Smart Cities Under Attack: Why it Pays to Think Twice About IoT Security

The Internet of Things is transforming businesses across the planet. It has the power to make them safer, more efficient, productive, environmentally friendly, and agile. But there’s a real danger that these new systems could be used not just to infiltrate corporate networks or be hijacked into botnets, but also to cause widespread panic and endanger lives across new smart city environments. A new paper published at Black Hat has painted exactly that scenario. Unfortunately, it’s not the first.

To mitigate the threats posed by our new IoT-powered world, we need to take action at every layer of this complex ecosystem. That means driving manufacturers to develop more secure devices, organisations to implement and configure them more securely, and the security industry to step up with practical solutions to keep systems safe going forward.

Already those in the know are expressing concerns about an IoT market that’s expanding fast but driven by commercial and functionality demands rather than security. A new Tripwire poll of security professionals at Black Hat found 60% are more concerned about IoT security this year than they were in 2017. They claimed to be most concerned about exposure of personal data, botnets, and network compromise.

They certainly have cause to be concerned. With an estimated 20.4 billion things set to be in use by 2020, and over seven billion specifically for use in businesses, the size of the corporate attack surface is growing rapidly. As the Mirai attacks of 2016 showed us, many devices can be conscripted into botnets simply by trying known, factory-default login combinations. But as those security pros warned, exposed endpoints could also be hijacked as a useful stepping stone into corporate networks. The issue is that many IoT devices are left unprotected and unpatched, despite being always-on and connected to the public internet. Many IT departments don’t even know these devices exist when they’ve been purchased by other enterprise groups.

It starts with manufacturers getting serious about security. The truth is that IT buyers are increasingly wary of purchasing IoT devices because they can’t be trusted. That means there’s a huge opportunity for device makers to differentiate by investing more in security. A new BSI kitemark for IoT will help drive these investments in the UK by making it easier for buyers to spot trustworthy products. Hopefully the initiative will spread across Europe.

Buying more secure products is one thing, but organisations must also do their bit by ensuring they are implemented in secure systems. Leaving them exposed to the public internet is just asking for trouble. With increasingly limited in-house resources, this is where IT security managers could seek the advice of third-party experts, MSSPs and trusted vendor partners.

Fortunately, IT security vendors are catching up to the growing threat. IT managers should look for automated, centralized solutions which can enforce the full gamut of security controls right down to the IoT device level. Combine these with best-practice security, including regular pen testing and app scanning, strong password enforcement, regular patching of devices, and network segmentation.