The Risks of IoT in Commerce and Industry

2024-06-17
The risks associated with IoT, despite being numerous and well documented, have not deterred businesses from expanding their use of it. The advantages offered in terms of utility and efficiency are just too great, and the uptick in the use of IoT devices so far seems to outpace the security measures taken to accommodate them. Security, though, is crucial, and the history of IoT is marred by vulnerabilities and risks that survive to this day. IoT-enabled devices and networks have been the weak points that have led to thousands of attacks in the past, and with the ongoing adoption for commercial use, the number of vulnerable networks continues to grow. So what kind of issues could this widespread adoption of IoT cause, and what steps do businesses need to take to avoid them?

A Brief History

IoT, or Internet of Things, is a technology that has already changed industry forever, levelling us up from industry 3.0, where computers augmented existing automated processes, to industry 4.0, where a marriage of computers and sophisticated automated agents has allowed us to begin to construct smart factories, for example. IoT is the backbone of industry 4.0. By providing network connectivity to things that previously had none, it allows for remote controlling and remote monitoring of more than has ever been possible before. It is the connectivity that unites machine and data, allowing industrial processes to self-assess, to self-monitor, and to self-analyse.

IoT will also be an important part of the move towards industry 5.0, where advancements in industry are expected to come about through the use of artificial intelligence. IoT will be the means by which AI can interact with machines, providing them a new ability: self-determination. This will allow machines to make operational decisions for themselves, based on data that they collect themselves, paving the way for fully autonomous industry.

To achieve this, more and more IoT devices will be designed and employed. However, every single additional IoT device added to a network is an additional endpoint, and the consensus among security experts is that these endpoints specifically are weak points.

For context, there have been a large number of security incidents relating to IoT in the past. One that may immediately come to mind is the Mirai botnet attack of 2016, where a vulnerability in IoT technology allowed malware distributors to assemble an enormous botnet, which they used to launch distributed denial-of-service (DDoS) attacks. That same year, a DDoS attack against Dyn was launched, also using a botnet of IoT devices. This caused widespread internet outages. Then, in 2017, the WannaCry ransomware attack took many by surprise as IoT devices, including those used in medical and industrial settings, were also affected as part of a huge ransomware campaign.

Commercial and industrial incidents

In 2020, Nokia released a report stating that 30% of all cyberattacks perpetrated against mobile and wireless networks exploited IoT vulnerabilities. This statistic includes attacks against all IoT devices: not just consumer-grade but also commercial and industrial. In theory, consumer IoT devices might be more likely to forsake good security in favour of better performance. The Bluetooth Low Energy (BLE) protocol, for example, which was developed to improve battery life on Bluetooth devices, contains a widely exploited vulnerability which disproportionately affects portable devices. It is often the case that this is the trade-off: security for performance. However, consider the vulnerabilities not yet discovered, and the impact of a severe security flaw in a future where over a trillion more IoT devices are employed than are today.

When Stuxnet infected an Iranian facility built to refine uranium isotopes, almost a thousand centrifuges were irreversibly damaged, causing a 30% drop in efficiency in uranium refinement. These IoT-enabled centrifuges were found to be infected with the Stuxnet malware. When Stuxnet infects a machine, it checks for any programmable logic controllers (PLCs) that are connected to it - these being a key architectural component of industrial IoT configurations. The virus is programmed to alter the speeds of rotation of the centrifuges until they break. This attack on Iran's uranium refinement industry serves as a case study for attacks on industrial IoT today, but the smart factories of the future may be even more severely affected.

In a commercial setting, IoT devices harvest vast amounts of sensitive data about staff and customers, including their location, appearance, shopping habits, and payment information. Data of this type can make impersonation of compromised individuals much easier for bad actors, and also makes those individuals much easier to target with social engineering attacks. It is therefore vital that companies do all that they can to safeguard this data, and unfortunately, they do not. Though over 84% of companies use IoT technology, fewer than 50% have taken any precautions to secure their networks against cyberattacks that may target IoT devices. Additionally, one of the biggest disadvantages of the improvement in IoT devices, staff redundancy, also has the knock-on effect of poorer hardware monitoring, making USB ports more easily accessible, card skimmers easier to install, and so on.

Risk Mitigation

It is crucially important that businesses are prepared for cyberattacks. IoT attacks specifically can be difficult to diagnose. Currently, there is a vast quantity of IoT devices and a great deal of diversity - each device might have its own proprietary software-defined processes and operating system that introduce a whole new host of vulnerabilities to the network it's placed within. Additionally, attacks against this network can occur at multiple layers of the OSI model: Stuxnet, for example, was distributed via a physical layer vulnerability. This can make it hard to effectively safeguard your network when the number of possible weak points is simply that high. That said, by following these good practices, you can decrease your overall susceptibility to IoT attacks.

  1. Keep IoT devices on a separate network. If a device or network is infected, this reduces the risk of that infection spreading outside of that network and keeps your other devices secure. You may also opt to take steps to further secure the communication between your network segments.
  2. Deploy patches to your IoT devices as soon as possible. This will best protect your network against new malware strains by fixing whatever vulnerabilities they exploit as soon as a fix becomes available.
  3. Educate your staff on best practices. Your staff need to be aware of more than general cybersecurity principles - they should also be aware of current campaigns and trends, be exposed to phishing simulations, and proactively monitor hardware and their systems for any anomalies.
  4. Use strong passwords and Multi-Factor Authentication (MFA). Weak or reused credentials are the easiest way for a bad actor to gain access to your network in general, and credential reuse is the downfall of a huge number of businesses that become victims of cyberattacks.
  5. Enable encryption wherever available. Be aware that some IoT devices do not support encryption, so opt for ones that do. All data stored and all data transferred should be securely encrypted both within a network and when transmitted to another network.
  6. Maintain a comprehensive device inventory. This is especially important in commercial or industrial settings where hundreds or thousands of IoT devices might be employed - it is important to know what you have and where you have it, and to routinely collect diagnostic information from your devices.
  7. Disable unneeded functionality of IoT devices. If a device has Bluetooth and Wi-Fi connectivity, but your business only needs the Wi-Fi, then disable the Bluetooth. This reduces the ways that a bad actor can interact with the device if it is compromised.
  8. Secure your endpoints. Employees accessing your work network from home or bringing their own devices, for example, might have already suffered IoT attacks that could move laterally to your own. A rigorous endpoint-management system can protect your business against your employees' own compromised networks and devices.
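
As an added illustration (not part of the original article), the sketch below audits a device inventory (practice 6) against practices 1, 2, 5 and 7. The record fields, the 10.20.0.0/16 IoT segment, the 30-day patch window and the sample devices are all assumptions constructed for the example.

```python
import ipaddress
from datetime import date

# Assumed policy values (not from the article): IoT segment range and patch window.
IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/16")
MAX_PATCH_LAG_DAYS = 30

# Constructed sample inventory; every field name and value here is hypothetical.
INVENTORY = [
    {"id": "cam-01", "ip": "10.20.1.15", "fw": "2.4.1", "latest_fw": "2.4.1",
     "latest_fw_released": date(2024, 3, 1), "encrypts": True,
     "enabled": {"wifi"}, "needed": {"wifi"}},
    {"id": "pos-07", "ip": "192.168.1.50", "fw": "1.0.3", "latest_fw": "1.2.0",
     "latest_fw_released": date(2024, 2, 10), "encrypts": False,
     "enabled": {"wifi", "bluetooth", "usb"}, "needed": {"wifi"}},
    {"id": "plc-gw-02", "ip": "10.20.8.4", "fw": "5.1", "latest_fw": "5.2",
     "latest_fw_released": date(2024, 6, 10), "encrypts": True,
     "enabled": {"ethernet"}, "needed": {"ethernet"}},
]

def audit_device(dev, today):
    """Return the list of findings for one inventory record."""
    findings = []
    # Practice 1: the device should sit inside the dedicated IoT segment.
    if ipaddress.ip_address(dev["ip"]) not in IOT_SEGMENT:
        findings.append("outside IoT segment")
    # Practice 2: flag firmware left unpatched past the allowed window.
    if dev["fw"] != dev["latest_fw"]:
        lag = (today - dev["latest_fw_released"]).days
        if lag > MAX_PATCH_LAG_DAYS:
            findings.append(f"patch overdue by {lag - MAX_PATCH_LAG_DAYS} days")
    # Practice 5: devices without encryption support are replacement candidates.
    if not dev["encrypts"]:
        findings.append("no encryption support")
    # Practice 7: anything enabled but not needed is extra attack surface.
    extra = sorted(dev["enabled"] - dev["needed"])
    if extra:
        findings.append("unneeded interfaces enabled: " + ", ".join(extra))
    return findings

def audit_inventory(inventory, today):
    """Map device id -> findings, keeping only devices that need attention."""
    report = {d["id"]: audit_device(d, today) for d in inventory}
    return {dev_id: f for dev_id, f in report.items() if f}

if __name__ == "__main__":
    for dev_id, findings in audit_inventory(INVENTORY, date(2024, 6, 17)).items():
        print(dev_id, "->", "; ".join(findings))
```

A device with a recent but not yet overdue patch (plc-gw-02 in the sample) is deliberately not flagged until the assumed window expires.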

Conclusion

IoT devices are here to stay and will only become more commonplace in industrial and commercial settings. They are the means by which industry 5.0 can be brought about, and the goal of fully autonomous industries can be realised. But IoT devices carry with them a lot of severe cybersecurity concerns, and a security breach can have catastrophic consequences for businesses. It is vital that companies take care to secure their IoT devices and IoT-enabled networks to the best of their ability, to safeguard their business, their staff, their data and their customers.

Sources

https://www.whiteblueocean.com/newsroom/internet-of-things-safe-or-not/

https://www.cloudflare.com/learning/ddos/glossary/mirai-botnet/

https://www.nokia.com/about-us/news/releases/2020/10/22/nokia-threat-intelligence-report-warns-of-rising-cyberattacks-on-internet-connected-devices/

https://www.itu.int/hub/2020/04/arm-predicts-1-trillion-iot-devices-by-2035-with-new-end-to-end-platform/

https://www.csoonline.com/article/562691/stuxnet-explained-the-first-known-cyberweapon.html

https://www.forbes.com/sites/dennismitzner/2022/09/14/self-checkouts-iot-and-the-rise-of-retail-cyber-security-threats/?sh=26987ce457f5

 
