As digitalization increases, industry leaders are increasingly adopting IoT technology. Paul Keely, Chief Cloud Officer and Open Systems, elaborates; explains what IoT and OT are and draws our attention to the importance of understanding the key issues that threaten IoT and OT systems.
Enterprise deployments of Internet of Things (IoT) devices are growing rapidly as more connected devices are deployed by businesses large and small around the world. From smart fridges in breakrooms to copiers that order their own toner to sensors that detect failures early in mission-critical equipment, IoT enables companies to monitor, automate, control and manage many aspects of their business operations.
However, these devices and their network connections represent a potential increase in an organization’s attack surface and provide more vulnerabilities for attackers to exploit. A key reason for this is that these devices often have built-in vulnerabilities that are often overlooked or even unknown to IT staff, as smart devices are rarely managed as carefully as their traditional IT counterparts.
Internet of Things explained
Simply put, the IoT is a system in which devices and sensors are connected to collect and share important data. IoT devices connect to the Internet over a variety of networks such as Wi-Fi, cellular, Bluetooth, and Zigbee. In addition, these devices can also use Google Home, Amazon Echo and other such gateways for internet connection.
The wide variety of IoT devices ranges from simple sensors to detect and monitor temperature, motion, sound, light, gases and other factors to complex devices including smart thermostats and even cars. The data collected from IoT devices can be used to monitor and control the devices, as well as to track and manage the data collected from the devices.
Focusing on the industrial use of the IoT; We are entering a category of these devices called Operational Technology (OT). This more business-oriented category of IoT refers to the hardware and software used to identify, monitor, and control physical devices, processes, and events in an organization.
One early adopter of OT is the agribusiness, which has embraced it with enthusiasm. Connected devices are widely used for real-time monitoring of solar radiation, soil moisture, humidity, temperature and other factors affecting crop health. This data is then used to automate irrigation along with other farming operations. Similarly, both local and national governments use a variety of smart devices to monitor energy usage, water and air quality.
What are the security issues for IoT and OT?
One of the main issues with IoT devices is the lack of awareness that IT organizations have of their ownership – this is primarily true for IoT and less so for OT devices. The reason for this is that OT devices usually cost a lot of money and actually drive the business functions that a company uses to do business; like the CNC machine tools of an industrial manufacturer. IoT devices, on the other hand, suffer from “device sprawl,” making it easy to deploy relatively cheap devices in office buildings, most of which only use Wi-Fi for connectivity.
This lack of awareness means these devices are not part of the company’s patching and firmware update processes. In particular, this failure to routinely update firmware has been quite a problem up until now.
Data breaches, cyber attacks and privacy issues are often the result of compromised IoT devices. Once a vulnerable IoT device has been attacked, malicious actors can often move sideways within an organization’s network, depending on the architecture of the network and how the device is connected.
Even more worrying is that we are now seeing IoT devices falling victim to command and control (C2) attacks. It was recently discovered that Trickbot, a malware previously targeting computers and IT systems, is now affecting IoT devices. Trickbot compromised IoT devices and then used those devices to attempt lateral movement and gain access to the target network with more critical data.
As if this weren’t enough, the increasing adoption of OT in many industries – and particularly manufacturing – presents attackers with a potential opportunity to carry out cyberkinetic attacks, where their attack in cyberspace affects the physical world. For example, by preventing a centrifuge from automatically slowing down at a certain point, an attacker could cause the centrifuge to keep spinning until it fails, potentially injuring nearby workers.
The potential for such attacks to disrupt or even bring down business operations is real. To ensure adequate protection against these attacks, it is important to first understand the key issues that put IoT and OT systems at risk:
The old saying; “You can’t protect what you can’t see” applies to IoT and OT as well as other IT environments. Unfortunately, many companies lack the necessary instrumentation to discover all of their IoT assets and gain visibility into their entire IoT holdings.
Most standard device management toolsets like Microsoft’s Configuration Manager are unable to patch IoT devices. Even when organizations consider the IoT devices in their environment, they don’t always manage them appropriately.
- Insecure software and firmware
It’s an unfortunate truth that IoT and OT devices often have inherent software and firmware vulnerabilities, despite the hard work of the people managing the systems. There are frequent reports online showing insecure devices being sold with known vulnerabilities years after discovery.
- Mismanagement of accounts and passwords
Failure to properly manage accounts and passwords remains a critical problem. Thousands of security cameras used by numerous organizations were hacked after an administrator’s account credentials were leaked online.
- Weak and inconsistent monitoring
Effectively using SIEM and other cybersecurity tools to properly monitor IoT and OT devices and reliably detect threats has been extremely difficult. This often results in these devices being monitored or manually checked by a secondary system, or sometimes not monitored at all.
While the threats are real and the issues that limit effective security are challenging, the value of IoT and OT is too great to ignore.
Luckily, properly securing IoT and OT devices is pretty easy. It starts with deployment when devices should be properly configured. Installing patches immediately is just as important as practicing good cyber hygiene at all times. In addition, it is important to maintain an up-to-date inventory of all IoT and OT devices. Without such an inventory—which should contain relevant information about all of these assets—organizations don’t have the visibility to protect these devices.
Click below to share this article