Last October, long-standing predictions that the burgeoning Internet of Things (IoT) would form a launching pad for new cyberattacks hit home in a big way. As many as 100,000 malware-infected IoT devices flooded two major internet service providers with superfluous traffic in a broad distributed denial of service (DDoS) attack. Among the many commercial websites impacted were Twitter, Amazon and Netflix.
Now, several months out, the concern about IoT-based attacks has started to fade in some quarters. The threat only continues to grow, however, and organizations can’t afford to let down their guard.
The AT&T Cybersecurity Insights report The CEO’s Guide to Data Security sheds light upon the amount of suspicious activity directed against IoT devices. During the first half of 2016, AT&T tracked a 400 percent increase in scans of IoT devices – a clear sign that these devices were being probed for vulnerabilities and for possible attack or “recruitment.” With the number of IoT devices expected to grow from about 6 billion last year to more than 20 billion by 2020, this mushrooming IT sector presents an irresistible attack target for hackers, thieves and others of ill intent.
There are two fundamental reasons for organizations to do all they can to provide security for the IoT devices they deploy. The first reason is for self-protection, as compromised devices may reveal sensitive data or in some instances, be forced to malfunction. With IoT devices controlling everything from factory robots to cars to human pacemakers, the consequences of malfunctions can be dire.
The second reason to provide security for these devices is simply one of good corporate citizenship. As illustrated by the October 2016 DDoS attack, compromised devices can be marshalled into botnets that can then be used to hurt third-party targets.
The 2016 AT&T Cybersecurity Insights report The CEO’s Guide to Securing the Internet of Things explored IoT cybersecurity threats and protections in some detail. The security advice provided by that report still holds true. Best practices for securing IoT devices include:
Assessing risk – As with any cybersecurity plan, you need to start by identifying the devices deployed, their locations, the types of data they generate, the equipment they may control and the networks over which they communicate. Then you must contemplate worst-case scenarios for data or device compromises, so you can develop security protections commensurate with the potential risks.
IoT device security – Far too many IoT devices ship and are installed with easy-to-identify default passwords (a vulnerability exploited by the October 2016 attack). In addition to creating unique and strong passwords for each device, IoT devices should have software/firmware updating capabilities, a system reset option to return to original factory settings and no backdoor entry points. They also should restrict their activities and communications to those functions that directly relate to their core role.
Organizational factors – As with all cybersecurity initiatives, IoT protections should be developed by cross-functional teams that include IT and security professionals, business unit managers and C-suite executives. Beyond device and network protections, IoT security plans must include incident response blueprints and other relevant information, such as legal and regulatory requirements that may apply.
Approached systematically, IoT devices and networks can be made highly secure. But accomplishing this first requires that organizations recognize the nature and scope of the threat. You can’t become complacent just because major IoT attacks aren’t a weekly occurrence.
Dwight Davis has reported on and analyzed computer and communications industry trends, technologies and strategies for more than 35 years. All opinions expressed are his own. AT&T has sponsored this blog post.