SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Story image
Has IoT increased our exposure to cyber threats?
Thu, 12th May 2016
FYI, this story is more than a year old

By Sandy Verma, Senior Director, IoT Strategy, Asia Pacific, AT-T

Cybersecurity is already top of the agenda for many corporate boards, but the scale and scope of Internet of Things (IoT) deployments escalate security risk, making it harder than ever for C-suite executives to protect their businesses.

The rapid rise of the Internet of Things (IoT) presents organisations with the opportunity to improve internal efficiencies, provide better customer service, enter new markets and even build new business models. From healthcare to utilities, automotive, manufacturing and logistics, industries are already being transformed by IoT, and the expectation is that almost every sector will be impacted in the near future.

This has serious security implications. The scale of connected devices greatly increases the overall complexity of cybersecurity, while the scope of the IoT ecosystem amplifies these challenges.

According to the AT-T State of IoT Security survey,  only 10% of respondents are fully confident that their connected devices are secure, and only 12% are highly confident about the security of their business partners' connected devices. The issue for today's CEO is not how to convince their board of directors that the risk is real, but how to identify the threats, design and implement mitigating measures and communicate this preparedness to win the full backing of their directors.

Where are the risks?  At the most basic level, a lot of the vehicles, shop-floor equipment and other devices now being IoT enabled were not built with Internet connectivity or security in mind. This leaves a lot of weak spots through which hackers and other cybercriminals can enter corporate networks. Over the past two years, AT-T's Security Operations Center has logged a 458% increase in vulnerability scans of IoT devices.

Furthermore, many IoT devices are not properly monitored. Nearly half of the AT-T survey respondents admit they are merely estimating the number of connected devices they have; only 38% use device management systems or software to identify connected devices and just 14% have a formal audit process in place.

The security challenge increases as IoT devices begin to bridge the digital and physical worlds. Thousands of interconnected IoT devices already control physical infrastructure, such as production lines, supply chains and utilities, as well as airplanes and cars. For example, in the IoT-connected car, IoT sensors gather performance data to monitor maintenance schedules, troubleshoot problems and analyse usage. Other sensors, paired with voice controls and mobile apps, add functions such as navigation and a variety of infotainment features.

From an organisational point of view, any data breach can significantly damage share price, market position and corporate reputation. When your IoT deployments also carry a risk to human safety, no matter how small, the stakes are much higher. This adds an entirely new level of complexity to your information security strategy.

How can we respond? Given this level of risk, security must be the bedrock of every IoT development and deployment, not an afterthought.

First, it is imperative that the CEO sees to it that security expertise is infused into the IoT development process from the earliest stage. Building security into IoT devices and their connecting networks from the start is key to helping to protect a growing IoT infrastructure. This means multiple layers of security controls, including encryption, to help protect mission-critical functions. It also means architecture that is designed to restrict the interdependence of connected systems.

In the connected car example, critical safety systems and engine control units can be isolated so they cannot be accessed through infotainment and communication systems.

Second, it may be that corporate boards and C-suite executives will need to modify their existing cybersecurity policies and systems to accommodate IoT strategies. In any case, IoT strategies must be tightly integrated with wider corporate IT and business strategies. You will need to take steps to timely patch and update software and firmware, and implement controls to identify and contain security breaches as they occur.

To be effective, this integrated security strategy will need to encompass the entire IoT ecosystem, covering not just your own devices, data and applications, but those of your partners and customers as well. In an industrial setting, where IoT sensors, actuators and other devices monitor and control machinery to improve efficiency, this will mean establishing authentication and authorization controls throughout the ecosystem.

Prepared for success The magnitude of the IoT, and the consequences of a breach, are now so significant that it is vital that businesses anticipate security needs before new devices are deployed. Clear lines of responsibility, consistent security procedures and top-down engagement in IoT security are necessary to avoid problems and deal with inevitable attacks. The attention and involvement of the executive team and board members is a strong indicator of IoT success. By Sandy Verma, Senior Director, IoT Strategy, Asia Pacific, AT-T