In 2023, connections are the name of the game. The internet has brought people together in a way we have never seen before. But what if just connecting people is not enough? What if we want to go a step further and link machines and other devices together? The Internet of Things (IoT) is here to do just that.
The IoT is one of the most exciting technologies to emerge in the last few years. What makes the IoT so exciting is its potential to simplify our daily lives and change how we do business. The IoT is all about connections—devices working together seamlessly with little human interaction. Of course, most people know what the IoT is by now, but how does it work?
An IoT network is made up of smart devices, each containing an embedded system. These devices collect information from the environment they are in and share it with the other devices in the network. Next, the information is processed, and the network algorithm may have the devices perform an action automatically or share the information with the user. IoT networks also allow a user to interact directly and affect the system. An example of IoT systems used today is smart homes, wherein just about all functions communicate with each other automatically and can be controlled by the user remotely.
What you may not know is that the IoT is not a new concept. The concept and term were first described in a speech by Peter T. Lewis in 1985: “The Internet of Things, or IoT, is the integration of people, processes, and technology with connectable devices and sensors to enable remote monitoring, status, manipulation, and evaluation of trends of such devices.”
Of course, the IoT is not perfect—nothing is. Like all technology, it also puts users at risk. So, here are a few IoT security risks that organizations need to address:
Botnets and DDoS attacks
A botnet is a network of interconnected devices infected with malware that can be controlled by malicious entities. If a threat actor gains access to one point in the IoT network, they may be able to infect the entire network. They can then use the network’s resources to create a system of botnets and mobilize it to carry out a DDoS attack on the victim’s network.
A ransomware attack on an IoT system involves taking control of a particular device or the entire system itself to disrupt its operations. It resembles a traditional ransomware attack, except that it locks you out of your device for a ransom instead of encrypting your data, effectively holding your device hostage rather than just your data.
For example, the Colonial Pipeline ransomware attack was carried out in May 2021 against an oil pipeline that moves gasoline to the southeastern United States. First, the attackers gained access to the pipeline’s IT network and stole 100GB of data. They then proceeded to infect the network with ransomware that affected the accounting and billing systems, which were the primary targets. The operational technology (OT) system that controls the movement of oil was not affected. Despite this, Colonial Pipeline had to halt operations to keep the ransomware from spreading, causing fuel shortages across the US.
In this case, the attackers were able to put a stop to operations by only affecting the IT network. However, experts say that attackers now have the ability to directly enter and manipulate an organization’s OT network.
With more businesses adopting the IoT and with smart homes becoming increasingly popular, focusing on cybersecurity alone is not nearly enough. It is also important to ensure the physical security of these devices. Most of these devices are generally quite small and easily accessible and could be tampered with or stolen.
Once stolen, these devices may be taken to another location where they can be disassembled and probed for any data. These stolen devices might also be used to breach the IoT systems to which they are connected. Moreover, a hacker could plant a bug in a device without even having to move it. These issues highlight how important physical security is and why companies need to take steps to ensure the physical safety of their device network.
A lack of IoT-specific security standards
There are several standards for cybersecurity today, and in a lot of cases, companies are even required by law to comply with some of these standards. Unfortunately, no such international standards exist for the IoT. All we have are best practices and recommendations. While steps are being taken to strengthen IoT security, we have yet to see a framework of recognized, international standards for IoT security.
Encryption is more of a challenge than a risk. Here is why: The IoT is still a relatively new technology, and we are still figuring out how to effectively secure it. The IoT boom of the 2010s saw organizations adopt the IoT en masse in a relatively short amount of time. Additionally, most IoT systems contain small devices that simply do not have the processing power to run standard encryption algorithms. This means that we need to create new algorithms that are equally effective and can run on even the simplest device.
There is no doubt that the IoT is the way of the future, but like every new technology, it has its caveats. Because the IoT is still in the early stages of its life cycle, developers are still learning the ropes when it comes to its security. With some systems containing hundreds or even thousands of devices, the stakes are high, and the margin for error grows ever smaller. The good news is that steps are being taken by regulatory bodies to vastly improve data privacy, not only where the IoT is concerned, but across the board.