Research by Housing Technology shows that across the housing sector over 75 per cent of organisations are deploying or planning to deploy IoT projects within the next 24 months. The main drivers for these IoT projects are improving tenant and building safety, better asset management, and more efficient repairs and maintenance.
There are several parts to an IoT system: the installed devices; the infrastructure or communication channels that transfer this data; and the data storage and analysis systems (often in the cloud, via Microsoft Azure or Amazon Web Services).
The ever-expanding attack surface
This spider’s web of connectivity and communications significantly expands what is known as the ‘attack surface’ – the area that cyber attackers can target in their attempts to breach a network, steal information, disrupt operations, build botnets, release ransomware and more.
The results of such an attack can range from disruption and downtime to the loss of large amounts of sensitive data. This could put the organisation in breach of data protection regulations, adding to the cost and impact of an attack. In some cases, such as where IoT devices are used for health or safety monitoring, a cyber-attack could potentially prove fatal. An effective approach to cyber-security is therefore critical. Here is our recommended cyber-security checklist for IoT systems:
1. Know what you have, where it is, and have full visibility of what’s going on all the time
It’s important to keep track of the IoT devices being connected to and disconnected from your network and ensure you have overall visibility and management control so that suspicious alerts and threats aren’t missed. Ensuring that your security technologies can talk to each other and share data on new or potential threats is also key; a disconnected patchwork of point security solutions won’t work for IoT.
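One concrete way to keep track of what is joining and leaving the network is to replay DHCP lease events against a register of the devices you actually installed. The following is an added example and not code from the article or from Barracuda: the asset register, the dnsmasq-style log lines and the `review_inventory` function are constructed for illustration, and the regular expression would need adapting to whatever your DHCP server really writes.

```python
"""Added example (not from the article): an inventory check that flags unknown
devices joining the network, using DHCP lease log lines. The asset register
and log lines below are constructed; the log format is dnsmasq-style and the
regex must be adapted to whatever your DHCP server actually writes."""
import re
from collections import namedtuple

# Constructed asset register: MAC -> (description, installed location)
KNOWN_ASSETS = {
    "aa:bb:cc:00:00:01": ("boiler temperature sensor", "Block A plant room"),
    "aa:bb:cc:00:00:02": ("hallway camera", "Block A ground floor"),
    "aa:bb:cc:00:00:03": ("smoke detector gateway", "Block B roof space"),
}

# Constructed DHCP lease events (hypothetical dnsmasq-style format)
SAMPLE_DHCP_LOG = """\
Mar 12 08:01:10 dhcp dnsmasq-dhcp[412]: DHCPACK(eth0) 10.20.0.11 aa:bb:cc:00:00:01 boiler-sensor
Mar 12 08:01:12 dhcp dnsmasq-dhcp[412]: DHCPACK(eth0) 10.20.0.12 aa:bb:cc:00:00:02 hall-cam
Mar 12 08:03:45 dhcp dnsmasq-dhcp[412]: DHCPACK(eth0) 10.20.0.57 de:ad:be:ef:12:34 android-9f2c
Mar 12 08:04:01 dhcp dnsmasq-dhcp[412]: DHCPACK(eth0) 10.20.0.13 aa:bb:cc:00:00:03 smoke-gw
Mar 12 08:09:22 dhcp dnsmasq-dhcp[412]: DHCPRELEASE(eth0) 10.20.0.11 aa:bb:cc:00:00:01
"""

LEASE_RE = re.compile(
    r"DHCP(?P<event>ACK|RELEASE)\(\S+\)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
    r"(?:\s+(?P<host>\S+))?"
)

LeaseEvent = namedtuple("LeaseEvent", "event ip mac host")


def parse_leases(log_text):
    """Parse DHCPACK/DHCPRELEASE lines into LeaseEvent records (MACs lower-cased)."""
    events = []
    for line in log_text.splitlines():
        m = LEASE_RE.search(line)
        if m:
            events.append(LeaseEvent(m["event"], m["ip"], m["mac"].lower(), m["host"]))
    return events


def review_inventory(log_text, known=KNOWN_ASSETS):
    """Replay lease events in order and return three sorted lists:
    unknown - (mac, ip, hostname) for devices that took a lease but are not registered
    online  - MACs of registered devices still holding a lease at the end of the log
    offline - MACs of registered devices not holding a lease at the end of the log
    """
    online = {}
    unknown = {}
    for ev in parse_leases(log_text):
        if ev.event == "ACK":
            if ev.mac in known:
                online[ev.mac] = ev
            else:
                unknown[ev.mac] = ev      # keep it even if it later releases the lease
        elif ev.event == "RELEASE":
            online.pop(ev.mac, None)
    unknown_list = sorted((mac, e.ip, e.host) for mac, e in unknown.items())
    online_list = sorted(online)
    offline_list = sorted(set(known) - set(online))
    return unknown_list, online_list, offline_list


if __name__ == "__main__":
    unknown, online, offline = review_inventory(SAMPLE_DHCP_LOG)
    for mac, ip, host in unknown:
        print(f"ALERT unregistered device {mac} ({host}) took lease {ip}")
    for mac in offline:
        desc, where = KNOWN_ASSETS[mac]
        print(f"WARN registered device offline: {desc} at {where} ({mac})")
    print("online:", online)
```

Run against a real lease log, the unknown list is the "what’s on my network that I didn’t put there" question answered from data you already have, and the offline list catches a registered safety device that has silently dropped off. MAC addresses can be spoofed, so treat this as a first visibility layer rather than an access control.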
2. Determine the size of your attack surface
To do this, you need to determine the sum of vulnerabilities or weak points currently present on your network, both physical and digital. There are three places to look:
Vulnerabilities within connected endpoint devices such as sensors or cameras or in the underlying software and hardware. Attackers can target any outdated components, unpatched software, insecure default settings and under-protected connections to the internet and IoT, among other things.
The underlying infrastructure that connects all your IoT devices and transfers the data traffic; data can be intercepted or the traffic systems overwhelmed in denial-of-service (DoS) attacks.
All the applications and software your organisation relies on. Each application and piece of software carries risk and many web applications and application programming interfaces (APIs) have access to sensitive data that they don’t always adequately protect. A breach can result in identity theft, credit-card fraud and exposure of confidential information.
3. Robust access controls
One set of stolen account credentials can be all it takes to access your IoT network. Such credentials are often scarily easy to come by. Attackers could target employees or residents through ‘phishing’ emails designed to trick them into sharing their login details, or buy previously compromised credentials on the dark web. ‘Brute forcing’ accounts, with many combinations of name and password, may well succeed if the password is easy to crack.
The solution is to have a robust email security solution, effective password policies and to raise employee awareness about basic cyber hygiene. Ensure that only people who need access to certain systems are granted access. In addition, consider introducing multi-factor authentication for accounts and even moving towards zero-trust access policies to really secure your IoT system.
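Brute forcing and credential reuse leave a recognisable trace in authentication logs, and watching for it is part of the "robust access controls" the checklist asks for. The block below is an added example, not code from the article or from Barracuda: it runs simple detection rules over constructed log lines in a hypothetical format, flagging repeated failures against one account, a success that follows such a burst (the case that warrants a forced credential reset), and one source trying many different account names. The thresholds, addresses and log format are all assumptions.

```python
"""Added example (not from the article): detection logic for the credential
attacks the checklist describes, run over constructed authentication log lines.
The log format, thresholds and addresses are assumptions for this example."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log lines (hypothetical format), in chronological order
SAMPLE_AUTH_LOG = """\
2024-03-12T09:00:01Z portal auth: FAIL user=j.smith src=203.0.113.9
2024-03-12T09:00:03Z portal auth: FAIL user=j.smith src=203.0.113.9
2024-03-12T09:00:04Z portal auth: FAIL user=j.smith src=203.0.113.9
2024-03-12T09:00:06Z portal auth: FAIL user=j.smith src=203.0.113.9
2024-03-12T09:00:07Z portal auth: FAIL user=j.smith src=203.0.113.9
2024-03-12T09:00:09Z portal auth: OK user=j.smith src=203.0.113.9
2024-03-12T09:02:00Z portal auth: FAIL user=a.jones src=198.51.100.4
2024-03-12T09:05:00Z portal auth: FAIL user=b.patel src=192.0.2.77
2024-03-12T09:05:02Z portal auth: FAIL user=c.khan src=192.0.2.77
2024-03-12T09:05:04Z portal auth: FAIL user=d.owen src=192.0.2.77
2024-03-12T09:05:06Z portal auth: FAIL user=e.lee src=192.0.2.77
2024-03-12T09:31:00Z portal auth: OK user=a.jones src=198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z\s+\S+\s+auth:\s+"
    r"(?P<result>OK|FAIL)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse_auth_log(log_text):
    """Yield (timestamp, result, user, src) tuples for well-formed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
            yield ts, m["result"], m["user"], m["src"]


def detect_credential_attacks(log_text, fail_threshold=5, spray_threshold=4, window_s=300):
    """Return a list of (alert_type, src, user) in the order the alerts fire.

    brute_force               - >= fail_threshold failures for one (src, user) within window_s
    success_after_brute_force - a login succeeded for a (src, user) pair already flagged
    password_spray            - one src failed against >= spray_threshold distinct users within window_s
    Input lines must be in chronological order.
    """
    recent_fails = defaultdict(deque)        # (src, user) -> failure timestamps inside the window
    last_fail_per_user = defaultdict(dict)   # src -> {user: time of last failure}
    flagged_pairs, flagged_sprayers, alerts = set(), set(), []

    for ts, result, user, src in parse_auth_log(log_text):
        key = (src, user)
        q = recent_fails[key]
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()                      # drop failures that fell out of the window

        if result == "FAIL":
            q.append(ts)
            if len(q) >= fail_threshold and key not in flagged_pairs:
                flagged_pairs.add(key)
                alerts.append(("brute_force", src, user))
            last_fail_per_user[src][user] = ts
            active = [u for u, t in last_fail_per_user[src].items()
                      if (ts - t).total_seconds() <= window_s]
            if len(active) >= spray_threshold and src not in flagged_sprayers:
                flagged_sprayers.add(src)
                alerts.append(("password_spray", src, None))
        else:
            if key in flagged_pairs:
                # Likely compromise: force a credential reset and check MFA was enforced
                alerts.append(("success_after_brute_force", src, user))
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_attacks(SAMPLE_AUTH_LOG):
        print(alert)
```

The single failure from a.jones never trips a rule, which is the point of the window: a mistyped password is not an attack. The `success_after_brute_force` alert is the one to act on immediately, and it is also the event that multi-factor authentication, as the checklist recommends, would have prevented from mattering.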
4. Protect data at source, during transit and in storage
Data on the move is often vulnerable, especially if it is unencrypted or if access controls are weak. The same applies to the place where data is stored. Wherever your data is, it needs to be encrypted and protected by strong access controls. Data in transit and in storage also needs to be protected by network security tools such as firewalls (including web application firewalls for cloud storage) and network access controls.
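"Encrypted" on its own is not enough for data in transit: a device or gateway that uses TLS but skips certificate verification can still be intercepted. The following is an added example, not code from the article or from Barracuda, using only Python’s standard `ssl` module: a weak client configuration beside a hardened one, and a small `audit_context` check that flags the weak settings. How a particular gateway or collector actually opens its connection to the cloud platform is an assumption; only the settings are the point.

```python
"""Added example (not from the article): a weak TLS client configuration beside
a hardened one, plus a small audit function, using only Python's standard ssl
module. How an IoT gateway or collector actually connects to the cloud platform
is an assumption; the settings themselves are what matter here."""
import ssl


def weak_client_context():
    """Insecure: accepts any server certificate and skips hostname checks, so
    anyone in the network path can stand in for the real server. Built only so
    that audit_context() has something to flag."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1   # allow obsolete protocol versions
    except ValueError:
        pass  # some OpenSSL builds refuse to enable TLS 1.0 at all, which is fine
    return ctx


def hardened_client_context(ca_file=None):
    """Verify the server's certificate chain and hostname and refuse TLS < 1.2.
    Pass the path of your platform's CA bundle as ca_file if it uses a private CA."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Return a list of findings for a client SSLContext; an empty list means acceptable."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("server hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 are accepted")
    return findings


if __name__ == "__main__":
    print("weak:", audit_context(weak_client_context()))
    print("hardened:", audit_context(hardened_client_context()))
```

The same three questions (is the peer verified, is the hostname checked, is the minimum protocol version acceptable) are worth asking of every device firmware, gateway and cloud connector in the system, whatever language it is written in; they are the settings most often relaxed "temporarily" during commissioning and never restored.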
5. Secure software applications
Many applications are now API-based. This creates a large new attack surface for cybercriminals as API-based applications offer direct access to all the sensitive data for the application. Having application security in place and making sure it is configured correctly is essential.
Network and web application firewalls will also help to keep the botnets at bay. Botnets are webs of internet-connected devices designed to steal data, compromise networks, send spam, distribute malware and more. The botnets carry malware to access and infect IoT devices and breach the network they are connected to. They also scan applications for weaknesses.
Many botnets are also looking to recruit additional ‘bots’ and your infected IoT devices could be co-opted into a giant botnet and used by attackers to target other devices, often without your knowledge.
6. Don’t forget about physical tampering
Distributed devices installed in accessible places can be tampered with physically and this can also represent a cyber risk. For example, devices installed in publicly accessible hallways or outside could allow attackers to steal a memory card to read its contents, thereby accessing data and information that might let them access other connected systems.
As housing providers continue to integrate cloud technology into their daily processes, the number of devices connected to the network grows. This increases risk, making monitoring an even more challenging task. Effective cyber-security designed for cloud-based, distributed IoT systems, accompanied by device management systems and employee (and user) education are all vital ingredients of a robust security posture.
Stefan Schachinger is a senior product manager for network security at Barracuda.