Industrial IoT Concerns Worsen As More Devices Connect To The Web

It’s no secret that the “Internet of Things” (IoT) is one of the next big discussion points in the cyber security space. That is, security practitioners are actively seeking ways to shore up defense and get a handle of the network.

Gartner predicts that by 2020, upwards of 20 billion devices will be connected to the internet. Some of these devices will augment direct patient care; others will be deeply embedded in manufacturing.

The IoT network has grown so rapidly that cyber security teams are trying to play catch-up. They’re grappling with ravenous black hats who are attempting to lure IoT devices into botnets to inflict distributed denial-of-service (DDoS) attacks; or they’re attempting to crawl horizontally on the network to tap into sensitive data (say, personally identifiable information (PII) or protected health information (PHI)).

In a previous Cyber Security Hub report, we reviewed some of the dangers of the IoT network as it affects healthcare and industry. The July 2018 report read: “As IoT goes more mainstream – augmenting medical devices and next-gen industrial tools, etc. – it will no doubt require global standards. In the medical space, specifically, patient care could be directly dependent on IoT, meaning that there must be a fail-safe in place. That could be for smart devices in the hospital room, or even such devices as pacemakers. What’s more, as industry becomes more automated, these next-gen tools will likely depend on the interconnectivity of IoT.”

See Related: IoT Spending Predicted To Rise While Industry Calls For Regulations

Today, our focus is on the industrial Internet of Things (IIoT), and ways in which this growing platform could spell true danger for the enterprise. IoT devices managing critical infrastructure could prove vulnerable in the coming years, as threat actors prey on the devices and potentially impact power grids, chemical plants, pipelines, etc.

Threats like the VPNFilter botnet – going after network access storage (NAS) devices and other IoT products – lassoed half a million IoT products in Ukraine in May 2018. Experts believe that it was an attempt at a Russian cyber-offensive on the Eastern European nation.

Because many IoT products have proliferated in an age of less-than-stringent industry regulation, they may not be operating with a security-first mentality. Threat actors can seize these devices, disrupt critical infrastructure and potentially put lives at risk.

See Related: 5 Reasons IoT Security Is Becoming A Priority

Statistics around IoT safety are not that comforting yet, either. In a 2016 Tripwire Breach Detection Study, 60% of energy professionals were unsure how long it would take for automated tools to discover configuration changes on their endpoints or for vulnerability scanning systems to ping them with an alert.

What’s more, Chief Information Security Officers (CISO) and other executives must also be cognizant of the financial stakes of a service outage (or worse). For example, Tripwire references a 2016 ransomware attack on the Michigan Board of Water & Light, which cost the organization $2 million to employ security experts and a law firm. Going back a few more years, a 2012 malware attack on the oil company Saudi Aramco cost the giant approximately $1 billion – in replacing 35,000 computers, hiring six firms and dozens of experts to initiate incident response.

It’s now clear that the IoT network must soon be cut down to size – with regulation, budgetary attention and cross-sector information-sharing. If not, critical infrastructure around the globe could be at risk, especially because many industrial companies and suppliers are embracing the cost-saving connected devices.

Stay tuned to the Cyber Security Hub for more IoT coverage!

Be Sure To Check Out: 'The New Normal': Security Concerns Around IoT Inundation