The growth of the IoT has triggered a rush to deploy billions of devices worldwide. Companies in key industries have amassed vast fleets of connected devices, creating security gaps. Today, IoT security is overlooked in many areas. For example, a significant percentage of devices share the admin/admin user ID and password because their default settings are never changed.
Security has become an afterthought because most devices are invisible to businesses. Hospitals, casinos, airports, cities, etc. simply have no way of seeing every device on their networks. As a result, security threats are increasing. In the first half of 2021, more than 1.5 billion attacks were perpetrated against IoT devices, about twice as many as in the previous year.
For highly regulated industries like healthcare, utilities, logistics, etc., the cost of a breach can be devastating. Because of this, organizations operating in these areas need robust device management and security controls to ensure they prevent security breaches before they happen. Failure to do so can result in compliance issues and millions of dollars in fines.
Fact: You can’t back up what you can’t see. Here are five critical industries suffering from security vulnerabilities.
The most important industry that depends on IoT devices is healthcare. Hospitals, clinics and vaccine delivery facilities are often targeted, and the motive is not always monetary. In some cases it appears to be sabotage. A recent study by the Ponemon Institute found that nearly a quarter of hospital data breaches originated from a medical or IoT device. Ransomware attacks on hospitals doubled in 2021, threatening hospital revenues and their ability to care for patients.
CISA, the Cybersecurity and Infrastructure Security Agency, formed a COVID task force in 2020 to assess threats to patient care and the functioning of health and vaccine facilities. The task force found a variety of threats to patient care and survival stemming from attacks that exploit unguarded IoT attack surfaces in hospitals. This includes medical equipment, as well as surveillance cameras and access controls for the physical protection of healthcare facilities.
“The Internet of Medical Things is more vulnerable than we anticipate,” said Josh Corman, chief strategist for the CISA task force. “Especially before the pandemic, 85% of hospitals in the US were missing a single security guard on staff.”
Energy and utilities
Utilities are a popular target for nation-state-backed attackers. Utilities worldwide reported that 1.37 billion IoT devices were deployed by the end of 2020. The energy industry as a whole includes critical infrastructure, such as smart meters, security cameras, and temperature/fire/chemical leak controls, that is often the target of attackers.
There are numerous cases of utility sabotage and of ransomware attackers hijacking operational technology. Around the world, energy and utility companies have taken steps to protect water supplies, power grids, refineries and pipelines. But more can be done.
Motives for attacks on manufacturers range from extortion and disruption to terrorism. Targets include industrial control systems (ICS) such as distributed control systems (DCS), programmable logic controllers (PLC), supervisory control and data acquisition systems (SCADA), and human-machine interfaces (HMI).
Attackers sometimes try to take direct control of the PLCs that run factories rather than going after accounting or customer records. Attackers have taken control of PLCs using hard-coded passwords, then successfully destroyed the expensive machines they controlled.
Cities rely on 1.1 billion IoT devices for physical security and to run critical infrastructure such as traffic control systems, streetlights, subways, emergency call systems and more. Any breach or failure of these devices could pose a threat to citizens. You see it in the movies: brilliant hackers control the traffic lights in a city with perfect timing to steer an armored vehicle into a trap. Then there is real life: for example, a hacker in Romania took control of Washington DC’s video cameras days before Trump’s inauguration.
Cities are also being hit by ransomware; New Orleans and Knoxville, TN are cases in point. To prevent this type of security threat, cities dependent on IoT need 24/7 device management and security to protect public services and assets.
Supply chain logistics
OT security of transportation systems lags behind other industries, despite heavy use in freight, rail and ocean shipping – where fleet, vessel and traffic management systems are critical. The Maersk shipping company was unintended collateral damage of the 2017 NotPetya attack on the Ukrainian government. Maersk was paralyzed worldwide and was barely able to move containers and ships for two weeks.
On roads, traffic signal systems with road sensors and LIDAR are connected to the IoT, as are self-driving vehicles. Railways rely on IoT for traffic planning, power supply, maintenance and station guidance systems. If IoT security begins with device visibility, there is work to be done. Large and medium-sized companies often lack full device visibility.
Time for IoT security to catch up
The rapidly expanding attack surface of IoT device fleets in critical industries is a magnet for attackers. The smarter and more ubiquitous connected devices become, the greater the potential damage. Successful attacks incur immense costs, and bringing IoT devices back online with the certainty that they are no longer damaged is critical to compliance and business survival.
A large wave of device upgrades or replacements for safety reasons seems inevitable. Device management at scale is now ready and can automate security measures like password rotation. Our critical industries and security depend on driving security advances, gaining full visibility of our IoT devices, and leveraging automation to tightly manage devices at fleet scale.
Roy Dagan is CEO of SecuriThings.