The Internet of Things (IoT) promises to revolutionise the relationships businesses have with their data. While it is still in its nascent stages, companies from every industry and sector are exploring different IoT use cases, looking for greater efficiencies and productivity.
One of the most widely discussed risks in IoT is that of security and privacy.
“There are critical elements in any ecosystem that must be assessed and evaluated for protection against cyber attacks, ransomware, and data breaches, and this is even more important when it comes to IoT,” says Jayson O’Reilly, GM of Cybersecurity at Atvance Intellect. “By their very nature, IoT devices pose new risks for organisations, as witnessed by the recent incidents at major international manufacturers.
“A cryptocurrency miner was found on several IoT devices, including automatic guided vehicles, with multiple incidents recorded across over 50 sites in the Middle East, North America and Latin America.”
He adds that IoT is still a relatively new technology, so its vulnerabilities are still emerging. “While the security and integrity of the devices and the network have been the focus of most security initiatives until now, we are fast discovering that IoT poses another underrated risk: Its role in supply chain attacks.”
According to research done by the Ponemon Institute, IoT providers have a lack of visibility into third-party safeguards and IoT security policies. The result is a “dramatic increase from 15% to 26% over three years in IoT-related data breaches specifically due to an unsecured IoT device or application”.
The Ponemon study concludes that there is a gap between proactive and reactive risk management, stating that it’s no longer a matter of “if” but “when” organisations will have security exploits caused by unsecured IoT. As a result, board members of organisations need to pay close attention to the issue of risk when it comes to securing a new generation of IoT devices that have found their way into the network, workplace and supply chain, the authors say.
The challenge, says O’Reilly, is that the IoT ecosystem consists of hardware, software, and services that are being provided by different vendors. The variety of vendors create risk on several levels, not least of which is the new interdependencies that companies might not fully appreciate.
“Supply chain attacks are all about finding and exploiting weak links so attackers can hop between organisations. By creating hundreds or thousands of weak links, the IoT is a cyber criminal’s dream. It is therefore essential for businesses using IoT ecosystems to start thinking about protection strategies to extend security throughout the entire IoT supply chain,” O’Reilly says.
A recent global survey of 1 300 companies found 90% were “unprepared” for supply chain cyber-attacks. Supply chain attacks now make up as much as 50% of all cyber attacks.
“In light of this, businesses must start defining security and controls for all supply chain partners, including every single vendor involved in their IoT ecosystem. A typical IoT ecosystem is made up of hardware, software and services. Each of these requires specific considerations and risk assessments. Also, as more devices are connected, more data is generated, leading to a whole new set of challenges. As the IoT matures, so will the security that needs to be in place,” O’Reilly adds.
NIST (the National Institute of Standards and Technology) is just one of many organisations passing guidance and laws around IoT devices. Companies must start to understand their risk and what the impact of an IoT supply chain attack may have on the organisation. A clear understanding will help drive decisions to develop the right contingencies and mitigation measures.
“The path to mitigation is a clear insight into the environment and having the data to understand the risks,” O’Reilly concludes.