Managing IoT Data Breaches
Written by Andy Brown, CEO of Sand Hill East, LLC & Matthew Rosenquist, CISO Eclipz.io, Inc.
We are surrounded! Smart devices are everywhere and being integrated into all facets of our lives, from toothbrushes to automobiles. Entire cities are becoming “smart,” as are factories, governments, global retail, freight logistics, and all national critical infrastructure sectors. As individuals, we are becoming hubs for multiple connected devices in our homes and on our persons. Phones, watches, health monitors, medical devices, and clothing manufactures have joined forces to develop connected apparel and accessories. Cameras, doorbells, appliances, televisions, thermostats, voice assistants, and light fixtures are just the beginning of the digitalization of our homes. These wonderful tools of the modern world, some no bigger than a coin, provide amazing capabilities and tremendous convenience; they connect and enhance our lives in amazing ways.
Most IoT devices are miniature and very limited when it comes to the computing resources necessary for secure capabilities. It is difficult to know who owns or possesses them, if they have been hacked, and if they are acting in undesired ways. This makes IoT devices not very trustworthy. To compound the problem, IoT devices tend to share data over insecure networks like wireless and the Internet. This mix is a recipe that cybercriminals and hackers enjoy. The functional backbone for IoT devices is all about gathering, processing, and sharing data. One of the primary challenges is to protect the data going to and emanating from the devices. Legacy technology largely fails when it comes to secure communications at this scale and difficulty. More comprehensive, effective, and sustainable capabilities are needed to keep pace with evolving threats. Connecting IoT technologies to share data securely is difficult. Some standards exist for specific use-cases, such a web browsing, but most of the emerging IoT devices and services require a synthetization of architectures, algorithms, and compatibilities that current solutions don’t satisfy. That is why we are seeing a flood of IoT compromises and the future advances of hackers will only increase the victimization unless something extraordinary happens. Where there is innovation leadership, hope survives.
The founders of Eclipz recognized this problem years ago, and were chartered by the U.S. government to develop capabilities that could be integrated with products and solutions to enable them to transmit data securely while facing the most capable adversaries in hostile environments. Eclipz originated as a government program to secure untrusted devices over insecure networks from around the globe. The opposition was powerful nation-states that would endeavor to undermine the technology to gain access to U.S. secrets. Successfully tested and deployed, Eclipz core technology has proven itself for years, and is now being brought to the consumer market.
Eclipz is a natural fit to greatly bolster security for IoT ecosystems because it addresses a key weakness—the secure transport of data—in a way that is elegant, scalable, and more secure. Its features are designed to close yesterday’s vulnerabilities and adapt to preserve data confidentiality and integrity against future attacks. IoT devices and the infrastructures to which they connect must be better secured in a more cost-effective manner, and in a way that does not create friction for users. Eclipz was designed for this challenge.
Originally published in Cybersecurity Magazine
September 2020 Vol 4 – Issue 09
To view the original publication follow this link: https://cisomag.eccouncil.org/iot-data-security-risks/
The demands to defend the information on edge devices have reached a new pinnacle and continues to grow beyond what current capabilities can handle. Legacy cybersecurity systems that ensure the confidentiality, integrity, availability and the proper use of data from edge devices are not sufficient for the growing scale of Internet of Things (IoT) and Industrial IoT (IIoT). Innovation in technology and process is needed to deliver the robustness necessary to defend against a world of ever-evolving cyber threats. A policy framework is required that is specifically crafted for edge environments and implemented through technical controls and configuration. A structure of robust architectures and practices must protect the data from exposure, exploitation, and manipulation. They must be designed for sustainability over the extended lifecycle of these types of products and adapt to the new tactics of emerging threats.
Since their inception, internet-connected devices have become vastly more complex, capable, and specialized. To improve performance and responsiveness, much of the computing is now pushed closer to end-users, thus becoming edge devices. These act as sensors capable of providing valuable data to localized feedback loops. Continuous streams of information enable real-time insights into operations, potential issues, and emerging opportunities. Such designs empower organizations around the world to automate processes and make favorable decisions promptly. In short, feedback loops powered by edge devices are fueling the global digital transformation to deliver efficiency and modern automation.
A significant reduction of costs and an increase in functionality have propelled the explosive adoption rates of IoT/IIoT devices. However, the benefits of greater visibility and empowerment come with risks that are unfamiliar and, in many cases, hidden. The exposure and corruption of this feedback data can cause catastrophic downstream impacts for the continuity of operations, protect personal privacy, and people’s safety. The breaching of sensors and the data they create can be wielded for unethical or undesired purposes, to the detriment of organizations, partners, customers, and society.
Secure the Data
Data security has emerged as a crucial requirement for complex automated systems. However, providing trust in digital systems is proving difficult because legacy technologies are not well-suited for a more autonomous world. All major industries are embracing digital technologies for enhanced capabilities, faster results, and better decisions. In doing so, they are also inheriting the risks of undermined systems. Data provides a competitive advantage. Manufacturing, retail, transportation, defense, and every sector of Critical Infrastructure (CI) are leveraging digital sensors and becoming reliant upon the insights they provide. A continuous stream of the right data is the key to assessing situations and acting decisively. In complex environments, interconnected feedback and decision loops are the backbones of most operational practices. These systems need a constant stream of incoming information to adjust and achieve the desired goals. However, erroneous or tampered data may pose a risk by providing incorrect information that undermines good decisions. Without proper security controls, honest mistakes or malicious attackers can undermine the very foundations of automation and business decisions.
