
Communications of the ACM

BLOG@CACM

Protecting Enterprise Use of IoT



Let us take a look at potential Internet of Things (IoT) device connectivity issues in companies, review the most common uses for the Internet of Things in enterprises, and touch upon some of the biggest IoT vulnerabilities. We will also talk about three ways to keep things safe when using the Internet of Things. And finally, we will develop some key recommendations for the reliable and safe use of IoT devices in the organization, which will allow you to focus on ensuring the efficient operation of the enterprise and forget about security issues.

IoT devices are used everywhere, including in a corporate environment. The Internet of Things brings big benefits to organizations: it increases employee productivity and makes mission-critical business processes run smoother, more intuitively, and efficiently.

However, this technology makes the organization more vulnerable in many ways. In 2021, attackers hacked Verkada, gaining access to the recordings of more than 150,000 CCTV cameras. The recordings themselves belonged to 95 customers, and the compromised CCTV cameras allowed attackers to view various facilities: prisons, schools, buildings of other companies, and even the Tesla car manufacturer. Verkada had previously stated that its systems were "virtually unbreakable." However, the results of the investigation revealed a weak corporate culture that should have long been suspicious. This hack is not unique, as there have been too many similar incidents lately.

Vulnerability of the Internet of Things in healthcare organizations

The healthcare industry has always used the most advanced technologies. Hospitals and other medical institutions, as a rule, quickly introduce new technological innovations. That leads to better, more efficient, and more affordable healthcare.

But when it comes to the latest IoT-powered developments, there are fears that security issues could ultimately go beyond healthcare facilities and affect patients themselves.

According to some estimates, by 2025, the total volume of the global IoT market will grow to $534 billion. There are approximately 646 million IoT devices in the healthcare industry today. And given the rise of telemedicine in the COVID era, the PWC 2021 report calls on healthcare organizations to "strengthen their cybersecurity efforts."

The ramifications of IoT attacks can be enormous:

  • Loss of access to services: The November 2020 cyberattack on the University of Vermont Health Network disabled the chemotherapy and mammography services.
  • Paying ransom: Hospitals spend an average of $430 per patient to fix data leaks.
  • Total cost: In 2019, the average damage to a healthcare organization from a cyberattack that exploits IoT vulnerabilities amounted to $346,205.

In some cases, the vulnerability of these devices is truly shocking. For example, to illustrate the risks of using IoT devices, one woman hacked into her own pacemaker. She then stated, "We need to make the manufacturers of different devices aware that this is something they should be concerned about."

There are a huge number of medical IoT devices, and they are usually divided into three main categories:

  • Wearable devices, familiar to anyone who has ever used a smartwatch. Modern technology goes further: there are new ultra-light wearable biosensors that monitor the condition of patients.
  • Implantable devices: Any device that is implanted into the body. For example, smart pacemakers, insulin pumps, and defibrillators.
  • Other devices used in healthcare facilities, from thermometers to smartpens, that feed patient data into medical record systems.

In addition to devices specifically designed for medical purposes, most hospitals and other healthcare facilities benefit from the use of IoT devices that other organizations also widely apply:

  • Smart office equipment: tag readers, cameras, and routers.
  • Smart building: a system of elevators, heating, ventilation, air conditioning, etc.
  • Personal gadgets of employees that provide access to the hospital network.

IoT devices bring tremendous value to healthcare facilities. They provide patients with more freedom, simplifying the process of the treatment itself. They also provide continuous monitoring and analysis of medical data that would not be possible without these technologies. Plus, they give healthcare providers instant access to up-to-date patient data.

In particular, since the beginning of the COVID-19 epidemic, the use of IoT technologies has repeatedly proven its benefits, including helping to provide medical services remotely.

However, the more people use telemedicine, medical applications, and remote monitoring devices, the more system infiltration opportunities emerge for cybercriminals seeking to take over patients' data or launch ransomware attacks.

For any company, whether in the medical industry or not, every smart device on the network poses certain risks. The challenge for any organization in the world right now is to figure out how to maximize the efficiency of its operations using IoT technologies while reducing all possible risks, ideally, to zero.

IoT devices: risk factors

The Verkada incident has shown that IoT devices have several inherent disadvantages. Here are some of the main reasons this technology poses a high security risk:

  • Lack of standardization creates confusion among devices. IoT devices lack standardized interfaces and control systems. Therefore, it is nearly impossible to develop a uniform security policy, update software, or even set strong passwords without a dedicated IoT security solution.
  • Unlike software we are used to, such as Windows or Android, IoT devices are not designed with security in mind. They are usually not serviced or managed.
  • Outdated or unsupported code architecture, firmware, software. For example, up to half of all connected devices, such as ultrasound and MRI machines, run on outdated operating systems. Hence, no security support or other fixes are available for them.
  • Each additional device using the network increases the attack surface. Although this vulnerability is easy to control when working with most of the devices we are used to (phones, computers), in the case of IoT devices, the situation is not so simple.
  • Medical devices, on the other hand, lack cybersecurity certification, which is ironic given that medical device safety is one of the most stringent regulatory areas around the world.
  • Most organizations tend to use a jumble of different equipment. This makes it nearly impossible to manually inventory each device and track what it is doing.

For these reasons, hackers can compromise IoT devices in any institution and cause damage: steal the personal data of customers or employees, steal intellectual property, or take control of the network in order to obtain a ransom.

The point is that IoT technology developers create and sell these technologies based on functionality and ease of use. They often bring products to market intending to outperform the competition without considering security.

Initially, they may have assumed that hackers would not be interested in these seemingly insignificant devices. But it has already become clear that extortion and the sale of access to corporate systems bring a lot of money. Both of these scenarios are truly nightmarish for most organizations.

Let us look at a typical cyberattack pattern and three easy ways to make the Internet of Things more secure.

Anatomy of a cyberattack targeting IoT devices

Usually, hackers follow a standard scheme:

Step 1. Hack an IoT device as the weakest element in the network.

Step 2. Get access to any data on the device itself and intercept its communication with other devices.

Step 3. Move to other computers and devices on the network using the discovered vulnerabilities.

Step 4. Carry out the theft of confidential information and/or attack critical functions of devices.

How to exclude risk propagation?

Since IoT devices continue to be used anyway, you need to know how to use them safely. There are three best ways to stop hackers:

Establish full visibility. An integrated approach to cybersecurity can only begin when the IT department is aware of all devices accessing the network. Many organizations keep relying on manual device updates and management. Manual control can be applied to, for example, traditional servers and workstations, but it cannot keep up with IoT devices, which require an automated solution for complete control.

Reduce the number of vulnerabilities. The ability to analyze and remediate new threats in real-time is the backbone of any security program. Most organizations also use a system patching tool to streamline their workflows. However, most IoT devices are nearly impossible to upgrade. Therefore, a solution that provides firmware updates has the best chance of success.

Segment the network based on the Zero Trust approach. As we have seen above, lateral movement allows hackers who have infiltrated the network to move to certain devices, such as mail servers, and to gain access to or damage protected information. The solution is to search for tools that simplify network segmentation, allow you to isolate secure areas based on the Zero Trust approach, and make it possible to use them only for legitimate activities.

In addition, governments around the world are planning to enact IoT cybersecurity legislation. Taking action to mitigate risk today will put organizations in a better position against the backdrop of new IoT security policies to be established by law. Also, a growing list of privacy and compliance standards can lead to significant penalties unless a secure network environment is properly ensured.

Best protection practices for IoT devices

Here is a list of basic guidelines to follow to protect an organization from cyberattacks:

1. Improve passwords

Most organizations use weak passwords set by default on IoT devices. And it is not about laziness; it is often very difficult to change the password due to the huge number of IoT devices to be managed. The interface of such devices is usually not completely clear or is difficult to use. Ideally, each device should have its own unique password. Then, even if an attacker gains access to one device, the damage will be significantly lower.

Tip: When investing in new IoT devices, make sure it is easy for you to change passwords from time to time.

2. Apply updates as soon as they are available

IoT devices appear and are replaced by new releases rather quickly, which ties the hands of update developers. However, software or firmware support is available for certain devices. Following high-profile cyberattacks targeting the Internet of Things, this issue has become critical, and some manufacturers have begun to optimize and release relevant updates.

Tip: When choosing new IoT devices, make sure that the manufacturer has provided an upgradeable system.

3. Move towards Zero Trust

Today, many organizations are beginning to adopt the Zero Trust model, based on the "Never Trust, Always Verify" principle. Each user is validated before being granted access. This model can prevent attacks on neighboring devices even if an attacker hacks the network. Network segmentation is another way to block untrusted users or attackers from moving across the network in a company.

Tip: Make sure to use the Zero Trust model when working with all IoT devices.
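
The "full visibility" and "segment the network" advice above, together with the default-deny idea behind Zero Trust, can be checked mechanically. The following Python example is added here and is not code from the original post; the segment names, addresses, inventory and flow records are constructed sample data, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data: every segment, address and MAC below is hypothetical.
SEGMENTS = {
    "iot-cameras": ipaddress.ip_network("10.20.0.0/24"),
    "clinical": ipaddress.ip_network("10.30.0.0/24"),
    "servers": ipaddress.ip_network("10.40.0.0/24"),
}
# Default deny: only these (source segment, destination segment, port) tuples are legitimate.
ALLOWED = {("iot-cameras", "servers", 443), ("clinical", "servers", 443)}
INVENTORY = {  # MAC address -> device known to the IT department
    "00:11:22:aa:bb:01": "lobby camera",
    "00:11:22:aa:bb:02": "ward sensor gateway",
}
OBSERVED = [  # (MAC, IP) pairs as exported from DHCP leases or switch tables
    ("00:11:22:AA:BB:01", "10.20.0.11"),
    ("00:11:22:aa:bb:02", "10.30.0.15"),
    ("de:ad:be:ef:00:99", "10.20.0.77"),  # on the network but never inventoried
]
FLOWS = [  # (source IP, destination IP, destination port)
    ("10.20.0.11", "10.40.0.5", 443),   # camera uploading to its recorder
    ("10.20.0.11", "10.40.0.25", 25),   # camera talking to the mail server
    ("10.20.0.11", "10.30.0.15", 22),   # camera reaching into the clinical segment
    ("10.30.0.15", "10.40.0.5", 443),   # gateway posting to the records server
]

def segment_of(ip):
    """Return the name of the segment containing ip, or None if it is outside all of them."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in SEGMENTS.items() if addr in net), None)

def unmanaged_devices(observed, inventory):
    """Visibility: devices seen on the wire that are missing from the inventory."""
    return [(mac, ip, segment_of(ip)) for mac, ip in observed if mac.lower() not in inventory]

def policy_violations(flows, allowed):
    """Zero Trust: report every flow that the allowlist does not explicitly permit."""
    violations = []
    for src, dst, port in flows:
        key = (segment_of(src), segment_of(dst), port)
        if key not in allowed:
            violations.append((src, dst, port, key[0], key[1]))
    return violations

if __name__ == "__main__":
    for mac, ip, seg in unmanaged_devices(OBSERVED, INVENTORY):
        print(f"UNMANAGED {mac} at {ip} in segment {seg}")
    for src, dst, port, s, d in policy_violations(FLOWS, ALLOWED):
        print(f"DENY {src} ({s}) -> {dst} ({d}) port {port}")
```

Because the policy is an allowlist, traffic inside a single segment is also reported unless it is listed explicitly.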

Towards better, stricter standards

It is no longer a secret that most IoT devices create security vulnerabilities that are just waiting to be exploited, but things have already begun to change. For example, in December 2020, the U.S. passed the Internet of Things Cybersecurity Improvement Act, which calls for improved and stricter standards for IoT devices. This is an important step towards preventing the serious threats posed by these devices.

However, even such legislative initiatives are overdue for most companies that have already been using the Internet of Things from unregulated creators. Obviously, choosing the right vendor whom you can trust and who is known to put security first is critical in buying new devices.

Also, managing a huge number of IoT devices calls for a unified system that provides full control over all connected devices on the network. If there are such devices, it is never too late to secure them.

Conclusion

IoT devices are by far one of the weakest elements of the network (besides humans). The more devices are connected to the system, the larger the attack surface and the more opportunities hackers have to intrude. The key point is that companies need to understand all the security weaknesses of the Internet of Things and make decisions to protect organizations' data.

 

David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. He runs the MacSecurity.net and Privacy-PC.com projects, which present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking.


 
