Based on discussions we are having across our customer base, we know that the Internet of Things (IoT) is a growing phenomenon. It’s not particularly new - after all, organisations have been monitoring the state of their buildings and equipment, and managing where things are in the supply chain, for many years now. What’s changing is the range and scale of physical objects that we’re starting to see connected, from air conditioning units to office doors.
From our perspective, of course, we are very interested in what this means in security terms. So, should organisations allow increasing numbers of devices and objects to connect to the Internet, or block all attempts to do so? In our view, the answer lies in being aware of the risks of doing so, and acting accordingly.
As a starting point, we believe the main challenge lies in the misuse of what is likely to become a major new entry point into the organisation. We already have a major example - Stuxnet, a sophisticated malware program which targeted Supervisory Control And Data Acquisition (SCADA)-based systems ranging from power stations to industrial plants.
Beyond intrusion and direct hacking, what kinds of security challenges might we also expect? The following potential risks are worth considering:
- Denial of service goes beyond hacking into a piece of industrial equipment. Many IoT scenarios are dependent on networks of physical objects - from supply chain to buildings management applications, from smart parking to intelligent waste disposal. DDoS attacks could target all the end points of a particular use case, making the things inaccessible and breaking the use case they support.
- Equally, in the same way that botnets target insecure desktop and laptop computers, increasingly smart devices could be turned to unplanned use. Imagine if the processor in every plug socket became able to send spam, to generate costly SMS messages, or indeed to participate in a DDoS attack.
- Weakening perimeters. Physical objects were generally not designed to be internet-connected, and therefore network security was not considered in their design. Could a ‘smart’ vending machine in the office canteen be used to breach perimeter security and gain access to corporate systems?
- Organisations should be aware of the potential for unintended consequences of IoT use cases. These include potential privacy breaches (for example over-intrusive staff monitoring) and the possibility of ‘gaming the system’, for example customers simply walking through a store to gain loyalty points.
- Inadvertent breaches through use of IoT could also become an issue, for example the CEO’s car broadcasting its location. We would also advise keeping a careful eye on new devices people bring into the office - could that plant watering monitor provide an accidental gateway?
All of the above can open up new attack vectors which, as ever, come from unexpected directions. We will no doubt see new variations on themes such as ‘man in the middle’ or ‘watering hole’ attacks, this time targeted at information flows from physical objects rather than from people and their computers.
As with all new areas of technology, organisations shouldn't panic unnecessarily about the potential for harm. However, as new use cases emerge, it is worth looking at areas such as these in the risk assessment process, and acting accordingly.
Do you agree? It would be great to hear your thoughts.