October is National Cybersecurity Awareness Month. The initiative by the Department of Homeland Security and the National Cyber Security Alliance is a huge collaborative effort spanning both public and private sectors, and a good demonstration of how the industry is coming together to safeguard the digital world.
While businesses in the U.S. and globally are still reeling from the WannaCry and NotPetya ransom attacks and the massive Equifax data breach, scrambling to update their systems to protect themselves, there is another kind of threat looming on the horizon.
The internet is today in the hands of around 3.5 billion people. And there are around 6.5 billion connected devices in use worldwide — a figure that is projected to hit 27.1 billion by 2021. What’s more, as consumers, we’re more connected today than ever: the average internet user today owns 3.64 connected devices, uses 26.7 apps and has an online presence across seven different platforms.
The ubiquitous global connectivity enabled by mobile applications and the internet of things opens up great possibilities for personal and organizational growth, from smart city advancements to transforming how industries produce goods. The industrial IoT has seen significant advancement in recent years. For example, by connecting assets in a factory, organizations can have better insight into the health of their machinery and predict any major problems with their hardware before it happens, allowing them to stay one step ahead of their systems and keep costly outages to a minimum.
Yet, IoT also exposes us to more security vulnerabilities that can cause financial loss, endanger personal and public safety, and cause varying degrees of damage to business and reputation. After all, anything that is connected to the internet is a potential attack surface for cybercriminals. For example, distributed denial-of-service (DDoS) attacks are getting better at exposing vulnerabilities in networks and infecting IP-enabled devices to rapidly form a botnet army of infected devices which grind the network to a standstill. Simply put, the more devices there are connected to a network, the bigger the potential botnet army of DDoS attacks.
Furthermore, without adequate security, innocuous items that generally pose no threat can be transformed into something far more sinister. For example, traffic lights that tell cars and pedestrians to cross at the same time, or railway tracks that change to put a commuter train on a collision course.
As the number of connected devices continues to grow and both public and private sector organizations embrace IoT, IT decision-makers must pause and think about how they can work together to create an end-to-end infrastructure that can deal with the influx of new devices and the inevitably rapid spread of cyberattacks in our increasingly connected world.
First, security must be built within IoT systems and the rest of the IT estate from the ground up, instead of retrofitting piecemeal security products as new threats emerge. Second, organizations need to adopt an adaptive security model, continuously monitoring their ecosystem of IoT applications to spot threats before attacks happen. Adaptive security means shifting from an “incident response” mindset to a “continuous response” mindset. Typically, there are four stages in an adaptive security lifecycle: preventative, detective, retrospective and predictive.
- Preventative security is the first layer of defense. This includes things like firewalls, which are designed to block attackers and their attack before it affects the business. Most organizations have this in place already, but there is definitely a need for a mindset change. Rather than seeing preventative security as a way to block attackers completely from getting in, organizations should see it as a barrier that makes it more difficult for them to get through, giving the IT team more time to disable an attack in process.
- Detective security detects the attacks that have already made it through the system. The goal of this layer is to reduce the amount of time that attackers spend within the system, limiting the subsequent damage. This layer is critical, as many organizations have accepted that attackers will, at some point, encounter a gap in their defenses.
- Retrospective security is an intelligent layer that turns past attacks into future protection, similar to how a vaccine protects us against diseases. By analyzing the vulnerabilities exposed in a previous breach and using forensic and root cause analysis, it recommends new preventative measures for any similar incidents in the future.
- Predictive security plugs into the external network of threats, periodically monitoring external hacker activity underground to proactively anticipate new attack types. This is fed back to the preventative layer, putting new protections in place against evolving threats as they’re discovered.
For organizations to protect themselves, they need to get this mix right; all four of the elements improve security individually, but together they form a comprehensive, constant protection for organizations at every stage in the lifecycle of a security threat. With billions of consumer and business IoT applications exchanging billions of data points every second, IT decision-makers need to map the end-to-end journey of their data, and the threats lurking behind every corner.
At the start of this year’s National Cybersecurity Awareness Month, Assistant Director Scott Smith of the FBI’s Cyber Division said, “The FBI and our partners are working hard to stop these threats at the source, but everyone has to play a role.” Organizations that work with their peers and security specialists to secure their IoT ecosystem and network will be rewarded in the long run. There’s no one-size-fits-all approach to securing IoT worldwide; it will take a considered, collaborative effort to safeguard the super-connected world today and tomorrow.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.