It is estimated that 80 percent of connected devices are vulnerable to data breaches.1 With 8.4 billion connected products in use in 2017, and estimates for 20 billion by 2020,2 cyber security and interoperability are suddenly considerations for product design across multiple industries. As the Internet of Things (IoT) continues to grow, it’s important to closely examine major threats that could result in data breaches, as well as ways to mitigate them and ensure an integrated ecosystem with seamless communication.
According to a recent study3, some of the most common cyber attacks include:
- Malware: By far the most frequently encountered threat. There has recently been a rise in click-less infections and file-less attacks, as well as increased attacks on operating systems previously were considered “safer,” such as MacOS and Linux. The primary targets for malware are vulnerable software products, non-secure connected devices and users.
- Social Engineering/Phishing: Accounting for nearly 90 percent of social attacks, last year nearly one-third of phishing breaches were targeted. Almost all successful phishing attacks are followed by malware installation.
- Malicious code: Especially risky when working with outside vendors and suppliers, malicious code can make devices susceptible to attacks.
- Botnets: A large percentage of IoT devices are assumed to be vulnerable and, when compromised, can become part of botnets.
- Malicious insiders: Insider threats have been a major risk for years. They continue to present risk since it is difficult for most organizations to distinguish them from benign activity.
- Ransomware: Comprising between 60 and 75 percent of malware payloads, incidents of ransomware are on the rise. Healthcare providers and critical infrastructure are particularly vulnerable to these attacks.
When it comes to IoT devices, it’s important to consider the following during product design, as they can all lead to the threats listed above:
- Security vulnerabilities: Devices shipped with software that is outdated or becomes outdated over time offer an opening for attacks. Additionally, weak authentication and authorization in products not designed or built with security in mind makes malicious attacks on IoT devices easier.
- Flaw remediation & patching: Having a process that (a) acknowledges vulnerabilities will be identified in deployed devices, and (b) prioritizes and fixes the vulnerabilities and pushes out patches to end-users in a timely manner is key to mitigating security vulnerabilities.
- Non-secured (unencrypted) communications: When a connection is not encrypted, it can be accessed and is prone to threats by malicious software, as well as unexpected events. Non-secured connections allow anyone searching for information to access networks and data, such as logins, passwords and other private information.
- Malware infection: Malware can infiltrate IoT devices, disrupting operations and compromising their data.
In addition to training employees, consumers and vendors about general safety around things like malware, social engineering, phishing, botnets and ransomware, there are several ways that manufacturers can mitigate cyber security risk in connected devices.
- Develop/Use certified and correctly configured products. This will help address issues with malicious code, botnets, malicious insiders and potential ransomware. For developers, the benefits include identification of security flaws early in the product development cycle, thereby reducing mitigation costs later. It also builds product reputation by offering more secure products, and peace of mind, to consumers. Additional benefits include easier product comparison, quicker buying decisions in buying and buyer confidence and assurance.
- Certification of information security management systems. Use the four-stage “Plan, Do, Check, Act” process outlined in ISO/IEC 27001. Among other things, this process reduces risks related to stolen devices and malicious insiders. An information security management system can preserve the confidentiality, integrity and availability of information by applying a risk management process applied to the design of processes, information systems, and controls. The benefits include demonstrating a commitment to managing information security, competitive advantages, improved operating processes and a better opinion of an organization.
- Third-party consulting for threat risk assessments (TRAs), vulnerability assessments (VAs) and penetration testing. Using the techniques laid out in in ISO/IEC 27005 and 27032, a TRA can indicate weak points; ISO/IEC 27002 security controls can then be used to establish fixes. VAs identify latent vulnerabilities, as well as providing recommendations for improvement. Penetration testing can illustrate how vulnerabilities can be exploited. VAs and penetration testing can be done along with TRAs or separately, depending on an organization’s needs.
- Supply chain assurance assessment and certification. One compromised link within a supply chain can affect many organizations and these attacks are becoming more mainstream with expectations to continue to grow. Running assurance assessments and certification processes within the supply chain can help ensure the safety of a product and protect against bad code and software issues. By reducing weak links, you can mitigate the risks attackers seek to exploit.
While assessments and mitigation for cyber threats can help secure a single product, in today’s connected world, interoperability is another component that must be addressed, both for security and performance needs. The connected world relies on products to exchange, share, and interpret data. Interoperability ensures that systems can form an integrated ecosystem, communicating with one another effortlessly.
When designing IoT-enabled products, consider the following:
- Other devices that may be on the network with your product, and their function
- Risk factors around access control
- Default and/or hard-coded credentials
- A clear path to update legacy firmware
- Clear text data transmission and storage
- Unneeded open ports
Testing products and devices for interoperability ensures that components work together in a secure manner, without sacrificing performance. Iinformation security management systems utilize the four-stage “Plan, Do, Check, Act” system and this can be employed to test interoperability.
- Plan: This phase involves identifying improvement opportunities with the product and systems. Evaluating the current process and pinpointing causes of failures will allow you to develop an action plan that can be implemented when the need arises.
- Do: At this step in the process, it is time to implement the identified improvements, collect analytics and data, and document issues and failures. It is important to keep all the information on hand for future use.
- Check: During the “check” phase, any results from the previous stages must be reviewed and analyzed. After the analysis is complete, it is time to identify whether the necessary improvements were made. If they were not, return to the “Plan” and “Do” phases until improvements have been met. As with other steps, documentation is important.
- Act: Based on the previous stages’ observations and failures, this is the time to implement changes to whatever did not work and continue practices that did. It is important to continue to reiterate the PDCA process, starting at this phase.
One of the most effective ways to test for interoperability is to place products in a simulated environment to check for interoperability issues and how new devices connected to the system impact the performance of other devices on the network. Software testing is also an important component of interoperability as it uses manual and simulated test processes to verify the product meets all functional, performance, security, and quality requirements. This will include test plans, simulations and analysis.
IoT is growing at an exponential pace. Manufacturers across multiple industries, from healthcare to consumer products to HVAC systems and home security need to successfully navigate the new waters of cyber security concerns and interoperability considerations. With new regulations like GDPR coming online, it is important to take whatever steps are necessary to protect data, keep consumer information secure and create seamless communication between devices. This ensures the success of the IoT, its products and the reputations and brands of the manufacturers providing the experience of this new frontier.
- AdaptiveMobile estimates up to 80% of ‘connected’ devices do not have adequate security measures. March 22, 2016 https://www.adaptivemobile.com/press-centre/press-releases/adaptivemobile-estimates-up-to-80-of-connected-devices-do-not-have-adequate. Accessed 3/20/18
- Gartner. Gartner Says 8.4 Billion Connected “Things” Will Be in Use in 2017, Up 31 Percent From 2016. https://www.gartner.com/newsroom/id/3598917. Accessed 3/20/18
- Accenture and Ponemon Institute. 2017 Cost of Cyber Crime Study.
For additional information, visit the following links:
- – http://www.intertek.com/knowledge-education/iot/connected-world-cybersecurity/
Filed Under: Cybersecurity, M2M (machine to machine)