Thales Blog

The Growing Presence (and Security Risks) of IoT

November 6, 2019

As most of us know, IoT devices are on the rise in enterprise networks. According to McKinsey & Company, the proportion of organizations that use IoT products has grown from 13 percent in 2014 to 25 percent today. That pace is unlikely to slow down over the coming years; Pagely noted that organizations are still turning to IoT devices as a way to automate and optimize their business processes as well as save on energy costs. Reflecting organizations’ persistent interest in IoT, International Data Corporation (IDC) estimates that the number of smart devices will reach 41.6 billion and that those devices will generate 79.4 zettabytes (ZB) of data by 2025.

The issue is that these tens of billions of new devices will likely amplify the inherent security risks of IoT. In the absence of IoT security regulations, many smart product manufacturers simply release new devices that lack built-in security measures and have not undergone proper security review and testing. Bad actors can subsequently exploit these security weaknesses to accomplish a number of malicious purposes.

Avast explains that one of the biggest IoT security threats is the use of vulnerable devices to access an organization’s network and, through it, sensitive information. Vulnerable devices could be used to spread malware within the enterprise, conduct corporate espionage, surveil personnel, or plan whaling phishing campaigns. Cyber attacks against the company aren’t the only relevant threat, however. For instance, malicious actors can use malware to enslave exposed IoT devices into a botnet and launch distributed denial-of-service (DDoS) attacks. That’s precisely what happened in the case of Dyn back in October 2016.

Digital criminals can also cause physical damage to smart products so that they fail to function properly. Such disruption could have serious consequences depending on the type of organization that’s affected.

Take manufacturing, for instance. As systems become increasingly automated, manufacturers will begin deploying Industrial Internet of Things (IIoT) on the plant floor and/or incorporating smart gadgets into their products. Without the proper safeguards, these devices could cause trouble for everyone involved. Travelers explains that some advanced manufacturing systems might lack proper safety protocols, a gap that could jeopardize workers’ safety. Concurrently, IoT-powered products could malfunction in a way that threatens customers with injuries, economic losses, and environmental damage, as could be the case with IIoT in the energy sector with oil, gas, and utility entities. In those cases, customers might respond by filing lawsuits against responsible organizations or ceasing to do business with them if they can.

Healthcare is in Need of a Check-Up

The effects mentioned above in the manufacturing and energy industries are quite similar to those involving healthcare organizations. Medical IoT, or IoMT (Internet of Medical Things), devices can react in real time to relay critical information to the doctors, first responders, and caregivers who are saving lives and improving health outcomes and patient experiences. Check Point is right to point out that malicious actors can leverage vulnerabilities in connected medical devices like insulin pumps and pacemakers to target specific patients and prevent them from receiving vital healthcare treatments. In fact, according to the 2019 Thales Data Threat Report-Healthcare Edition, the healthcare industry experiences the highest rate of attack compared to any other industry studied. But that’s not digital attackers’ primary motivation for targeting medical IoT, or IoMT, devices. As noted by CNBC, healthcare records can fetch as much as $60 per stolen record on the dark web. Digital attackers, therefore, have an incentive to target these devices so that they can move laterally across the network in an attempt to steal patients’ protected health information (PHI).

IoT Protection is Key

No matter the industry, without proper security standards from the federal government and leading industry bodies, organizations have no choice but to take IoT security into their own hands. Here are a few things organizations can do to ensure they have a safe and secure IoT strategy.

1. Invest in the right technology

The best way businesses today can protect their IoT assets is by assigning a machine identity to each IoT device that’s connected to their network. Organizations can accomplish this task by using a sophisticated security platform to encrypt data handled by IoT devices. Additionally, they need to manage the encryption keys used to secure their smart products.

2. Choose your partners wisely

Organizations must consider integrating key security features that prevent IoT devices from falling victim to any malicious activity. In a previous blog, we discovered that fewer than half of companies (48%) could detect whether any of their IoT devices had been breached. Breach detection and mitigation are crucial, and businesses must partner with the right security companies that can help ensure safe data storage, compliance and security protection features.

3. Meet security compliance regulations

Personally identifiable information (PII) is increasingly becoming a hot-button issue for consumers at large. A prime example of this is what California is doing with the California Consumer Privacy Act. Privacy will continue to be a focus for legislators over time, so it is imperative for businesses to understand regulatory mandates and compliance issues and how those impact their overall IoT strategy.

Learn how your organization can use Thales’s Vormetric Data Security Platform and its hardware security modules (HSMs) to own its IoT devices.

See how our HSMs can act as a root of trust to secure your IoT initiatives by downloading this white paper.