What is the Internet of Things (IoT)?
The “Internet of Things”, commonly referred to as IoT, brings internet connectivity to everyday devices allowing them to communicate and interact. IoT devices are meant to automate tasks for people at home, in the industry or within the enterprise. IoT devices may include door locks, doorbells, watches, thermostats, security cameras and smart sensors just to name a few. They often come shipped with minimal configuration needed. One prediction, made by Gartner, estimates 20 billion connected IoT devices will be in use by 2020 while other predictions state that number could more than double by the year 2025. Just to put that into perspective, in just over 5 years there will be 4x the number of IoT devices on the planet as there are people.
IoT Security Falls Short
Unfortunately, today there are no mandated standards for IoT security by the device manufacturers. Each manufacturer can incorporate secure architecture as they see fit, or not at all. Ease of use and rock bottom prices have caused many vendors to place price above security. Fixed credentials and non-industry standard technology create backdoors for hackers, allowing the devices to be used as tools to execute cyberattacks. Common attacks include the creation of botnets (a group of computers connected in a coordinated fashion for malicious purposes) to execute cryptojacking (unauthorized use of someone else's computer to mine cryptocurrency) or distributed denial of service (DDoS) attacks. Gartner also predicts by the year 2020 more than 25% of identified attacks in enterprises will involve the IoT.
Sending it to the House
This may all sound quite grim. However, early last week the Internet of Things Cybersecurity Improvement Act of 2019 was introduced for a vote in both the US Senate and House of Representatives. The bill takes aim at the first steps in creating IoT security standards for vendors providing IoT devices to the US Government. If passed, the federal IoT security bill would require recommendations from the National Institute of Standards and Technology (NIST) on which security standards/protocols the federal government should follow. It will require all IoT vendors that sell to the US government to have a vulnerability disclosure policy. Additionally, it will require verification from each vendor that their device:
- Is free of any known security vulnerabilities
- Uses industry standard technology
- Does not utilize fixed credentials
What to Do?
Although the legislation shines a light on IoT cybersecurity, it is more of a flashlight than a spotlight. Since it only addresses vendors selling to the US government, we can only hope that with time the standards will permeate throughout the industry and consumer purchased devices. In the meantime, businesses must do their part in securing their own IoT landscape. Here are 4 key tactics businesses can use to reduce their IoT risk:
- Build a culture of security awareness through employee training
- Inventory devices and systems connected to the network
- Isolate systems by implementing network segmentation
- Enable a real-time monitoring solution to identify network traffic anomalies
We pride ourselves in taking a customer-focused approach, providing a tailored, customized service based on your organizational needs. To help combat threats introduced by IoT devices in your organization, our S.H.I.E.L.D training awareness platform will educate and empower your workforce, creating a more secure environment. Our Vulnerability Assessment and Penetration Testing services will help you identify and evaluate the vulnerabilities of IoT devices residing on your network.
Take a look at our complete line of service offerings to see what else we can do for you.
Written by Aaron Moore
Aaron has over twenty years of IT experience spanning a variety of domains including: Banking, Agriculture, DoD and CPG industries. Aaron possesses his Security+ CE certification and currently serves as a Sales Engineer at TechGuard Security. In this role, he acts as the liaison between the sales and technical teams, matching client needs to the core capabilities. Aaron has served as a consultant for multiple Fortune 200 organizations, fulfilling roles in application development, database design and database administration. In his spare time, Aaron and his wife can usually be found at the baseball or soccer fields watching their kids play sports.