Addressing cybersecurity risks in the age of IoT transformation
By Hervé Tardy
Cybersecurity is a continuous journey; just as standards evolve, so do the methods attackers use to penetrate our defences.
June 24, 2020 – Companies across a variety of industries are investing in IoT technology and reaping the benefits. Digital connectivity has paved the way for ubiquitous networks that can expand across manufacturing floors, the electrical grid, commercial buildings and other facilities. This interconnectedness brings new opportunities to collect data, gain valuable insights and optimize operations.
Because IoT devices typically include a unique IP address that enables them to communicate and exchange data with other systems, they can also pose cybersecurity challenges for already-taxed IT departments. So let’s take a look at the evolution of both cybersecurity threats and standards in the era of IoT, as well as steps businesses can take to protect their systems.
Great risk, great reward
Cybersecurity is one of the chief worries for IT staffs, a point echoed in a recent RiskIQ survey. The digital threat management firm revealed that 89% of all information security leaders are concerned about the rise of digital threats across web, social and mobile channels. Potential consequences of a data breach include damaged reputation, downtime, loss of sensitive personal or enterprise information, and distributed denial-of-service (DDoS) attacks designed to paralyze major websites. According to a Capgemini study, 20% of organizations that experience a cybersecurity breach report losses of more than $50 million.
As companies add more IoT-enabled devices to the network to optimize data collection and improve efficiency, each connection point or smart sensor represents a potential vulnerability to be exploited: attackers can use a device’s IP address to tunnel in and steal potentially valuable data.
The risks are real. In one example, by targeting an overlooked vulnerability in a major retailer’s HVAC unit, attackers were able to access point-of-sale devices and steal 70 million client accounts. With firms like IDC predicting 41.6 billion connected IoT devices generating 79.4 zettabytes of data by 2025, the risk will only grow as new intelligent products are introduced.
Despite the increasing cybersecurity risks, the benefits of IoT transformation are too great to dismiss, which is why many businesses continue to forge ahead. When combined with predictive analytics, a connected infrastructure allows personnel to use data generated by the device to predict potential equipment failures, saving considerable maintenance costs in the process while avoiding equipment downtime.
IoT technology allows companies to automate critical processes to yield increased efficiency. In data centres, for example, interconnectivity allows for devices to communicate with one another to initiate processes like graceful shutdown in the event of unplanned power events, such as surges. This can add a significant layer of protection for the infrastructure as well as save time for staff, allowing them to instead focus their attention on projects such as equipment upgrades that bring more value to their businesses.
Ultimately, while the threats that come with enhanced connectivity are great, the right approach to cybersecurity can help mitigate these risks. Much of the responsibility falls on IT staff to implement policies and procure technologies that can deliver a more effective level of security for their businesses. Keeping pace with industry developments to ensure products are compliant with certification standards is a necessity in today’s environment.
One critical development in this approach is the effort by global standards organizations to define processes and methods by which to certify products as secure.
Emerging IoT standards
With the amount of IoT innovation taking place, industry organizations have been working hard on developing standards for testing and certifying products for protection against attacks.
The global safety science organization UL has developed and published a standard, UL 2900-1, for software cybersecurity for network-connectable products. The standard provides criteria and methods for evaluating and testing for vulnerabilities, software weaknesses and malware, as well as requirements regarding the presence of security risk controls in the architecture and design of a product. Products that receive the UL certification have gone through rigorous testing against the defined criteria and are likely to provide an enhanced level of cybersecurity protection for the user.
Other organizations are working hard to define global standards that can be adopted across industries. The International Electrotechnical Commission (IEC) has released cybersecurity certifications such as ISA/IEC 62443 “Cybersecurity certificate programs” to give companies a framework by which to address and mitigate current and future security vulnerabilities in industrial automation and control systems. This global standard draws on the input and knowledge of security experts to develop consensus standards that are applicable to all industry sectors and critical infrastructure.
Purchasing equipment that has been certified using these standards can give IT staff greater peace of mind, but cybersecurity is a continuous journey; just as standards evolve, so do the methods attackers use to penetrate our defences. Thus, there are some additional layers of protection that businesses should utilize to enhance cybersecurity for the long haul.
Protection from end to end
As staff weigh the benefits of IoT transformation against the possible risks, IT professionals should strike a balance by taking steps to protect their connected infrastructure. Measures experts recommend include:
• using a firewall and encrypting information
• conducting routine security assessments
• regularly updating antivirus software and anti-spyware
• using advanced email filtering
• establishing powerful password policies and end-point protection
• offering employees cybersecurity awareness training
IT professionals should look for a combination of industry-standard technologies and custom tools that will allow them to test devices and ensure stability. IT teams can build a complete framework to measure, classify and reduce ongoing risks through:
• customized vulnerability analysis
• malware detection
• static and binary code analysis
• protocol fuzzing
• automatic software testing
• automated static and dynamic testing
Having an end-to-end cybersecurity strategy requires trained people, thorough processes and sophisticated technologies to safeguard equipment amid ongoing advancement. This approach will give companies the right level of control and management over their infrastructure as both IT requirements and cybersecurity demands evolve. By ensuring devices across their network are optimized for protection, businesses will be in the best position to avoid risks and save money into the future.
Hervé Tardy is vice-president and general manager of Eaton’s Distributed Power Infrastructure business unit, where he manages the Americas product roadmap for power solutions, software and connectivity products.
• RiskIQ survey
• Capgemini study (PDF)
• 70 million client accounts
• 41.6 billion connected IoT devices
• UL 2900-1 “Standard for software cybersecurity for network-connectable products, Part 1: General Requirements”
• ISA/IEC 62443 “Cybersecurity certificate programs”