most secure version of firmware, using certificates on all devices to ensure their identity and encrypt traffic between them, and enforcing password policies to prevent unauthorized access. These three practices remediate vulnerabilities that cyber criminals use to deliver ransomware and other cyber threats.
#3: Emerging legislation for IoT device compliance will take priority
IoT legislation will take two forms: mandates to take action on urgent threats, and requirements for cybersecurity in order to do business with the U.S. government. The number of known threats that can be exploited is in the thousands, many of which can have public safety impacts (e.g. cyber tampering with public water supplies). These types of threats will continue to be a focus for legislation, with mandates to have specific systems patched and remediated. Longer term, to prevent new threats from being exploited there will be legislation to foster best practices on cyber hygiene of IoT/OT/ICS devices and systems.
Will the legislation being considered significantly impact the functionality of IoT devices that are currently in use? No, especially since the functionality of many of these devices is mission-critical to their organizations. The focus of legislation therefore will be to remediate vulnerabilities while maintaining the functionality of the devices.
Key impacts will be a focus on automation, having data to support audit/compliance, and treating IoT devices as equal to IT when it comes to cyber hygiene. While this may result in additional spend on solutions, it may not require significant additions to personnel, depending on how automated the solutions for IoT cyber vulnerability remediation are.
To realize the promise of these exciting new technologies, which have already made our lives easier, made business more efficient, and spurred a wave of innovation, that trust has to be validated by implementing strong cybersecurity protections on IoT environments. As IoT environments emerge as the focus for more and more attacks, businesses must be proactive about securing that long-neglected attack surface.
About the Author
Bud Broomhead is the CEO of Viakoo, a leader in IoT device remediation. He is a serial entrepreneur who has led successful software and storage companies for more than two decades. He has experience delivering computational and storage platforms to the physical security space for over seven years, with an emphasis on infrastructure solutions for video surveillance.