The Internet of Things: A Force Multiplier for Cyber-Risk

Unprotected IoT devices represent a grave threat. Here's how you can make sure your company is not at risk.
Published: September 17, 2018

For a long time, the security community has warned about the risks associated with the Internet of Things (IoT). The surprise, as these risks materialize into growing costs and losses, is that it is a surprise. The Mirai Botnet attacks in 2016 represented a global wake-up call, highlighting the reality of insecure Internet-connected hosts and forcing us to re-examine our assumptions about IoT security. This article will provide a practical starting point for businesses to address growing IoT security risks.

Externalities: Not My Problem!
Cybersecurity challenges relating to the IoT can be explained by economic externalities—or, in simple words, “not my problem.” In the case of the Mirai Botnet attacks, the vendors of IoT devices, gateways and routers suffered no adverse consequences when their equipment was exploited, and the owners of the equipment were unaware of their participation in the resulting massive cyber-attacks.

The FBI has attempted to translate awareness into action, with their recent advisories to regularly reboot home routers. As a counter-measure, the Hide ‘N’ Seek botnet can survive device reboots, making it immune to the FBI’s advisory action. Action does, however, need to be taken. Rather than regularly rebooting those devices, maybe it is time for replacement or decommissioning. How many insecure devices serve a forgotten purpose? The fundamental truth remains: many of these devices should not be directly connected to the public Internet.

The Internet of Things: A Force Multiplier for Cyber-Risk
The growth of our modern economies is substantially underpinned by digitization—which, in turn, is underpinned by the expansion of systems vulnerable to cyber-risks. The IoT represents a force-multiplier in digitization—and that’s why it’s a big deal. For that very reason, it also represents a force-multiplier in cyber-risk.

Bugs lead to vulnerabilities, which lead to exploits, since these bugs are in the libraries and operating systems that are both commonly used and mature. So, here are some simple questions to ponder: For any given IoT device, gateway or router, what’s the probability that it has a bug? What’s the probability some of these bugs represent vulnerabilities? What’s the probability that these vulnerabilities are exploitable, now or in the future?

It’s time for a reality check: it is almost certain that any complex system of hardware, firmware, software and distributed applications has bugs, which represent vulnerabilities and could be exploited. Even when regulatory processes and compliance are mandated to mitigate the risks, experience tells us it’s not possible to eliminate such risks. The IoT represents a class of system that’s inherently going to have the potential for vulnerabilities to be exploited.

What makes the current state of IoT security particularly challenging is that the owners of many of the insecure devices have no plans to refresh or replace the devices until they wear out mechanically. That could be decades! So, like it or not, we’ll have to manage the problem of enslaved devices being exploited by script kiddies, cyber-terrorists and cyber-criminals for a very long time.

Devices that have not been designed from the ground up to be secure, now and in the future through secure software updates, shouldn’t be on the public Internet. That leaves a difficult problem, because there are already millions of devices out there and they are currently insecure or will be in the future.

Addressing IoT Security Risks
If you are a business and you have vulnerable devices in the field, what can you do to address this issue?

Start by identifying all your devices and put in place processes to maintain an inventory your business can trust. For each device, establish the value it is adding to your business and first consider decommissioning it. For those devices that remain, have you followed the vendor’s advice in terms of network security? Determine how old the software is, and whether the device is running a version the vendor recommends. Can you upgrade or replace old or insecure devices? This will immediately help you determine which devices are supported by vendors that, from a security perspective, you can trust.

How can you trust the vendor’s device security? For a start, the company should make it easy for you to find out its network security requirements, whether your device is up to date and how to upgrade it securely. If you have insecure devices that you can’t replace or decommission, you will need to manage the risk.

Establish a policy for decommissioning IoT devices and add explicit decommission dates to your inventory. Add network-based security solutions to manage the inherent risk that the devices represent as part of an overall defense-in-depth approach to IoT security.

Another practical consideration for businesses is to recognize that there is a cost to building and running secure systems. Demand security from your IoT suppliers, but be willing to pay for it, too, keeping firmly in mind the underlying business drivers for investing in IoT security: reduce your potential for loss, decrease your people costs and keep your business running.

As I was finalizing this article, James Mickens was delivering his entertaining keynote at the 27th Usenix Security Symposium. Mickens suggests a healthy degree of skepticism—which, applied to connecting stuff to the Internet, he summarizes entertainingly as:

In three words: think before you deploy. In two words: think first. In one word: don’t.

Tom Maher, the CTO and co-founder of Asavie, is the technical visionary behind Asavie and oversees the development team responsible for delivering the Asavie PassBridge platform. Tom has a long engineering career, delivering data/telecommunication and security products on time and in-budget for industry leaders such as Baltimore Technologies, AT&T Network Systems/Lucent, Eicon Technology and AEP Systems. Tom has computer science qualifications from Trinity College and Dublin City University, and an MBA from the Michael Smurfit Graduate School of Business, UCD, in 2000. When not sitting in front of his screen, Tom can be found spinning on his specialized road bike around the hills of Dublin and Wicklow.