Increased Scale and Complexity
Much of our growing digital ecosystem is, or will be reliant on the principles of the simple feedback loop, through sensors that provide data for instantaneous decision-making. There is a race to embrace new technology and adopt automation solutions that deliver a business advantage. The possibilities are as limitless as our imagination, but so are the associated risks. Sensor data makes possible the automated online processes we have come to take for granted, such as online storefront order processing, shipment logistics, and healthcare monitoring. Manufacturers can increase production speed and improve consistency. Dangerous environments can be monitored and managed for safety. Manipulation of digital sensors and data can make all of these automated processes go wrong. Industry professionals have long expressed concern that most of the billions of IoT and IIoT devices in the world are vulnerable. This reality places global services, national economies, personal privacy, and the safety of people’s lives at an ever-growing risk.
The defense of sensors and edge devices can’t be achieved with the same techniques that evolved with traditional desktops, servers, and laptops. Modern personal computers and servers are built with tremendous computational power, memory, and storage resources to be flexible across a wide range of tasks. IoT sensors and devices are designed with the opposite in mind, generally with a specific purpose to be as economical and streamlined as possible. They are in a different class entirely and do not benefit from an abundance of computing resources.
Current Tools Fall Short
Most cybersecurity tools have evolved to leverage the extensive system resources in personal computers and servers to provide comprehensive protection. These solutions are not compatible due to IoT limitations. Very few solutions are available to meet the specialized needs of something as small as a sensor.
The scale and diversity of the IoT landscape compounds the problem. An additional 4 billion IoT devices are predicted to come online in 2020. These systems will add to the vast amount of data already existing for an estimated total of 100 trillion gigabytes by the end of 2020. IoT/IIoT are often deployed in clusters, aren’t very well-protected, and may represent the weakest link that hackers and malicious agents can use to gain a foothold to attack other systems.
The IoT industry has begun to address the first order of issues that resulted from poor designs and the omission of basic security features. As a first step, the focus is on protecting the devices themselves from exploitation. Changing default passwords, removing manufacturer administration and testing backdoors, and requiring user authentication are now standard practices. What has not been addressed is the more difficult problem of fortifying the data and network connections to and from these devices. Vast exposures are still present.
After years of warnings from cybersecurity professionals, the predictions came true: attackers turned their attention to IoT devices. Everything from industrial controls, healthcare tools, entertainment systems, vehicles, telecommunications, and home surveillance cameras have been successfully hacked.
What Exactly is at Risk?
Digital sensors and systems contribute to the safety of employees and customers and are vital components to critical systems. Due to this importance, they are targeted by cyber threats. The more the world relies upon computer-based services, the more the attackers’ leverage when they disrupt or control these systems. As automation increases, the complexity grows, and systems become more sensitive to significant impacts. An increasingly online yet unguarded world creates many possible safety concerns.
After years of warnings from cybersecurity professionals, the predictions came true: attackers turned their attention to IoT devices. Everything from industrial controls, healthcare tools, entertainment systems, vehicles, telecommunications, and home surveillance cameras have been successfully hacked. An IoT-powered botnet brought down significant portions of the Internet on the American eastern seaboard for an uncomfortable amount of time in one attack. Implanted medical defibrillators and pacemakers were shown to be exploitable and had to be replaced in patients. Power plants and regional distribution grids have been targeted. Hackers can also tap into cameras and watch victims in public settings, offices, and in the privacy of their homes. There have been instances of hackers taking control of automobiles and aircraft. Private information has been scraped from retail devices and personal health monitoring devices. Implanted medical devices and emergency room equipment are vulnerable to compromise. The range is incredible, from small sensors and home appliances to the biggest planes, ships, chemical plants, and power distribution networks.
Even a trivial device makes a difference. Sensor data for chemical spills, fires, and unsafe breathing conditions may automatically trigger fire suppression, evacuations, and emergency response. Data that falsely report an unacceptable temperature drop in stored foods might require the assets to be discarded. Worse, if the controls were tampered with and the temperature did drop to unsafe levels without any alarms, then lethal consumables might be released for distribution to the public.
The list of confirmed vulnerable devices grows every week, demonstrating that these systems and the data they generate are at significant risk. The abundance of these dangers, whether actual or potential, requires a greater oversight to support a higher degree of confidence in the technology upon which we all depend. Malicious online attackers breed new threats that can undermine the confidentiality, integrity, and availability of data. Criminals target systems that they can easily manipulate to seize control, commit fraudulent activities, and steal sensitive information. Data, both at-rest, and in-transit must be protected from such attacks, and edge devices are easy targets on the front lines.
Innovation is Necessary to Safeguard Data Across the new Digital Landscape
The traditional model for digital security begins to unravel when enormous numbers of less sophisticated IoT/IIoT devices generate a vast amount of data that is not adequately protected. Current solutions simply don’t operate well within the limitations of IoT deployments. As cybersecurity professionals, we need innovative new technologies and processes to mitigate risks posed by current and emerging threats for this fastest-growing sector of computing devices. Solutions must overcome the challenges that traditional protections are unable to address. Securing devices, network connections, and the data that travels across them is paramount. The future of the Digital Transformation (DT) movement resides in preserving the trust that people place in technology, that it will act for their benefit and not maliciously against them. The solutions of the past become more obsolete as every day passes. Innovation that is specifically tailored to IoT is necessary to safeguard the benefits across the new digital landscape.
