BTEX 2023: How to Keep Your IoT Environment Cybersecure

Cybersecurity concerns regarding IoT were also raised during a recent presentation by Noor Bains, Principal Security Advisor with CDW Canada, during our 2023 Business Technology Expo in Toronto. According to Bains, the adoption of IoT has significantly increased the potential for more cyberattacks on business and that one in four Chief Information Security Officers (CISOs) who say they have adopted “large scale” IoT mentioned experiencing some type of attack in their environment.

Bains explained there are many reasons for IoT cyberattack increases, including rapid adoption of the technology, which has during the past decade seen 16 percent year-over-year growth in deployment. IoT use cases have extended to processes and applications such as incident command systems, heating, ventilation and air conditioning (HVAC) environments, manufacturing processes as well as countless personal assistant devices.

Bain explained the evolution of cyberattacks over the past two decades, which began with what he described as a first phase from 2005 to 2009, where most attacks were Windows-based malware and Trojans. From 2009 to 2015, as more devices became connected, cyberattackers focused on monetary gain, while certain nation states focused on geopolitical attacks designed to disrupt or interfere with other nations, he said.

From 2019 onwards, nearly every computing device became connected and there has been an explosion of IoT devices used by many business types and industries.

“Attacks are no longer against one particular organization or vertical,” Bains said. “It's attacks against attack surfaces that are potentially vulnerable and can be exploited.” By way of example, Bains cited a 2021 attack perpetrated by a drone in a commercial environment. The drone found a vulnerability in (smart) light bulbs…and ended up being able to take over operation of the entire facility.

“Any attack surface that's vulnerable will be exploited,” he said.

The potential outcomes of cyberattacks that target IoT connections can be lethal, when talking about self-driving cars or medical devices, he added, saying the key to protecting IoT environments is having visibility and understanding data you need to protect. Unfortunately, not all IoT environments are subjected to vulnerability scanning and that can create a serious visibility problem for IT and security administrators.

Bains further explained that teams that manage IoT environments need to understand what, where and how data is stored – whether it is in a public or private cloud, whether is it encrypted or not and how long should it be retained. That requires IoT governance, which means creating data policies and understanding risks, he said. And IoT governance and security policies are crucial.

“When we talk about IoT security policies, it’s a matter of both understanding data and how to categorize risk,” Bains said. “We must make sure that policies and procedures are implemented that address people, processes and operational technologies.”

It's also vital to evaluate and assess IoT devices and policies to determine:

• Is that device vulnerable?
• Do your security policies account for the presence of operating systems on IoT devices? 
• What data is stored on an IoT device – is it personal information?
• What type of device is it? (Does it have a camera? Are there sensors?)
• Who is responsible for the personally identifiable data that may be collected by those devices?

Bains said organizations should also look to put security policies in place that consider cross-functional team collaboration on IoT devices, which he says could present a vulnerability gap. And, if a device that has never been connected to the IoT is added but not properly security patched, then organizations need to consider the potential implications of that scenario.  

“If we can train procurement to make sure that they are able to detect any new IoT devices, then IT security can come in and make recommendations and determine if the (device) fits within the IoT security policies that an organization has,” Bains said.

From a process controls standpoint, there needs to be understanding of IT hardware that exists in the IoT environment, especially storage capacities. The greater the storage capacity, the more potential there is for data exfiltration in the event of a breach, he said.

With software, there needs to be recognition of the underlying operating system and whether it would allow a device to be remote controlled – another potential vulnerability gap. Another important question to consider is whether digital certificates can be introduced on a device. If certificates can be used, then that device can be identified and authenticated.

Technical controls are the last step, once IoT policies, procedures and governance have been established. Devices need to be authorized to run in network segments. Network segmentation is an important element of technical control and, when done correctly, can immediately stop the lateral movement of unauthorized traffic deeper into an IoT environment and effectively kill a cyberattack, Bains said.

Technical controls are established when an IoT device is added and will validate whether that device is trusted and authorized to run in the environment. Not all IoT devices within an organization can utilize technical controls due to the limitations of some, but most can use them. However, if an IoT-connected device cannot be brought under technical controls, then it should be noted and registered by the organization, Bains said.

And finally, always ensure proper security and analytics are used. In the event of a potential network or system compromise, an alert needs to be generated. Network access controls are needed to ensure devices should only be accessed from specific IP addresses and for monitoring, detecting and removing unauthorized devices from the environment.