When discussing Internet of Things (IoT) security, it is vital to first recognise the increasing extent to which our daily lives are reliant on these entirely connected systems. Integrating IoT devices within mission-critical industries means that, while gaining efficiencies, we create a breeding ground for new points of attack. These networks are of vital importance, says Alan Grau, VP of IoT, Embedded Solutions at Sectigo; protection of the gate becomes a priority.
While even the layman citizen will realise the crucial nature of keeping the power grid or the water supply airtight, one element is frequently missing from the conversation, the central role of securing IoT devices including authentication using digital certificates.
There is now an imperative to authenticate all things connected and certificates are at the forefront of overcoming the vulnerabilities within our critical national infrastructure (CNI). And time is of the essence. The Ponemon Institute has revealed that 90% of CNI providers are already battling IoT attacks. Likely, the other 10% have not yet recognised they are also being attacked.
As an increasing number of distributed denial of service (DDoS) and ransomware attacks continue to target unsecured devices, organisations need to wake up and address the inherent risks posed by unsecured endpoints across ecosystems from servers to vehicles to power grids.
A growing number of governments have recently issued regulatory requirements for consumer device security, but the measures are far from global; nor are they comprehensive. It’s up to everyone in the ecosystem, from original equipment makers (OEMs) to end user organisations, to build in and adopt authentication technology that safeguards our CNI.
Keeping the healthcare industry secure
The healthcare sector faces the monumental challenge of handling multitudes of sensitive data. Whether it is managing intellectual property, confidential Personal Health Information (PHI) or the configuration of a connected device; data is justifiably the health sector’s most valuable asset and subsequently one of the most complicated to protect.
Any system or device that holds or transmits high-value patient, research, or organisational data is at risk. The threats, which can originate from both internal and external sources, now run the gamut from malware, ransomware, IoT Botnets and theft to phishing attempts, business email compromise (BEC), extortion, and large-scale data breaches.
Unfortunately, many healthcare organisations remain insufficiently protected. Most do not have the high level of data encryption required to secure both data in motion and data at rest. Many still do not make full use of the benefits that digital identity can bring across a variety of use cases.
Perhaps even more concerning is the often-overlooked risk posed by unsecured “things” in the sector. Most healthcare organisations with emerging business models that depend on the IoT often fail to recognise that their connected devices (biosensors for patient monitoring, wearables for telemedicine, pacemakers, pumps, and the like) represent a significant security risk.
The increasing digitisation of the patient experience, coupled with a growing reliance on data (including credit card payment data), means it’s imperative for organisations in this sector to continually fortify their security capabilities and close potential vulnerabilities to stay ahead of threats.
Securing every vehicle
The arrival of autonomous vehicles will ramp up the potential threat to property and life brought on by an IoT attack. In the not-so-distant future, delivery trucks, buses, taxis, and personal vehicles will be autonomous, offering rich targets for cyber attackers. Autonomous vehicle manufacturers state that the IoT technology that will allow these vehicles to talk directly to each other and to a city’s traffic system will result in a more efficient and safe travel system.
However, this communication requires a perfect, untampered-with flow of information between vehicles to ensure their close coordination while possibly traveling at high speeds, just inches apart.
According to the 2019 Consumer Watchdog report ‘Kill Switch’, more than two-thirds of new cars on American roads by 2022 will have online connections to their safety-critical system, putting them at risk of deadly hacks to vehicles’ “head” system, used primarily for infotainment, GPS navigation, and other features.
What happens if one of these vehicles gets hacked, crippling its communication, so that it cannot coordinate with other vehicles? At a minimum, the hacker can cause traffic to get tangled. At worst, the bad actor could cause serious accidents, possibly resulting in injury and loss of life for the passengers and/or nearby pedestrians. Another real threat is a massive ransomware attack against vehicles. Security is clearly imperative for connected cars.
Protecting the power grid
The benefits of IoT in the energy sector are clear. The massive collection of sensors and control devices ensure the reliability of the supply and can prevent outages by controlling the flux of power at any given moment. The modernisation of the system also means increased energy efficiency and less need for human intervention, a cost-saving advantage for organisations. In addition, by retrieving a rich supply of data, the smart grid can create predictive maintenance models, increasing overall safety.
There is of course a flip side to this automation and collective intelligence. Myriad cyberattacks and white hat incidents throughout the past decade underscore both the vulnerability of the energy industry and its high value as a target. Cyber criminals understand this and continue to actively find ways to implant malicious code in foreign grids in order to exploit it when it’s time to strike. One such example is Russia’s test attack on Ukraine’s electrical grid, confirming the country’s ability to turn out the lights at will.
Given the potentially catastrophic fallout, it is now more important than ever for the energy industry to make securing this increasingly widespread technology a major priority.
Designing a solution from the manufacturing floor
The solution is not only in the hands of legislators, but also device manufacturers and other parties involved in the supply chain. Identity management must be built-in by design, automated to avoid error or sabotage, and regularly updated throughout the entire lifecycle of each device.
Identity authentication tools are an essential safeguard for protecting critical infrastructure and its many devices. Digital certificates, secure boot and secure code updates, embedded firewalls, and other technologies enable healthcare, transportation, energy, and other critical enterprises to detect and block unauthorised connections before they enter the network, thereby keeping the gate closed to cyber criminals from the outset.
Enterprise and embedded IoT security are no longer solely the concern of technology vendors or grid operators. IoT identity has become a matter of national interest.
The author is Alan Grau, VP of IoT, embedded solutions at Sectigo
About the author
Alan Grau is VP of IoT, Embedded Solutions at Sectigo, a global provider of automated digital identity management and web security solutions. Alan joined Sectigo in May 2019 as part of the company’s acquisition of Icon Labs, a provider of security software for IoT and embedded devices, where he was CTO and co-founder.
Follow us and Comment on Twitter @TheEE_io