How IoT insecurity impacts global organizations

As the Internet of Things becomes more and more part of our lives, the security of these devices is imperative, especially because attackers have wasted no time and are continuously targeting them.

Chen Ku-Chieh, an IoT cyber security analyst with the Panasonic Cyber Security Lab, is set to talk about the company’s physical honeypot and about the types of malware they managed to discover through it at HITB CyberWeek on Wednesday (October 18).

In the meantime, we had some questions for him:

Global organizations are increasingly experiencing IoT-focused cyberattacks. What is the realistic worst-case scenario when it comes to such attacks?

The use of IoT is increasingly widespread, from home IoT, office IoT to factory IoT, and the use of automation equipment is increasing. Therefore, the most realistic and worst case for IoT is to affect critical infrastructure equipment, such as industrial control systems (ICS), by attacking IIoT devices.

Hackers can affect the operation of ICSes by attacking IIoT, resulting in large-scale damage. Furthermore, protecting medical IoT devices is also important. Hacked pacemakers, insulin pumps, etc. can affect human lives directly.

What are the main challenges when it comes to vulnerability research of IoT devices?

Expanding from IoT devices to IoT systems. The main challenge is that IoT systems consist of various components. Most components have different software/firmware, hardware, etc. The discovery of vulnerabilities in IoT devices requires expertise in many fields – researchers need to know a lot about chips, applications, communication protocols, network protocols, operation systems, cloud services, and so on.

What advice would you give to an enterprise CISO that wants to make sure the connected devices in use in the organization are as secure as possible?

To start, CISOs should check whether the vendors of the products they plan to use care about product security. How do they deal with vulnerabilities? Do they have a PSIRT? Do they have a point of contact for vulnerability reports? And so on.

Once they settle on a product to use, they should make sure that best practices – e.g., safely configuring the device, applying security updates in a timely manner – are part of the internal processes. They should also check the security of the services the devices use, e.g., network services used by an IP camera. Finally, network defenses should be structured to effectively control the access rights of the various networked devices in the environment.

How do you expect the security of IoT devices to evolve in the near future?

As we move forward, governments will attempt to create security baselines with regulations and certifications (labelling schemes). New security standards for various sectors (automotive, aviation – to name a few) will also be created.

As IoT products use similar network security protocols or hardware components, IoT security will no longer be a unilateral effort by the manufacturers. In the future, manufacturers, suppliers of parts, security organizations and governments will cooperate more closely, and even achieve mutual defense alliances to ensure effective and immediate protection.