The dark side of business IoT
- Published: Wednesday, 05 April 2017 10:01
The Internet of Things will undoubtedly bring many benefits to businesses but also brings risks which need to be actively managed. Ian Parker explores the issues that IoT presents and what organizations need to do to mitigate the risks.
Imagine a scenario where some malevolent being has gained access to Earth’s secrets and data by controlling all our 50 billion network connected devices. This might be an extreme analogy but it’s a good way to highlight the way in which our increasingly connected world has left us closer yet more vulnerable than ever.
It’s useful to think of your business as a castle with strong perimeter walls, no windows and a single impenetrable gate. Your business’ sensitive information, personnel and data are, in theory, all protected from the dangers of the outside world.
In this context, connecting to the Internet is the same as allowing trusted personnel in and out of the gate with guards validating them as they come and go. With unsecured IoT, the castle is exposed by creating multiple doors all the way around the walls, allowing unrestricted access from the outside. You have now turned your castle into a tourist attraction, potentially allowing anyone in the world to come and enter through multiple entrances.
It’s not all doom and gloom however. By the same token, using Internet connected devices in business safely and correctly will provide considerable advantages to productivity, communication, operation and visibility and this should be harnessed. There are many business devices that could benefit from being connected to networks.
Securing business IoT is simple (if you know the risks and vulnerabilities and can prevent them)
In short, IoT is only as secure as you make it. In today’s market, you cannot rely on manufacturers to produce a network-controlled device with security at the forefront. Unless the IoT device is a security device in itself, the manufacturers will want to make it as cost-effective as possible with a quick production cycle. Security, on the other hand, is time consuming, costs money and is not widely understood.
It is therefore up to the business to ensure these devices are secure and remain accessible by authorised personnel and devices only.
Security alarm bells…
A notable obstacle to security is that some companies that want to use network-controlled devices are not technology aware. Approximately 50 percent of employees think that their IT department (if they have one at all) is not aware of all the company’s connected devices, and around 70 percent perceive their organization as being at risk from a connected device related security issue. It has been predicted that 20 billion connected devices will be in circulation by 2020, so the problem must be addressed and rectified before it gets out of control and risks global security.
Potentially all these devices, if not secured, are open doors for any malicious organizations or individuals to gain access to internal networks or the device itself.
But how can this happen? For a device to be accessed via the Internet, it must have an address that the Internet knows about (a public IP address). If a device is configured with a public IP address it can therefore be seen and accessed by the connected world. Without the device manufacturer securing it, by means of closed ports or source address filtering for example, a would-be hacker could access the device with little effort. In addition, if an employee without technical knowledge has installed the device, it is likely that the security credentials remain the default ones, which a hacker can find with ease in the manufacturer’s online user guide.
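The exposure conditions described above (a public IP address, no closed ports or source address filtering, and default credentials) can be checked against a device inventory. The following is an added example, not part of the original article; the CSV column names and the sample devices are constructed assumptions, and documentation-range addresses stand in for public ones.

```python
import csv
import io
import ipaddress

# Address ranges treated as internal (RFC 1918 and IPv6 unique local).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed inventory; column names are assumptions. 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for public addresses.
SAMPLE_INVENTORY = """\
name,ip,open_ports,allowed_sources,default_credentials
lobby-camera,203.0.113.10,80;554,,yes
hvac-controller,198.51.100.7,443,198.51.100.0/24,no
badge-reader,10.20.0.15,22,,yes
printer-2f,192.168.4.30,,,no
"""

def is_public(ip_text):
    """True when the address lies outside every internal range."""
    addr = ipaddress.ip_address(ip_text)
    return not any(addr.version == net.version and addr in net
                   for net in INTERNAL_NETS)

def audit(inventory_csv):
    """Return {device name: [findings]} for devices matching the exposure conditions."""
    report = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        findings = []
        ports = [p for p in row["open_ports"].split(";") if p]
        sources = [s for s in row["allowed_sources"].split(";") if s]
        if is_public(row["ip"]):
            findings.append("public IP address")
            # Reachable from anywhere: listening ports and no allowlist.
            if ports and not sources:
                findings.append("open ports with no source address filtering: "
                                + ",".join(ports))
        if row["default_credentials"].strip().lower() == "yes":
            findings.append("default credentials still set")
        if findings:
            report[row["name"]] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INVENTORY).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```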
Once the hacker has access to the device, it can be used to attack a targeted company in a DDoS attack, or they may even be able to hack into the internal network devices, leading to full control of your business environment. The outcome of the scenario may depend on where the hacker’s motivation lies; we have seen countless examples of hacktivist attacks, causing disruption or mayhem to a company to prove a point or to bring attention to the company’s inadequate security defences. Or more menacingly, they could be a cyber criminal, part of an organization whose sole purpose is to obtain money via ransom, credit card theft and identity theft.
Businesses must therefore ensure that their deployed network connected devices are protected and only accessed by authorised sources. In addition, as the intensity and growth of the device connected world continues exponentially and uncontrollably, the current version of the Internet Protocol (IPv4) will not be sufficient to sustain the number of devices needed to connect to the Internet natively. It is inevitable that the next generation of the Internet Protocol (IPv6) will be used for these additional connected devices, which in itself integrates a lot of security features that will reduce the risk and vulnerability of the device. However, most non-technical companies in the world don't know what IPv4 is, let alone IPv6.
Consequently, businesses need to ensure that they seek advice and expertise from professionals that are aware of the risks and vulnerabilities as well as the mitigation and prevention methods.
Ian Parker is a professional services consultant with Axians.