Organizations are failing to factor IoT risks into business continuity plans
- Published: Tuesday, 30 January 2018 09:25
New data from Databarracks shows that only 27 percent of organizations have policies in place to protect against IoT threats. Organizations must address this gap in their business continuity planning or face an increase in disruptions from this source, says the company.
Peter Groucutt, managing director of Databarracks stated: “The IoT device market is still relatively immature and somewhat of a wild-west. According to industry experts, by 2020 there will be over 50 billion connected devices. Understandably, manufacturers are racing to capitalise on the opportunity, but unfortunately, many are doing so at the expense of basic security measures.
“Organizations need to be aware of these risks, even if they don’t use any IoT devices – the growing number of connected devices globally means there is an increased risk of DDoS attacks through IoT botnets – but our data suggests firms are ignoring these threats. Research from our annual Data Health Check survey revealed that only 13 per cent of businesses saw IoT threats as a major concern. Additionally, just over a quarter of organizations (27 per cent) had set policies in place designed to protect against IoT threats.”
Groucutt states that for organizations incorporating IoT devices into their IT infrastructure, there are several considerations:
“Firstly, organizations should not rely on existing policies for evaluating the security of devices, but should develop new policies for IoT devices. Questions to consider are: what protocol does the device use? Can the IoT network be isolated from our other systems? Is it connecting directly back to the data centre or to a hub – either in the cloud (hosted externally) or to an edge server that you manage? How do we log in and authenticate? Can we integrate with our existing authentication products? And finally, what OS is used, and do we have competency with it?
“Secondly, when factoring IoT into your continuity planning, you must define the risks and put in place the necessary controls to minimise them. A plan should be in place to deal with any disruptions.
Groucutt explains: “In practice, if a sensor governing a process on a production line is faulty, or worse, hacked, it will need to be removed from the network, while you fix the problem. Depending on the function of that sensor, the lesser impact might mean that you lose some monitoring data for a period, but not necessarily halt operations on that production line. If the sensor, however, is responsible for a more critical process, operations will be hit and contingencies will need to be in place to continue. In this instance, speed of resolution is vital to minimise the financial impact of any downtime.
“The unique challenge of IoT continuity is that the devices, by their nature, are remote and numerous. Remote access, and the ability to apply changes and fixes to multiple devices at once, makes them easier to manage, but that comes with a risk of compromise.
“If a remote fix cannot be carried out, an engineer will be required to physically visit the device or devices to address the issue. Again, due to the nature of IoT devices – that they are remote and numerous – this means significant cost for remediation. This might be an internal engineer physically travelling to reach a faulty device, or alternatively, enlisting the support of an external engineer, for example from the manufacturer of the device, to fix the problem.
“While this remediation is taking place, a business must be able to operate without that device. Returning to the example of a sensor on a production line, is there an alternative, manual workaround? If not, whenever there is an issue, production will be brought to a halt until the problem is resolved.”
Groucutt concludes: “IoT will revolutionise the way we live and work. However, fundamental security risks remain ever-present. There are currently no controls in place to protect users from sloppy programming and insecure devices being connected. Recently, the US introduced a bill to regulate IoT devices. The requirements aren’t strenuous – guidance around updates and patching, not using default passwords and not having any known vulnerabilities. That legislation only applies to the supply of devices to the US government. For organizations in the UK, even these relatively simple steps are not required of device manufacturers. Organizations therefore must assume responsibility for understanding the threats surrounding IoT and protect against them accordingly.”