MEF IoT Advisor Andrew Parkin-White explores the issues surrounding IoT security and how the Covid-19 virus will affect its development.
With our members, MEF has been exploring IoT security and how it is key to growing the overall IoT ecosystem. It is very apparent that enterprises are facing a series of challenges with IoT security and the impact of Covid-19 will clearly affect how enterprises manage security in a new environment.
The question, therefore, is whether IoT security will become more of a hurdle as enterprises and home networks become more vulnerable. Andrew discusses these issues with Stuart Mitchell, Chief Evangelist at ZARIOT.
Before the virus hit, research by Microsoft revealed that 97% of enterprises cited security as one of their key concerns and a survey by the GSMA identified security as one of the top three challenges to overcome. Simply put, the IoT ecosystem would not grow without adequate security against a backdrop of security breaches, the true scale of which is not evident. This is not helped by the reluctance of enterprises to report breaches as new threats continue to emerge. Furthermore, enterprises often lack the necessary skills in IoT security to be confident in managing the shift driven by digital transformation and operational changes as disconnected environments attempt to connect.
The cybersecurity industry is facing the very new challenge of being confronted by a pandemic, and the importance of IoT security is growing as we begin to understand the impact that Covid-19 is having. Cybercriminals are able to exploit the vulnerabilities in the security of medical facilities, homes and in manufacturing. We are seeing that the frequency of attacks is increasing and enterprises need to increase their vigilance. Governments are rethinking physical security with surveillance infrastructure to enforce coronavirus quarantines. Home working is placing pressure on existing security, as broader access from the home to enterprise infrastructure creates a less secure environment.
Clearly, these factors combine to drive the requirement for enhanced IoT security that will be critical during the pandemic. Stuart points out that we have seen an increase in SMS spam taking advantage of the public’s understandable concerns about Covid-19. There are still a lot of concerns about SMS as a channel for phishing and malware. IoT devices, although better protected than user handsets, are not completely immune from threat. The responsibility is still firmly with mobile operators to secure their subscribers from risk.
IoT security clearly raises some very real concerns at a time when the focus of the enterprise is on maintaining critical services, and this may well push IoT security onto the back burner. An enterprise may not have a deep understanding of the breadth of IoT security, with IT teams typically coming from a background where they fail to grasp the extent of security requirements in connecting things outside the boundaries of traditional corporate networks.
Major safety concerns could result if a vehicle or medical device is hacked. With increased IoT spending in healthcare during the pandemic, these systems are vulnerable to hacks and ransomware attacks and may lack the latest security updates and patches. Critical infrastructure may be the subject of attacks particularly in light of reduced workforces with organisations looking to conserve cash. Furthermore, manufacturers are under threat with their operations and supply chains becoming more exposed.
With a large number of employees now working from home, there is a clear risk to enterprise security as home networks are not as inherently secure. Vulnerabilities result from the exposure of home network devices to attack, which may in turn represent access points for hackers looking to gain access to enterprise networks. Clearly, enterprises will need to think through their security with these IoT devices representing a weak point in the enterprise security chain.
Stuart stresses the point that during the global Covid-19 pandemic, a lot more emphasis has been placed on both remote working and greater industrial automation. His concern is that while mobile operator networks are still open to denial of service attacks over signalling channels, there is a real risk that critical services may be interrupted.
IoT security should be at the forefront of the CIO agenda as the pandemic progresses and we may well be at the point where organisations need a fundamental rethink with reduced workforces, new working practices and increased threats. More forward-thinking organisations are seeing the new status quo as a catalyst to embrace digital transformation with IoT playing a key role.
Stuart is of the opinion that Covid-19 has placed extraordinary strain on industry professionals to accelerate digital transformation projects, and it is entirely possible that this may result in hastily configured solutions in which some of the IoT security vulnerabilities are not properly considered and addressed. Security is an essential part of any solution. He is concerned that even cybersecurity professionals with extensive IP and device backgrounds seldom understand the four attack vectors of SS7, Diameter, SIP and GTP-C that can be used to cause significant breaches of privacy, interception of data or even denial of service on mobile infrastructure unless mobile operators are fully protected.
Naturally, IoT security needs to be firmly in the spotlight to support enterprises through the challenges of the pandemic and as a key enabler for future initiatives.