IoT networks are under attack, with potentially dire consequences for organizations that fail to protect them with adequate security and control measures.
Last summer, the FBI issued analertthat warned of cyber criminals ramping up attacks on Internet of Things. Specifically, adversaries are taking advantage of weak authentication, unpatched firmware or other software vulnerabilities, and authentication credentials that can be attacked over the Internet.
The proliferation of IoT devices combined with this reported increase in cyberattacks presents a nightmare of special security challenges faced by industrial enterprises that commercially deploy IoT devices. Unfortunately, it’s not feasible to replace or redesign IoT devices already deployed in the field. But by overlaying security and control measures on existing IoT networks, these organizations may just have found the key to mitigating vulnerabilities.
Let’s take a deeper dive into IoT vulnerabilities and security risks, as described by the National Institute of Standards and Technology (NIST). NIST’s 2018 report “Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks” identified three problems faced by organizations that deploy IoT devices.
First, IoT devices interact with the physical world in ways conventional IT devices usually do not. NIST points out that cybersecurity and Privacy policies must take into account the ramifications of IoT devices making changes to physical systems and affecting the physical world. For instance, the security ramifications of a compromised device controlling a town’s water supply are vastly different from a compromised device disclosing customer records. NIST also notes that “operational requirements for performance, reliability, resilience and safety may be at odds with common cybersecurity and privacy practices for conventional IT devices.”
Second, many IoT devices cannot be accessed, managed or monitored in the same way conventional IT devices can. Because many IoT devices are on private networks or in remote locations, organizations many need to perform manual tasks when updating or protecting large numbers of IoT devices. Employees may need special tools and training, and security models may need to account for manufacturers and other third parties having access or control over devices. Obviously, manual tasks are cost-prohibitive and time-consuming for those organizations that have geographically dispersed locations that must be protected and updated.
