The Internet of Things (IoT), once a siloed niche of IT, has changed the way industries work. Manufacturing, healthcare, transportation, government, logistics, analytics, and cloud computing are just a sample of industries currently reaping the benefits of IoT. According to McKinsey & Company, IoT captured $1.6 trillion of value in 2020. By 2025, they estimate that number will reach between $2.8 trillion and $6.3 trillion. Additionally, the International Data Corporation (IDC) projects that by 2025 there will be 55.7 billion internet-connected devices generating 73.1 zettabytes of data. Clearly, opportunities will continue to abound for companies to innovate their operations, services, and products with IoT. However, to achieve IoT’s promise of automation and interconnectedness, a company must have an effective security infrastructure and protocols to mitigate the associated risks.
Know the Risks of IoT
The same IoT technology that provides value to a consumer or organization also benefits the hacker. Because IoT deals with physical objects, the impact of a malware or botnet attack can be drastic for organizations and individuals. From medical devices to home appliances to devices reporting on machinery status, a hacker can exploit these endpoints for nefarious purposes. For example, a pipeline could shut down because a hacker accesses the pipeline pressure sensor to falsely report an overpressure situation. Or a home appliance could be accessed to cause overheating and start a fire.
Of course, not all intrusions result in system malfunctions. Hackers will also access IoT devices to exploit or steal important device and personal information like location and other identifying markers. Even if a single piece of data is relatively benign by itself, it can be used as a reference point to complete a picture of an individual or device, which can then be exploited or attacked. With the increase in remote workers due to the pandemic, cybercriminals have taken a keener interest in IoT devices, further highlighting the need for effective security measures to protect individuals and organizations.
Choose IoT Security Now, Rather Than Being Forced to Later
IoT’s innovation has outpaced legislation. Despite IoT’s ubiquity and the prevalence of hackers, the rules and regulations regarding security are lacking. In 2020, the IoT Cybersecurity Improvement Act was signed into law. While this is a step in the right direction, it is not sufficient to fully safeguard individuals and organizations against cyberattacks. The act relates only to IoT devices acquired and operated by the Federal government, leaving most of the IoT landscape in its current “wild west” environment. Other legislation is in flight that, if passed, would allow home appliance manufacturers to be held materially and civilly liable for damages resulting from exploited vulnerabilities. If it becomes law, this could open a new set of consequences for companies.
Because current legislation does not reflect the actual risk associated with IoT, companies should establish and apply their own security standards and practices now to protect their devices, their consumers, and their own interests in the future. Despite a general awareness of security vulnerabilities, and even specific attacks from botnets like Mirai and Gh0st, many companies remain slow to take effective, proactive measures to improve how IoT data is captured, stored, and transmitted. Given the improved market share that comes with a focus on ease-of-use and speed-to-market, it’s understandable that companies choose to defer security standardization. Again, this can be to a company’s detriment. By staying ahead of the legislation, a company can stay ahead of material and civil damages resulting from exploited vulnerabilities.
AIM Can Help You Protect Your Customers and Yourselves
Generally, an effective data protection strategy should include the following:
- Regular updates and patches for the software collecting the data (much like a server)
- Examination of authentication, including a requirement that no hard-coded passwords be stored
- Robust identity and access management structure to ensure proper permissions are in place to prevent non-authorized devices from capturing and sharing data
- Required encryption of all data in transit and at rest, and closure of any and all telnet-type ports
- Penetration testing and hackathons to identify vulnerable data points and close them before they’re exploited in production
AIM’s Cloud and Operations team can help you understand your specific IoT vulnerabilities and implement the data governance model that will best serve your customers and organization. Let AIM help you securely achieve IoT’s grand promise of automation and interconnectedness!