List: AT&T, Telefonica, Symantec, Bitdefender and Spiceworks show their findings in the most recent IoT security reports of 2016.
The IoT hype has become a reality and with it, security concerns (including privacy and trust) have grown and are now reflected in real cyber and physical threats.
Every day represents a new record for the number of IoT devices coming online. In 2016, 5.5m devices will be connected to the internet every day, according to Gartner.
By 2020, the IoT black market is set to hit $5bn in value. Yet, global IoT security spending is only expected to reach $840m by then.
CBR collects five major IoT security reports that every C-exec, IT manager and anyone in IT and OT must read.
The CEO’s Guide to Securing the Internet of Things
By: AT&T (link to report, may require registration)
Telco giant AT&T opens its CEO report with an alarming statistic: 90% of organisations lack full confidence in their IoT security. This is despite 32% of 500 surveyed organisations revealing that they manage more than 5,000 connected devices, and 35% saying they have between a thousand and 4,999.
Building security from the start into IoT devices and their connecting networks is key to protecting a growing IoT infrastructure, the company says. This proactive approach will set the foundation for a strategy that integrates IoT security with existing cybersecurity policies and systems.
When putting a cybersecurity roadmap in place, CEOs need first of all to assess the risks that come with incorporating IoT into their overall profile.
An IoT risk assessment should comprise these primary steps: track IoT solutions, assess the security vulnerabilities of each IoT element, map out worst-case scenarios, determine whether IoT devices and data can be isolated, and gauge the value of the data from individual IoT devices.
Secondly, AT&T challenges CEOs to think about security beyond information (aka data) and advises them to secure both information and connected devices. Many IoT deployments will require real-time analysis and response, which necessitates automated processes that have little or no human involvement.
Next, the guide tells CEOs to align their IoT strategy and security, cementing the notion that IT and business strategies must be tightly integrated and complementary.
Among decision-makers, 65% said their IoT business strategies involve collaboration between IT and business units. 17% said their boards provide IoT oversight at every meeting or quarterly.
The level of board involvement matters, in part, because it impacts the confidence level that a company’s decision-makers have in the security of their organisation’s connected devices.
Lastly, the guide says that it is important to identify legal and regulatory issues. Beyond information thefts or breaches, the physical and operational parameters of IoT devices can open new types of corporate responsibility and liability.
Scope, scale and risk like never before: Securing the Internet of Things
By: Telefonica (link to report, may require registration)
Spanish telco Telefonica has also released a report that says that security threats from the IoT are not so different from those in other environments. Rather, they have evolved from areas such as industrial security, distributed networks and information security.
For example, threats from identity theft are still a reality, although they now extend to one’s own identification between devices.
On top of this, denial of service (DoS) threats are posed from a cloud perspective while malware has been developed, infecting all kinds of systems.
Managing vulnerabilities and responding to attacks or breaches is something that is possible now because of the relatively limited number and scope of IoT devices, the report shows.
Getting the security, reporting and resolution processes in place for internet connected devices before the first catastrophic attack will be absolutely vital.
Telefonica also highlights that malicious attacks are not the only threat companies need to be worrying about. Businesses need to consider that an attack may not be necessary to force change.
An accident, inadvertent slip or honest mistake could also be catastrophic. While scale and variety could well help prevent significant damage, it is still the case that the pace of development, scale and growth of IoT enables far more potentially damaging outcomes than seen before in more traditional computing environments.
Internet Security Threat Report: The Internet of Things
By: Symantec (link to report, may require registration)
American software security provider Symantec has recently published a large report on internet security covering the IoT landscape.
The company says that IoT devices often lack stringent security measures, and some attacks are able to exploit vulnerabilities in the underlying Linux-based operating systems found in several IoT devices and routers.
Many issues stem from how securely vendors implemented mechanisms for authentication and encryption (or not).
"If a device can be hacked, it likely will be," it reads.
In the report, the company says that IoT consortiums and bodies, like the Industrial Internet Consortium or the AllSeen Alliance, are still very early in defining standards for this rapidly evolving area.
The report says that manufacturers need to prioritise security and find the right balance between innovation, ease-of-use, and time-to-market constraints. Fundamentally, companies and consumers need to be assured that suppliers are building security into the IoT devices they are buying.
Effective security requires layers of security built into devices and the infrastructure that manages them, including authentication, code signing, and on-device security (such as Embedded Critical System Protection technology).
Analytics, auditing, and alerting are also key to understanding the nature of threats emerging in this area. Finally, strong SSL/TLS encryption technology plays a crucial role in authentication and data protection.
The Internet of Things: Risks in the Connected Home
By: Bitdefender (link to report, may require registration)
Cyber security company Bitdefender opens its report by saying that it believes the IoT can reach its full potential only if interactions between users, devices, applications and the cloud are authentic and secure.
To put the document together, researchers bought three different smart home products that cost less than $100 and put them to the test in a test environment. The company tested a Lifx Bulb, the LinkHub and WeMo Switch.
It found that in the WeMo Switch, the biggest issue is vulnerable protocols. Using the decryption code from the application, researchers managed to reverse engineer the password. They gained access to the device and were able to perform various tasks.
With the Lifx Bulb, the biggest issue was insufficient authorisation and authentication. The smart bulb carries a design vulnerability that allows hackers to intercept credentials of the user’s Wi-Fi network.
As for the LinkHub, the company discovered that a lack of transport encryption when configuring through a hotspot is the device’s biggest vulnerability. Sending data in clear text, with no encryption, is a rookie mistake, the report says.
Bitdefender says that the IoT opens a completely new dimension to security: it is where the Internet meets the physical world. If projections of a hyper-connected world become reality and manufacturers don’t bake security into their products, consequences can become life-threatening.
To prevent this, IoT security needs an integrated home cybersecurity approach. That means shifting from device-oriented security to a solution able to protect an unlimited number of gadgets by intercepting attacks at their core: the network.
2016 IoT Trends: The Devices have Landed – Defending against Alien Tech: IoT Security and Privacy Concerns
By: Spiceworks (link to report, may require registration)
Spiceworks, provider of a network for communications between IT professionals who together accumulate $600bn in buying and managing IT technology products and services, has conducted a survey of 440 IT pros in North America and EMEA, and found that security is today the number one concern when it comes to keeping users connected.
In 2014 (when the last report was published), the top concern was insufficient bandwidth. The shift towards security is also shown by nearly 90% of IT pros saying IoT poses security and privacy issues that need to be addressed.
Topping that list of security concerns is the fact that IoT devices create more entry points into the network (84%).
About three-quarters of IT pros are also worried that IoT manufacturers aren’t implementing sufficient security measures.
Those surveyed also worried that IoT manufacturers are not putting proper security measures in place (70%).
The report says that unpatched IoT devices may be actively creating security gaps and being used as a backdoor to company networks. For instance, they may be built on older OSs with known security issues or use easily exploitable default passwords.
Fifty-three percent of those surveyed said that wearable devices are the most likely IoT application to be the source of a security threat or breach (followed by video equipment, physical security, appliances, sensors, controllers and electronic peripherals).
The paper concludes by revealing that IT pros are already planning to fight back against new threats this year with more advanced security solutions like intrusion detection systems (IDS), penetration testing, and advanced threat protection.