In 2020, COVID-19 left few stones unturned with its upending impact on health, society, the economy and technology itself.
Internet of Things (IoT) security was no exception. The novel coronavirus, which causes COVID-19 disease, brought new security issues to the fore, and these issues stand to ricochet through 2021 and beyond.
As many activities became remote, digital and more connected (think digital health, videoconferencing and facility remote monitoring), threats also became prevalent. Many of these IoT security threats only broadened the surface area for attacks and moved targets from centralized locations (the office) to the edge of the network.
“We saw a push to remote work, which certainly changed the threat landscape,” said Merritt Maxim, vice president and research director at Forrester Research. Examples include “trying to go after users through more sophisticated phishing attacks. Users [were] at home … [and] not as on guard as when they were in the office,” he said. “COVID-related threats are going to persist into this year and probably in the next and, in some cases, could be permanent.”
As IoT devices proliferate – and there may be some 21.5 billion devices by 2025 – it becomes even more critical to secure IoT environments and prevent breaches.
An Extreme Networks survey revealed that organizations remain highly vulnerable to IoT-based attacks. The research, which surveyed 540 security pros, found that 84% of organizations have IoT devices on their corporate networks. It also indicated that more than 50% of these organizations don’t maintain necessary security measures beyond default passwords.
As experts have noted, the proliferation of devices creates more weak points in the system.
In what follows, we explore key IoT security trends to expect in 2021 and how COVID-19 may shape these IoT security trends beyond the upcoming year.
1. Remote work and other edge use cases. During 2020, users’ home networks and devices became more significant attack vectors as workers were forced to stay home. IDC predicts that by 2022 more than 40% of enterprises’ cloud deployments will include edge computing.
And with proliferation comes increased vulnerability. According to the recent Cisco survey-based report “Securing What’s Now and What’s Next,” more than half of respondents (52%) said that mobile devices are now “very” or “extremely” challenging to defend. Mobile devices extend the network’s defensible perimeter beyond traditional data center assets or even cloud assets to the edge of the network.
“The attack surface has expanded significantly with IoT, cloud, 5G – [malicious attackers] are going to try to use the entry points that are least resistant,” said Sean Peasley, partner at Deloitte & Touche LLP.
Other vulnerabilities emerged as digital health became more prevalent with social distancing requirements.
According to the U.S. Department of Health and Human Services, the first half of 2020 witnessed a 50% increase in health care cybersecurity breaches. That’s partly because of the increase in remote work, which exposes corporate networks to myriad home devices and networks that may lack the security rigor of corporate counterparts. “Devices in the home could be compromised and then be used to move laterally to then get access to employees’ remote data with the surge in remote work,” Maxim said.
Indeed, according to a recent Healthcare Information and Management Systems Society (HIMSS) survey, 57% of respondents experienced an email phishing attack in the prior 12 months. With phishing attacks, it’s relatively easy for a malicious actor to use fraudulent messages to extract passwords or other personal data and then infiltrate systems further. In some cases, phishing attacks have been used to infiltrate IT systems, then cross over to breach IoT devices.
Experts say that education and training are critical as remote work becomes more prevalent. “It sounds cliché, but awareness and training are more important than ever,” he said. “[Employees] need to be as engaged and aware as possible, because they are ultimately going to help you stave off attacks.”
2. New IoT Cybersecurity Act legislation To date, the Internet of Things landscape has suffered from fragmentation and lack of consensus on common standards to which providers must adhere. As a result, devices use a range of protocols that aren’t interoperable and are often vulnerable, due to lack of patching and updates.
The IoT Cybersecurity Improvement Act, signed into law in December 2020, takes aim at this standardization problem in the U.S. The legislation establishes minimum security requirements for device manufacturers and uses standards provided by the National Institute of Standards and Technology (NIST), which will cover devices from development to final product. The act also requires the Department of Homeland Security to review and revisit the legislation up to every five years and revise it as necessary.
Experts say that the act will tighten security, but it’s no panacea. “The law does not ensure that everyone will comply, but the act does help,” said Sean Peasley, partner at Deloitte & Touche LLP. “The vendors are now expected to design and build the appropriate security capabilities into the products they develop.”
3. Increasing attacks on mission-critical infrastructure. In late 2019, pre-pandemic, a Siemens/Ponemon Institute study found that 56% of gas, wind, water and solar utilities around the world had experienced at least one cyberattack within the previous year that caused a shutdown or loss of operation data. Increasingly, the cybersecurity landscape has been defined by nation-state actors causing disruption through such breaches as NotPetya, WannaCry, Stuxnet and others. While some attacks seek to extract financial gain, many breaches by nation-state actors, Maxim said, seek to disrupt, disinform or otherwise throw a target off guard.
The remote work required by COVID-19 has amplified security vulnerabilities to critical infrastructure as well. Particularly as operations become more remote, it may augment these breach opportunities – often because workers do not have proper security built into home networks and connected devices.
“It will continue, and unfortunately, COVID may be the lever that [nation-state actors] use to spread disinformation about treatment, vaccines,” Maxim said. “Any time [malicious actors] can try to seed disruption or chaos in society, they will use that to their advantage.”
