The Internet of Things (IoT) has delivered many solutions to the enterprise landscape. From wearables, cars, drones, and CCTV cameras, down to the simplest business tools such as videoconferencing, a new era of speed and data accessibility has forever changed the way organisations do business. And with new developments in the technology from this year onwards, IoT is just getting started.
However, malicious actors have also seen the IoT ecosystem as a playground for nefarious activities. As more and more businesses adopt IoT to solve their enterprise woes, cyber criminals lurk in the shadows, waiting to strike at any sign of a security flaw.
How then can organisations raise their IoT security efforts in light of growing threats? Dr. Solahuddin Bin Shamsuddin, CTO of CyberSecurity Malaysia, attempted to shed some light on the matter, during his keynote “The Internet of Things— A New Playground for Threat Actors,” part of the IT Security Frontiers 2022 online conference organised by Jicara Media.
According to Dr. Shamsuddin, the pandemic was a major catalyst in the evolution of digital technology and the consequent sophistication of cyberthreats.
“New technologies are constantly being introduced, while the old technologies are being upgraded to suit today’s requirements during the pandemic environment. The world is evolving and adopting innovative technologies, such as cloud computing, IoT, blockchain, big data, AI, and machine learning. In these challenging times, people are becoming highly dependent on the internet, digital technology, and especially digital devices for their day-to-day activities— whether for personal, business, or work purposes,” he said.
“Most of the users (of these technologies) are not aware that the available information and their privacy are being leaked, exposed, stolen, (and) even shared and distributed online. Although there is greater interest among the public regarding cybersecurity, the focus is related to the conduct of eCommerce and social media,” the CTO added.
The troubles so far
Among Dr. Shamsuddin’s concerns is that many users of digital technologies do not take safety precautions seriously, especially when it comes to data protection.
“(People) need to take note that data has been collected everywhere and every day from compromised devices. This is due to the digital environment today that is getting riskier and more complicated. The massive shift online has only exacerbated cybersecurity concerns. Cyber criminals are more active, bolder, and more sophisticated. They have come up with new, effective, and advanced methods to prey on the victims for their own personal gain,” he said.
IoT, for one, is among the enterprise technologies expected to see increased uptake in the foreseeable future. According to Statista, there were 13.8 million active IoT devices in the world in 2021. By 2030, that number is projected to grow to 24.1 million active IoT devices.
“Although IoT devices bring a lot of benefits and conveniences to the users, they also have weaknesses and vulnerabilities. These smart devices are prone to be hijacked and infected with DDoS attacks. Once this happens, the infected devices can impact other devices that are connected through the network. Thus, they are prone to hacking, hijacking, data breaches, and privacy issues as well,” Dr. Shamsuddin noted.
The cybersecurity expert also shared a use case of the IoT ecosystem in the healthcare sector.
“IoT medical devices collect data about the patient’s conditions, using sensors attached to the patient. An IoT medical device could be a temperature sensor, blood pressure sensor, pulse oximeter, or other similar micro sensors. The data is then sent to the cloud via a network gateway, and will be used for further monitoring and analytics. This data can be displayed on desktops, smartphones, or even smartwatches, and can be monitored by patients and clinicians, even when the patient is at home. Any alert triggered will inform the patient, guardian, and even the doctor, so in many emergencies, the patient can be treated at any suitable medical facility as soon as possible,” Dr. Shamsuddin said.
“Imagine the scenario where a hacker uses IoT to change your medicine prescription, or hijacks your pacemaker, or if a store automatically ships a product that you are allergic to, or a product that is already expired. As a result, safety is ultimately in the hands of the consumer to verify,” he added.
The security problem, Dr. Shamsuddin highlighted, dates back to the conceptualisation of most IoT devices.
“One of the reasons that allowed (these cyberthreats) to occur is because the manufacturer does not set the security functionality as a priority when creating or designing the IoT device. Hence, it does not have built-in security, leaving it vulnerable to attacks. IoT devices are always connected online. Thus, they are vulnerable to vicious cyberattacks. Attacks on IoT devices can impact the devices themselves and everything else on a connected network,” he said.
Therefore, if IoT security is not tightened, cyberattacks would have catastrophic consequences in these four enterprise areas, the CTO explained:
- Sensitive media scrutiny
- Public relations
- Lost intellectual property/asset
- Detection and escalation
- Lost business/contract
- Response costs
- Competitive disadvantage
- Insurance premium cost
- Diversion of employees from strategic initiatives to work on damage control
- Cybersecurity improvement
- Operational disruption
- Independent audits
- Regulatory fines
- Restriction on information sharing
- Implementation of comprehensive security solutions
Securing IoT devices is a daunting task, but it is not altogether impossible, Dr. Shamsuddin stressed. To begin with, firmware updates should be installed as soon as possible, and preinstalled passwords should always be changed.
“This means that passwords must be complicated enough to crack, using both capital and lowercase letters, numbers, and symbols. If possible, more than six characters,” he said.
Dr. Shamsuddin also advised rebooting a device as soon as it begins to act strangely, and reviewing and choosing security solutions that help to protect IoT ecosystems.
Other common cybersecurity measures for IoT devices are as follows:
- Comprehensive Security Awareness Training
- Appointing an IoT administrator
- Implementation of defence-in-depth
- Network segmentation
- Implementation of strict password hygiene controls
- Implementation of regular backup, patching, and updates
- Encrypting the networks being used by their IoT devices for transmitting data
In conclusion, Dr. Shamsuddin reiterated that while IoT offers various benefits and opportunities, its vulnerabilities must enjoin everyone, users and manufacturers alike, to constantly seek methods to improve security.
“We need to continuously increase and strengthen our cybersecurity manpower and functional skills. We also need to ensure a secure, resilient, and trusted cyber environment in order to sustain progression and prosperity. In this regard, a more innovative, proactive, and adaptive security approach is required to address such situations. Adaptive cybersecurity encompasses predictive, detective, responsive, and corrective capabilities,” he said.