The Internet of Things (IoT) has been called the next Industrial Revolution: it promises to change the very fabric of communications within businesses, governments, and consumers. As with all hype comes a counterbalance of woes. There isn't a security manufacturer, reseller, or consultant who isn't talking about the impending doom IoT can present from a security perspective.
First of all, let's delve into whether this is a real phenomenon or not. Well, if Gartner is any indication, this is much more than marketing hype.
- Gartner's numbers lag behind the Business Intelligence forecast of 15 million IoT devices by 2015; still, the projected 8.4 billion connected things in use this year is close enough for government work, with 20.4 billion devices expected by 2020.
- Total spending on endpoints and services will reach almost $2 trillion this year.
Consumer Applications to Represent 63 Percent of Total IoT Applications in 2017

The consumer segment, with 5.2 billion units in 2017, is the largest user of connected things, representing 63 percent of the overall number (see Table 1). Not to be outdone, businesses are on pace to employ 3.1 billion connected things by the end of 2017.

"Aside from automotive systems, the applications that will be most in use by consumers will be smart TVs and digital set-top boxes, while smart electric meters and commercial security cameras will be most in use by businesses," said Peter Middleton, research director at Gartner.

In addition to smart meters, applications tailored to specific industry verticals (including manufacturing field devices, process sensors for electrical generating plants and real-time location devices for healthcare) will drive the use of connected things among businesses through 2017, with 1.6 billion units deployed. However, from 2018 onwards, cross-industry devices, such as those targeted at smart buildings (including LED lighting, HVAC and physical security systems), will take the lead as connectivity is driven into higher-volume, lower-cost devices. In 2020, cross-industry devices will reach 4.4 billion units, while vertical-specific devices will amount to 3.2 billion units.
Table 1: IoT Units Installed Base by Category (Millions of Units)

| Category | 2016 | 2017 | 2018 | 2020 |
|---|---|---|---|---|
| Consumer | 3,963.0 | 5,244.3 | 7,036.3 | 12,863.0 |
| Business: Cross-Industry | 1,102.1 | 1,501.0 | 2,132.6 | 4,381.4 |
| Business: Vertical-Specific | 1,316.6 | 1,635.4 | 2,027.7 | 3,171.0 |
| Grand Total | 6,381.8 | 8,380.6 | 11,196.6 | 20,415.4 |

Source: Gartner (January 2017)
Ok, so we've established that this isn't going away anytime soon; let's see what the concerns are with this tsunami of access. So far, most risk warnings just post charts of the growing attack surface people inherit when they purchase these new "smart" devices; we were more interested in actual data showing real IoT attacks thus far.
SURVEY SAYS…
According to a survey performed by Aruba, a Hewlett Packard Enterprise company, a total of 3,100 global IT and business decision makers were interviewed in November and December 2016. The respondents were from organizations of at least 500 employees, in both the public and private sectors, with a focus on the industrial, government, retail, healthcare, education, construction, finance, and IT/technology/telecommunications sectors.
IoT adoption among the sectors analyzed was widespread:
- Enterprise: 72%
- Industrial: 62%
- Healthcare: 60%
- Retailers: 49%
- Government: 42%
Several significant security flaws were found across many IoT deployments. The study found that 84% of organizations have experienced an IoT-related security breach, and more than half of respondents said that external attacks are a key barrier to embracing and adopting an IoT strategy. Aruba's conclusion is that a holistic IoT security strategy, built on strong network access control and policy management, will not only protect enterprises but also simplify the security approach for IT.
To make things worse, Forrester predicts that more than 500,000 IoT devices will suffer a compromise in 2017, dwarfing Heartbleed. Drop the mic — enough said.

The sheer velocity with which distributed denial-of-service (DDoS) attacks have spread through common household items such as DVR players makes this sector scary from a security standpoint.
Corey Nachreiner, CTO at WatchGuard Technologies, predicts that IoT devices will become the de facto target for botnet zombies. He continued:

"Many IoT devices coming on the market have proprietary operating systems. On the other hand, another class of IoT products are devices running embedded Linux. These devices look very familiar to hackers. They already have tools and malware designed to target them, so 'pwning' them is as familiar as hacking any Linux computer. On top of that, the manufacturers releasing these devices seem to follow circa-2000 software development and security practices. Many IoT devices expose network services with default passwords that are simple for attackers to abuse," Nachreiner says.
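The failure mode Nachreiner describes, network services left behind factory default passwords, shows up in a device's own logs as a burst of failed logins across the usual factory account names, followed by a success when the scanner hits the right default. The following is an added example, not code from the original post or from WatchGuard, that flags that pattern in an auth log. The log lines, the dropbear-like syslog format, the RFC 5737 TEST-NET source addresses and the assumed year (syslog carries none) are all constructed for the example.

```python
"""Detect default-credential scanning against an embedded device's login
service from its auth log.  The log is constructed for this example in a
dropbear-like syslog style; the detection keys on the pattern (many failures
across several factory account names, then possibly a success), not on any
one product's exact message format."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not from a real device): a legitimate admin who mistypes
# twice, a scanner that cycles through factory account names and gets in, and
# a second scanner that gives up.  Addresses are TEST-NET / private ranges.
LOG = """\
Jan 10 03:10:01 cam01 dropbear[412]: Bad password attempt for 'admin' from 10.0.9.20:50211
Jan 10 03:10:06 cam01 dropbear[412]: Bad password attempt for 'admin' from 10.0.9.20:50211
Jan 10 03:10:12 cam01 dropbear[412]: Password auth succeeded for 'admin' from 10.0.9.20:50211
Jan 10 03:41:00 cam01 dropbear[517]: Bad password attempt for 'root' from 203.0.113.5:41000
Jan 10 03:41:01 cam01 dropbear[518]: Bad password attempt for 'root' from 203.0.113.5:41001
Jan 10 03:41:01 cam01 dropbear[519]: Bad password attempt for 'admin' from 203.0.113.5:41002
Jan 10 03:41:02 cam01 dropbear[520]: Bad password attempt for 'support' from 203.0.113.5:41003
Jan 10 03:41:02 cam01 dropbear[521]: Bad password attempt for 'user' from 203.0.113.5:41004
Jan 10 03:41:03 cam01 dropbear[522]: Bad password attempt for 'guest' from 203.0.113.5:41005
Jan 10 03:41:03 cam01 dropbear[523]: Password auth succeeded for 'root' from 203.0.113.5:41006
Jan 10 04:02:10 cam01 dropbear[601]: Bad password attempt for 'root' from 198.51.100.8:33000
Jan 10 04:02:11 cam01 dropbear[602]: Bad password attempt for 'admin' from 198.51.100.8:33001
Jan 10 04:02:12 cam01 dropbear[603]: Bad password attempt for 'support' from 198.51.100.8:33002
Jan 10 04:02:13 cam01 dropbear[604]: Bad password attempt for 'user' from 198.51.100.8:33003
Jan 10 04:02:14 cam01 dropbear[605]: Exit before auth from <198.51.100.8:33004>: Disconnect received
"""

TS = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*"
FAIL = re.compile(TS + r"Bad password attempt for '(?P<user>[^']*)' from (?P<ip>[\d.]+):\d+")
OK = re.compile(TS + r"Password auth succeeded for '(?P<user>[^']*)' from (?P<ip>[\d.]+):\d+")


def parse(log, year=2017):
    """Return a list of (time, source_ip, account, succeeded).  Syslog timestamps
    carry no year, so one is assumed (2017 here)."""
    events = []
    for line in log.splitlines():
        for pattern, ok in ((FAIL, False), (OK, True)):
            m = pattern.match(line)
            if m:
                t = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
                events.append((t, m["ip"], m["user"], ok))
                break
    return events


def credential_scans(log, min_failures=4, min_users=3, window=timedelta(minutes=5)):
    """Report sources whose failed logins within `window` span several account
    names (a default-credential sweep).  A single admin fumbling one account
    stays below the thresholds.  Result: {ip: {"users", "failures",
    "compromised", and "account" when a success followed the sweep}}."""
    by_ip = defaultdict(list)
    for ev in parse(log):
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        recent = []  # (time, account) of failures still inside the window
        for t, _, user, ok in evs:
            recent = [(ft, fu) for ft, fu in recent if t - ft <= window]
            if not ok:
                recent.append((t, user))
            users = {fu for _, fu in recent}
            if len(recent) >= min_failures and len(users) >= min_users:
                f = findings.setdefault(ip, {"users": set(), "failures": 0, "compromised": False})
                f["users"] |= users
                f["failures"] = max(f["failures"], len(recent))
                if ok:  # the sweep ended in a successful login: treat the device as owned
                    f["compromised"] = True
                    f["account"] = user
    for f in findings.values():
        f["users"] = sorted(f["users"])
    return findings


if __name__ == "__main__":
    for ip, f in credential_scans(LOG).items():
        state = f"compromised via '{f['account']}'" if f["compromised"] else "no success seen"
        print(f"{ip}: {f['failures']} failures across {f['users']}; {state}")
```

The two thresholds are deliberately separate: a count of failures alone would also catch a forgetful administrator, while requiring several distinct account names is what distinguishes a sweep of factory defaults from one person retrying one login.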
ACTUAL IoT Breach, A Fish Tank…
According to the director for cyber intelligence at Darktrace, a security firm, a hacker used an internet-connected fish tank to gain access to the casino's network, and from there was able to move "laterally to other places in the network" due to other vulnerabilities. The company detailed this and other atypical threats in a report published in July 2017.

The tank also allowed the attackers to swipe 10 gigabytes of data from the North American casino that had just installed it, according to the report from Darktrace's threat intelligence team.

The tank's communications with the casino's network appeared normal enough. The data it was pumping to the outside, however, was highly suspect: it was the only casino system that ever sent data to the remote server in Finland it was communicating with, and it did so using protocols that are normally used for streaming audio or video.

"This was a clear case of data exfiltration," notes the Darktrace report, adding, "but far more subtle than typical attempts at data theft."
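The two signals Darktrace names, a host that is the sole internal system talking to a given external server, and a large volume pushed over streaming-media protocols, can be checked from ordinary flow records. The following is an added example, not code from the original post or from Darktrace's product, that applies those two checks to constructed flow records. Assumptions made here: 10.0.0.0/8 is the corporate range, the streaming-port list (RTSP, RTMP, RTP/RTCP defaults) is a stand-in for whatever protocol classification a real sensor provides, and all external addresses are RFC 5737 TEST-NET addresses.

```python
"""Flow-based check for the exfiltration pattern in the Darktrace case: an
internal host that is the only system ever talking to an external server,
pushing a large volume on ports normally used for streaming media.  The flow
records are constructed for this example; they are not the casino's data."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str        # source IP
    dst: str        # destination IP
    dst_port: int
    out_bytes: int  # bytes sent src -> dst


INTERNAL = ip_network("10.0.0.0/8")        # assumed corporate range
STREAMING_PORTS = {554, 1935, 5004, 5005}  # RTSP, RTMP, RTP/RTCP defaults (assumed list)

# Constructed flows (TEST-NET destinations), modelled on the narrative above.
FLOWS = [
    # Ordinary browsing and update traffic shared by several hosts.
    Flow("10.0.1.10", "192.0.2.80", 443, 20_000),
    Flow("10.0.1.11", "192.0.2.80", 443, 18_000),
    Flow("10.0.1.12", "192.0.2.80", 443, 25_000),
    Flow("10.0.1.10", "192.0.2.81", 80, 4_000_000),
    Flow("10.0.1.11", "192.0.2.81", 80, 3_800_000),
    # A backup server that alone talks to its cloud endpoint: unique, but
    # small volume over HTTPS, so it must not be reported.
    Flow("10.0.2.5", "198.51.100.77", 443, 900_000),
    # Internal-only traffic from the tank controller: out of scope here.
    Flow("10.0.50.7", "10.0.3.9", 8080, 12_000),
    # The aquarium controller pushing 10 GiB to one server on RTSP/RTP ports.
    Flow("10.0.50.7", "203.0.113.99", 554, 3_600_000_000),
    Flow("10.0.50.7", "203.0.113.99", 5004, 3_600_000_000),
    Flow("10.0.50.7", "203.0.113.99", 5004, 3_537_418_240),
]


def summarize(flows):
    """Per external destination, the set of internal talkers; per (src, dst),
    total bytes and destination ports.  Only internal -> external flows count."""
    talkers = defaultdict(set)
    volume = defaultdict(int)
    ports = defaultdict(set)
    for f in flows:
        if ip_address(f.src) not in INTERNAL or ip_address(f.dst) in INTERNAL:
            continue
        talkers[f.dst].add(f.src)
        volume[(f.src, f.dst)] += f.out_bytes
        ports[(f.src, f.dst)].add(f.dst_port)
    return talkers, volume, ports


def flag_sole_talkers(flows, min_bytes=100_000_000):
    """Return sorted (src, dst, bytes, reasons) where src is the only internal
    host talking to dst AND at least one of: volume >= min_bytes, or a
    streaming-media port was used.  Uniqueness alone is not reported, because
    single-purpose servers legitimately have unique destinations."""
    talkers, volume, ports = summarize(flows)
    findings = []
    for dst, srcs in talkers.items():
        if len(srcs) != 1:
            continue
        (src,) = srcs
        key = (src, dst)
        reasons = []
        if volume[key] >= min_bytes:
            reasons.append(f"{volume[key]} bytes outbound")
        media = sorted(ports[key] & STREAMING_PORTS)
        if media:
            reasons.append(f"streaming-media ports {media}")
        if reasons:
            findings.append((src, dst, volume[key], ["sole internal talker"] + reasons))
    return sorted(findings)


if __name__ == "__main__":
    for src, dst, nbytes, reasons in flag_sole_talkers(FLOWS):
        print(f"{src} -> {dst}: {nbytes / 2**30:.1f} GiB; " + "; ".join(reasons))
```

On the constructed data this reports only the controller at 10.0.50.7, with 10 GiB to 203.0.113.99 over ports 554 and 5004; the backup server's unique destination is left alone because neither the volume nor the protocol is suspicious on its own.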
As crazy as this hack might seem today, you can bet that things are only going to get crazier. Many of the connected devices for sale today are seriously lacking when it comes to security. They're under constant attack from the moment they're hooked up to the Internet and can fall under hacker control within minutes.
Ok So What Do We Do?

Four IoT security principles for enterprises

Volker Gerstenberger and Tomi Ronkainen of Giesecke & Devrient (G&D), speaking at the LiveWorx 2016 Internet of Things event, laid out four IoT security principles for the enterprise (as reported by diginomica):
1. Address IoT security explicitly by design; don't adapt existing security. Ronkainen added that too often, companies think they can adapt their existing security for IoT, and, he says, "from our perspective, it's falling short." Designing for IoT security is a specialty unto itself; do not assume existing developers, designers and admins have the know-how.
2. Pay attention to all layers of IoT security to avoid a vulnerable entry point. Whether it's healthcare, automotive or oil and gas, Gerstenberger acknowledged that all of them are grappling with the many layers of IoT security: the hardware layer, the software layer, and securing network connections, data in transit, and application data.
3. IoT security is only as strong as its weakest link, particularly on mobile devices. Gerstenberger seized upon a home sprinkler app example to show how mobile security can be compromised:

"For any type of IoT service, or IoT interaction, we now demand an app for that. 'Can I control that with my mobile phone, can I control it on my iPad?' All of that ultimately ends up being on this universal remote control that we are so happy using. But if we also have the digital car key on our mobile phone, if this sprinkler application is malicious or can be attacked, then it quite easily can spur into all the other domains that you are controlling with your mobile phone."

Needless to say, those mobile domains could include access to enterprise data and controls.
4. Complex machines like connected cars are the hardest to secure. G&D is heavily involved in connected car security, an issue that's been grabbing plenty of headlines. I asked them how we should be thinking about security in those settings, where the prospect of someone hacking into your vehicle remotely is very unpleasant.
Ronkainen: "Now we are talking super complex environments. If you know Bruce Schneier, who is one of the fathers of cryptology and an evangelist of security things, he always said that complex systems are the most vulnerable because there are so many things in there, and things can go wrong. The connectivity is one case where we have started [with secure chips], but now we are working on more advanced security solutions including firewalls, intrusion detection, certificate management and key management systems for connected cars."
And, it goes without saying: no default passwords on purchased equipment.
Sources
- https://www.gartner.com/newsroom/id/3598917
- https://diginomica.com/2016/10/05/a-massive-iot-security-breach-hits-the-web-how-should-enterprises-respond/
- https://www.forbes.com/sites/leemathews/2017/07/27/criminals-hacked-a-fish-tank-to-steal-data-from-a-casino/#1ba3d9c732b9
- https://www.csoonline.com/article/3153707/security/top-5-cybersecurity-facts-figures-and-statistics-for-2017.html
- https://www.darkreading.com/endpoint/iot-security-by-the-numbers/d/d-id/1325583?
So “Once more unto the breach, dear friends, once more;”
____________________________________________________________
About Rick Ricker
An IT professional with over 23 years experience in Information Security, wireless broadband, network and Infrastructure design, development, and support.
For more information, contact Rick at (800) 399-6085 x502