IoT security is too hard, so we’re giving up

May 21, 2018 by Stacey Higginbotham

A lot of consumer IoT products and devices employees bring into work are flying under the radar at enterprises, according to the Pwnie Express report.

We’re putting a lot of technology in a lot more places these days, and we’re connecting it to the internet in the hopes of being able to see new patterns so we can change our lifestyles and businesses. This has opened up a huge attack surface. In the last two years, not only have a range of new threats come to light, but old threats have become more powerful, all of which has led experts to believe that the next big cyberattack could take down critical infrastructure – and it’s only a matter of time before it happens.

We’ve covered how an exploit of a piece of Schneider Electric industrial process equipment took an oil refinery offline. Most people are also aware that last year, a malware variant called NotPetya took hospitals in the UK offline because of computer issues and because equipment such as MRI machines were affected. For most security professionals, those attacks are just the beginning.

A new report out from security group Pwnie Express claims that 85 percent of the 500+ security professionals it surveyed believe that their country will suffer a major cyberattack on its critical infrastructure in the next five years. What’s even worse is that most of these respondents believe that the least prepared industries are those with the biggest ramifications for health and safety – public health, water and wastewater, and the energy sector. In many cases it’s not that these organizations are doing nothing, it’s that the threat is so large and new they don’t know where to begin.

Back in 2015, I was talking to the CEO of American Electric Power at a Fortune event, and he told me that the company had an entire floor of employees focused on cybersecurity vs. just a handful of employees a few years earlier. And those employees were constantly fending off attacks. But his focus at the time was centered more around protecting the organization’s computer networks. Now threats come over networked cameras or through hackers attaching a rogue thermostat to a network.

And as to the facilities that are getting connected, their IT operations staff are busy doing other things. The security folks Pwnie Express surveyed said their employers were more than twice as likely to have a security policy in place for IT devices than for IoT. If those companies do have a security policy, only a little more than one-third of their security pros said that they themselves are involved in checking that the devices are compliant, and two out of five said they either didn’t ensure devices were compliant or they weren’t sure if anyone in their organization checks if they are or not.

So basically when it comes to things that aren’t computers, most of those tasked with IT security are running blind. To solve this, I’ve proposed thinking about IT security more like the facilities guys view operations security. Todd DeSisto, CEO of Pwnie Express, adds that when companies buy connected products, someone from the security team should be involved in the purchasing decision. A doctor excited about a connected MRI might not think about the patching and support contract associated with the machine, but keeping it free of vulnerabilities will be at the top of the CISO’s mind.

DeSisto also says the survey results that surprised him the most were that professionals were abundantly aware of increased risks, but their companies had done little to try to address clear problems, such as not knowing what was on a network. “The complexity makes it hard for people to solve,” DeSisto says. “There are a lot of stakeholders, no standards, long life cycles, and any number of things in the wild, running in non-traditional environments.” So they give up.

Unfortunately, many of the concerns about security vulnerabilities are going to get worse before they get better. Almost a third (64 percent) of survey respondents said they are more worried about device threats than they were at the same time last year. The reigning solution so far seems to be some type of network monitoring function that can help security professionals. And it would be beneficial for companies to at least know what’s on their network, especially when 51 percent are concerned with purpose-built rogue devices yet only 24 percent can monitor for them in real time.

The solutions, however, are difficult to implement, require skilled people, and can be costly. That’s the opportunity Pwnie Express is banking on, but it’s also leading to a bunch of security checklist offerings such as this one issued recently by AIG. The checklist aims to be a “set of actions for cyber defense that provide specific and actionable ways to stop today’s most pervasive and dangerous attacks” and “is intended to help strengthen, prioritize, and focus on a smaller number of actions with high pay-off results.”

But if you download the document looking for the easy way out, I’m sorry to say that the checklist contains 46 items that range in complexity from “Eliminate unnecessary services and unused ports” to “Conduct security testing on third-party devices and software utilized in your business and products.” The problem with putting connectivity in everything is that criminals can take advantage of just about anything. No wonder security professionals are ready to give up.
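The “at least know what’s on your network” step above is the cheapest of the network-monitoring approaches the survey respondents lean on. As an added illustration (not code from this article or from Pwnie Express), the script below parses constructed `arp -an` style output, flags MAC addresses that are not in an approved asset inventory, and notes locally administered addresses, which a vendor-OUI lookup cannot classify. The sample ARP lines and the inventory are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the format of Linux `arp -an`; not real network data.
ARP_OUTPUT = """\
? (10.0.20.10) at 00:1a:2b:3c:4d:5e [ether] on eth0
? (10.0.20.23) at 3c:5a:b4:11:22:33 [ether] on eth0
? (10.0.20.57) at 00:0c:29:aa:bb:cc [ether] on eth0
? (10.0.20.88) at 02:42:ac:11:00:02 [ether] on eth0
? (10.0.20.99) at <incomplete> on eth0
"""

# Constructed asset inventory keyed by MAC: the devices security signed off on.
INVENTORY: Dict[str, str] = {
    "00:1a:2b:3c:4d:5e": "badge-reader-lobby",
    "00:0c:29:aa:bb:cc": "hvac-controller-2f",
}

ARP_RE = re.compile(
    r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]{17}) \[ether\] on (?P<iface>\S+)"
)


def parse_arp(text: str) -> List[Tuple[str, str, str]]:
    """Return (ip, mac, iface) for each resolved ARP entry; <incomplete> rows are skipped."""
    found = []
    for line in text.splitlines():
        m = ARP_RE.search(line)
        if m:
            found.append((m.group("ip"), m.group("mac").lower(), m.group("iface")))
    return found


def is_locally_administered(mac: str) -> bool:
    """Bit 0x02 of the first octet set means the MAC was assigned locally (randomised
    or software-defined), so it carries no vendor OUI to identify the device by."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def find_rogues(entries: List[Tuple[str, str, str]], inventory: Dict[str, str]) -> List[dict]:
    """Devices seen on the wire that are absent from the approved inventory."""
    rogues = []
    for ip, mac, iface in entries:
        if mac not in inventory:
            rogues.append({"ip": ip, "mac": mac, "iface": iface,
                           "locally_administered": is_locally_administered(mac)})
    return rogues


if __name__ == "__main__":
    for rogue in find_rogues(parse_arp(ARP_OUTPUT), INVENTORY):
        print(rogue)
```

Feeding it real `arp -an` output on a schedule and diffing against the inventory is the real-time rogue-device monitoring only 24 percent of respondents said they have.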


Filed Under: Analysis, Featured Tagged With: AEP, AIG, Pwnie Express


Comments

  1. Paul Hutchinson says

    May 21, 2018 at 9:07 am

    It’s hard to keep track of all the malware.

    AFAICT NotPetya was not the one that affected UK NHS Hospitals, that was WannaCry.

    https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#Impact

    See also:
    https://en.wikipedia.org/wiki/Petya_(malware)
    “Experts believed this was a politically-motivated attack against Ukraine, since it occurred on the eve of the Ukrainian holiday Constitution Day.”

    https://www.theregister.co.uk/2017/06/28/petya_notpetya_ransomware/

    http://www.bbc.com/news/uk-politics-43062113

  2. Ron Harris says

    May 21, 2018 at 5:30 pm

    It’s not that hard. We can make the connected devices invisible!!!

  3. New York Nerds says

    June 26, 2018 at 7:13 am

    The data is always visible even if it travels on an invisible network because when communication happens, the IP addresses give a clue.