4. Ransomware attacks. At the same time, experts note that ransomware has targeted applications and data rather than IoT device hardware. In the third quarter of 2020, Check Point Research reported a 50% increase in the daily average number of ransomware attacks compared with the first half of the year.
Through another lens, though, IoT devices may be more protected than, say, traditional IT assets from ransomware attacks.
“That is one of the reasons that connected devices haven’t been as prevalent – it’s harder to monetize,” Maxim said. “From a hacker-effort standpoint, it might give me data to use for identity theft or scams, but it’s probably easier for them to get credit card numbers than go after your device directly.”
On the other hand, disruptions to OT systems can be far more dangerous than those caused by traditional ransomware.
“If you have access to credit cards, it’s not good, but it won’t stop operations. The OT incidents that have occurred have had a devastating impact on operations. The stakes have increased,” he said.
5. Increasing standardization. As enterprises increasingly rely on the cloud, virtualization and digitization of assets to become more efficient and cost-competitive, they often try to standardize systems. Standardization is generally good for business. It allows companies to scale products more quickly and enable back-end systems to interoperate more easily.
The downside of standardization, however, is that systematic flaws can more easily proliferate through systems that are built on common building blocks. Consider the Ripple20 code breach, which stemmed from common use of a TCP/IP library with bugs. Numerous enterprises used this code, rendering the breach associated with its buggy code more widespread.
“Standardization has also opened the door to new vulnerabilities. Once these standards are well known and well adopted, bad actors get smart to leverage those to our disadvantage,” Peasley said. Ultimately, though, standardization can forward business goals – particularly for cloud-to-edge infrastructure, which requires myriad systems to work with one another.
6. IT-OT convergence. While IT (information technology) involves data and applications, OT (operational technology) involves the equipment that gathers information. IoT technology is, thus, a part of both IT data and OT operations.
“There is a natural need to meld IT and OT together,” Peasley said. “It will create some necessary integration of the two.”
Peasely noted that the risks to OT are significant enough to have compelled these two siloed disciplines to merge further.
“If [malicious actors get] access to credit cards, it’s not good, but it won’t stop [company] operations,” Peasley said. “The OT incidents that have occurred have had a devastating impact on operations. The stakes have increased.”
During the pandemic, experts have noted, IT and OT necessarily moved closer together as many companies limited the number of workers on-site and defaulted to more remote monitoring and automation. While this provided benefits for social distancing and even automated response to anomalous events, it also merges vulnerable OT systems – systems that are not always updated or patched – with more mature IT systems.
“The pandemic may have forced more of that convergence, so [IT and OT departments] may have had to converge some of this stuff because people physically weren’t in the same building anymore,” Maxim said. “But IT is different from OT. A gas turbine in a power-generating plant is different from an employee’s PC. They provide different value and have different threat profiles.”
7. AI in cybersecurity. Increasingly, companies have turned to artificial intelligence to better identify and address cybersecurity threats. According to one survey of more than 800 IT pros with involvement in cybersecurity, 96% of respondents said they use AI/ML tools in their cybersecurity programs. AI helps security pros identify anomalous behavior automatically and sift through thousands or millions of data points daily. AI helps IT pros build policies to identify malicious activities and automatically quarantine traffic before it penetrates the network or other systems. AI-driven tools can also learn over time to identify new and previously unforeseen events far more efficiently than humans alone.
AI can also be used for ill, though, where malicious actors can use botnet attacks or other AI-driven means to assault organizational vulnerabilities. Forrester’s Maxim said that malicious actors may try to determine a company’s AI-driven thresholds to identify fraudulent activity, then deliberately keep attacks under that threshold of detection.
“Cyber is not a panacea. AI doesn’t mean that hackers can’t use it for their benefit as well,” Maxim said. Indeed, according to one Deloitte report, 56% of respondents said that their organization has slowed adoption of AI technologies because of emerging risks, including cybersecurity.
8. Best practices. Experts agree that there are key best practices that all organizations must adopt to stay vigilant and prevent threat actors from infiltrating corporate systems to gain access to data. It may take a threat actor less than a minute to proliferate a system once it has gained access.
Best practices include security by design (building security into your design architecture upfront), network segmentation (separating IoT devices from other network systems) and zero-trust policies (trust-but-verify policies, combined with policies that give users the minimum amount of access needed to be productive and multifactor authentication), say experts.
For IoT, it’s critical for these devices to be separate from other IT systems, enlisting network segmentation.
Security-by-design principles ask builders to think about security as they architect devices and systems – and to think about their interaction with other systems – rather than bolting on security after the fact. “Security is now a key business requirement in the early stages of a product lifecycle. Data, applications infrastructure, cloud all need to be considered,” Peasley said.
Zero trust takes a “trust but verify” approach and often requires more than one method of authentication.
Bug bounties are also a part of the strategy for organizations, where companies hire so called white-hat hackers to identify vulnerabilities in systems and software before malicious actors do.
And finally, employees need to be educated on new threats before they overtake an organization.
“It sounds cliché, but awareness and training are more important than ever,” he said. “[Employees] need to be as engaged and aware as possible, because they are ultimately going to help you stave off attacks.”