After a record year in 2020, cyberattacks continue to escalate in severity, frequency, and sophistication. It’s a challenge exacerbated by the rapid expansion of the Internet of Things (IoT) ecosystem that includes everything from cloud-based operations and sensor technology to a plethora of devices. By 2025, the number of IoT connections could hit 30 billion. That’s a vast—and growing—attack surface. One that 77% of organizations are facing without an incident response plan. Alas, there are no failsafe precautions, but you can increase your cyber resilience and make yourself less of a target.
Securing the Internet of Things
In our rush to adopt new digital technologies, many businesses overlook the necessary security measures that will enable them to benefit from all that lovely data and connectivity while minimizing the risks. And rest assured, opportunities for hackers to penetrate your critical infrastructure exist right across the spectrum, from outdated hardware and VPNs to crypto storage and tracking updates and patches. Let’s take a look at six common points of entry.
1. Hardware errors and vulnerabilities
One huge challenge facing hardware is the inherent vulnerabilities within processors exploited to carry out attacks by injecting malicious code into trusted devices. Spectre is a security vulnerability affecting processors on desktops, laptops, smartphones, and cloud servers. It takes its name from ‘speculative execution,’ which enables processors to predict instructions, prep the resulting path, and fetch commands from memory. By breaking the isolation between applications, Spectre ‘tricks’ programs into leaking sensitive data, including passwords, via a side-channel.
- Monitor the uncovering of general security vulnerabilities.
- Identify critical infrastructure that can be affected by such vulnerabilities, ideally automating this process with the help of an inventory.
- Patch critical software with workarounds—even though this can have performance drawbacks.
2. Outdated, weak, and compromised firmware
Between October 2019 and June 2020, Mozi botnet—a peer-to-peer malware—eclipsed threats from other variants like Mirai to account for nearly 90% of observed IoT network traffic. The reason for the ballooning of this malware? The rapid expansion of the IoT landscape and its adoption of command injection (CMDi) attacks that exploit misconfiguration of IoT devices. Everything from home security cameras and vehicle trackers to industrial control systems can fall foul of ‘denial of service’ attacks, data theft, and spam.
- Keep devices’ firmware up-to-date.
- Use a device inventory that protocols firmware updates.
- Educate yourself about firmware exploits.
- Test every device against common attacks before putting them into service.
3. Locked master credentials
Weak, easy to guess passwords or old passwords are easy targets for hackers. Still, even if you’re diligent about cyber hygiene, many IP cameras cannot be protected by changing the default credentials, making security next to impossible. Because you can’t change the hardcoded credentials, attackers ignore new passwords and gain access to the camera and private videos, and even perform remote command injection attacks on other devices on a local network. Reviewing your identity, authentication, and privileges protocols is essential.
- Use truly independent keys for each device.
- Allow key-rotation.
- Separate admin keys from user keys.
- Use hardware-backed key-stores for critical devices.
4. False Data Injection Attack (FIDA)
As the IoT expands, FIDA has become a top priority issue. It involves sending stealth signals from a fake sensor to compromise readings that will trigger an undesirable action. It might be a water level sensor that prompts the opening of a flood gate. Or feeding users false data that skew an election result. It could include adjusting information on healthcare records to derail diagnosis and treatment.
IoT technologies like state estimation are used in smart grids to monitor physical and environmental conditions. By injecting malicious data that comprises meters, an attack can result in inaccurate real-time electricity pricing, even widespread power failures. Whether hackers demand a ransom for withholding sensitive information or opt for the direct disruption of services, fallout from a FIDA can be devastating. And the broader challenge goes beyond navigating the attack itself to include weeding out false information inputted via legitimate channels.
- Monitor the activity of each device to detect anomalies.
- Don’t use automated triggers without redundancy or sanity checks.
- Validate incoming data and verify device identities.
- Use dedicated and limited APIs for your devices.
5. Infiltrating the internal network via a weak device
It’s a challenge to review every device, but it only takes one weak link to bring down your entire system. Once infected, that device spoofs the network and looks for other vulnerable infrastructure like servers or workstations. Then you’re not only at risk of a serious data breach, but also denial of service when the network is flooded with traffic until it crashes. When critical IT components trust every peer in an assumed private network, the attacker can gain access or control to critical infrastructure like shared file systems or databases, so robust identity and authentication policies are part of strong IoT security.
- Use fine-granular VPNs that disconnect easily compromised devices from critical internal infrastructure through firewalls and network rules.
- Don’t trust devices just because they are on your network; always add another level of authentication.
6. Takeover of admin accounts to reprogram devices
Earlier this year, Transnet, a rail, port, and pipeline company in South Africa, experienced a cyberattack that disrupted its IT network, forcing the company to declare a force majeure. It meant halting operations at its container terminals—including Durban, which handles over 60% of South Africa’s container traffic. The result was massive delays to deliveries, increased road freight congestion, and disrupted exports.
- Protect your cloud infrastructure with fine-granular roles and permissions.
- Automate processes and eliminate the need for root access wherever possible.
- Use two-factor authentication and provide admins with thorough security training.
- Enforce a ‘four-eyes’ principle—meaning at least two people must approve an action or decision—for potentially disastrous operations.
Access the right expertise to get IoT security ready
Cybersecurity statistics point towards an increasingly hostile landscape. As the IoT ecosystem flourishes, it’s not a matter of if but when you’ll experience some form of attack. It indicates the need for greater cyber hygiene and proactive resilience planning—and testing. The sheer scale of the challenge is daunting, especially if you lack the necessary IoT security skills. But the right technology partner will help you conduct a comprehensive risk management assessment to pinpoint weaknesses, implement best practices, and draw up a watertight incident response plan to mitigate the damage if the worst happens.