Securing smart ‘things’ is getting more difficult, and more important

Study after study has shown that smart devices are proliferating consumer and business markets. One report estimates that connected Internet of Things (IoT) devices will increase from 15 billion in 2023 to nearly 30 billion by 2030. This estimate includes both customer-focused items and Industrial Internet of Things (IIoT) devices like maintenance sensors and control devices for a ‘shop floor.’ These devices are used in every sector for too many purposes for us to cover. Pick any product or service, and there’s a device somewhere that can automate something in the workflow.

What’s so scary about IoT?

This leads us to one of the biggest cybersecurity concerns today: how do we get the full benefit from these devices without being exposed to the threat actors who are using them to get into our homes, offices, and production areas? Anytime you establish remote access to a device, you are creating a doorway for an attacker. Whether the door is secure from intruders is up to you.  This means that it is your responsibility to 1) know there is a door, 2) lock the door, and 3) hide the door.  

Let’s start with that first one. Consumer-facing IoT devices are intended to be easy to install. They all come with a warning to change the admin password, and maybe there’s a setting for automatic updates. Most people just want to start using the device, and if the device doesn’t enforce security, then the device might never be secured. Cyberattacks aren’t on the minds of most home users, though there is a risk to them if a hacker makes it through. There is a legitimate business concern that consumer-grade IoT devices make it into an office without being authorized and managed. If you have a single, unsegmented business network, this type of device can create a new pathway to your data.

What’s inside your IoT?

Another scary scenario is that many IIoT devices and Operational Technology (OT) devices have critical security vulnerabilities that cannot or have not been remedied.  These devices are embedded in the management of critical infrastructure, supply chains, security operations, and probably every type of production environment. Many of these industrial systems have been in service for decades and have outlived their supported lifecycle. They may have even outlived their manufacturer. You can never guarantee that such a device is protected from known vulnerabilities unless you have a third-party developer building new updates for that device.

Compounding the problems with legacy devices is that many IIoT and OT deployments have inconsistent configurations. Large-scale manual deployment is tedious and can lead to distractions and mistakes. There’s no reason to deploy devices manually when so many SASE solutions like Barracuda SecureEdge can automate the process. Configuration templates and automated deployments make it much easier to ensure that all devices are meeting the same security requirements. A configuration mistake in this environment usually requires less time and fewer steps to fix once it is discovered. This type of automation puts the system administrator in control of the entire deployment in terms of security patches and configuration updates.

Multi-year IoT projects are challenging

Companies that roll out their projects over several years may encounter unexpected challenges. It is not unusual to schedule large projects in multiple stages, but the differences in device capabilities from project year 1 to project year 3 can be huge. Technology changes rapidly, especially when it’s hot tech like IIoT and OT. These differences can create security gaps and compatibility problems.  All devices must be brought up to standard and added to the current security and patch management plan. Companies that expand to new facilities or acquire existing companies through merger/acquisition also face these challenges.

The risk posed by the proliferation of smart devices is not just about unmanaged consumer devices or legacy industrial systems. Sometimes companies purchase the vulnerabilities when they purchase the system.

• Unpatched vulnerabilities in a video-enabled smart intercom allow threat actors to access the attached network, steal photos and videos, and control the camera, microphone, and locks.
• Vulnerabilities in Trusted Platform Module (TPM) 2.0 can allow an attacker to compromise a device. TPM is a security technology used by billions of devices and computers.
• Shenzhen i365 Tech shipped hundreds of thousands of personal tracking devices with a default password ‘123456.’ These passwords can be changed by the user, but several other vulnerabilities exist that allow threat actors to hijack these devices, take control of the microphone and speaker, and track the user’s location.

A recent study shows that IoT cyberattacks have increased 87% year-over-year from 2018 to 2022. These attacks will continue to rise because threat actors know there will always be vulnerable devices attached to something valuable.  These criminals are looking for that big payday by infiltrating systems and creating damage that goes beyond the company. Depending on the type of victim, a cyberattack can leave customers, suppliers, and partners without the products they need. In some cases, a cyberattack has a big enough footprint to cause employee layoffs and market price fluctuations. 

Defending IoT and OT devices

There are billions of connected IoT and OT devices in homes and companies around the world. That is a huge attack surface to defend, but there are things we can do to reduce the risk of attack:

• Maintain a current inventory of all IoT and OT devices that are connected to the network and include them in the patch management strategy. Monitor the activities of these devices and watch for anomalies. Do not allow rogue IoT devices like smart appliances on the network and terminate the connections of unused or unmanaged devices.
• Separate IoT/OT devices from critical systems and data to limit the reach of a compromised device. A segmented network can stop the lateral movement through the network and prevent a threat actor from getting into sensitive business data and applications.
• Change the default password of a device as soon as its deployed. Enforce a strong password policy that makes sense for your organization. Enable multi-factor authentication (MFA) on these devices when possible.
• Choose tamper-proof devices that support secure firmware and software updates. Protect devices with Barracuda CloudGen Firewall Rugged or Barracuda Secure Connector when possible. With Barracuda SecureEdge you can automate the secure deployment of these devices.
• Maintain a culture of security in the workforce. This includes enforcing complex passwords, MFA, the principle of least privilege, and training employees on secure practices across all threat vectors. IoT/OT should be included with this training and in the company Acceptable Use Policy if applicable.

Individual consumers aren’t off the hook either. There are plenty of things people can do to keep the devices in their homes safe from intruders and malware:

• Make sure your home router is secured by a unique and complex password and MFA if possible. Change the default login credentials right away, turn on encryption, and install security updates when they are available.
• Keep your IoT devices secured and updated with complex passwords, encryption, the latest updates, and MFA if possible.
• Use a guest network for your IoT devices to limit their access to your home computer network. This reduces the risk of access to your data. This is especially important for people who keep sensitive data on their home network.

In short, use the security features you have on home devices to the best of your ability. It’s not always practical to have complex and unique passwords on every device, but it’s important to make sure that no one opens a door to your network. If threat actors gain entry to your IoT devices, they can make those devices part of a botnet. Then your own network will be used to aid in cybercrime.

Barracuda offers several solutions to protect business networks and IoT/OT devices. Find out more and get a free trial or a demo at www.barracuda.com.