The growth of IoT has spurred a rush to deploy billions of devices worldwide. Companies in key industries have amassed vast fleets of connected devices, creating gaps in security. Today, IoT security is overlooked in many areas. For example, a large percentage of devices share the “admin/admin” user ID and password because their default settings are never changed.
The reason security has become an afterthought is that most devices are invisible to organizations. Hospitals, casinos, airports, cities, etc. simply have no way of seeing all the devices on their networks. As a result, security threats are on the rise. More than 1.5 billion attacks took place against IoT devices in the first half of 2021, roughly double the previous year.
The cost of a breach to highly regulated industries such as healthcare, utilities, logistics, etc. can be devastating. That’s why organizations operating in these areas need robust device management and security controls to ensure they prevent breaches before they happen. Failure to do so can result in compliance issues and millions of dollars in fines.
Fact: You can’t secure what you can’t see. Here are five critical industries suffering from security blind spots.
Healthcare
Arguably, the most critical industry dependent on IoT devices is healthcare. Hospitals, clinics and vaccine distribution organizations are frequently targeted, and the motive is not always monetary. In some cases, this appears to be sabotage. A recent study by the Ponemon Institute noted that almost a quarter of hospital data breaches originated from a medical or IoT device. Ransomware attempts against hospitals doubled in 2021, threatening hospital revenues and their ability to care for patients.
CISA, the Cybersecurity and Infrastructure Security Agency, formed a COVID Task Force in 2020 to assess threats to patient care and the operation of healthcare and immunization entities. The task force uncovered a wide variety of threats to patient care and survival resulting from attacks that exploit unprotected IoT attack surfaces in hospitals. These include medical devices, as well as security cameras and access controls to physically protect healthcare facilities.
“The Internet of Medical Things is more fragile than expected,” said Josh Corman, chief strategist of the CISA task force. “Prior to the pandemic, in particular, 85% of hospitals in the United States lacked a single security guard on staff.”
Energy and Utilities
Public services are a favorite target of attackers sponsored by nation states. Globally, utilities reported 1.37 billion IoT devices in deployment by the end of 2020. The energy industry as a whole encompasses critical infrastructure – such as smart meters, security cameras and temperature/fire/chemical leak checks – frequently targeted by bad actors.
There are many cases of utility sabotage and ransomware attackers hijacking operational technology. Around the world, energy and utility companies have taken action to protect water supplies, power grids, refineries and pipelines. But we can do more.
Manufacturing
Motives for attacks on manufacturers range from extortion and disruption to terrorism. Targets include industrial control systems (ICS) such as distributed control systems (DCS), programmable logic controllers (PLC), supervisory control and data acquisition (SCADA) systems, and human-machine interfaces (HMI).
Attackers sometimes attempt to take direct control of the PLCs that run plant equipment, rather than accounting or customer records. Attackers took control of PLCs using hard-coded passwords and then succeeded in destroying the expensive machines they controlled.
Cities
Cities rely on 1.1 billion IoT devices for physical security and for the operation of critical infrastructure such as traffic control systems, streetlights, subways and emergency response systems. Any breach or failure of these devices could pose a threat to citizens. You see it in the movies: brilliant hackers control traffic lights across a city, with perfect timing, to guide an armored vehicle into a trap. Then there is real life; for example, when a hacker in Romania took over Washington DC’s outdoor video cameras days before Trump’s inauguration.
Cities are also affected by ransomware; New Orleans and Knoxville, TN are good examples. To prevent this kind of security threat, IoT-dependent cities need 24/7 device management and security to protect public services and assets.
Supply chain and logistics
OT security in transportation lags behind other industries, despite the high stakes in freight, rail, and shipping, where fleet, vessel, and traffic management systems are critical. The Maersk shipping company was unintended collateral damage in 2017 from the NotPetya attack on the Ukrainian government. Maersk was grounded worldwide and barely able to move containers and ships for two weeks.
On the roads, traffic signal systems containing road sensors and LIDAR are linked to the IoT, as are autonomous vehicles. Railways depend on IoT for traffic planning, power supply, maintenance and station control systems. If IoT security starts with device visibility, there is work to be done. Full device visibility is often lacking in large and midsize businesses.
It’s time for IoT security to catch up
The rapidly growing attack surface of IoT device fleets in critical industries is a magnet for attackers. The smarter and more ubiquitous connected devices become, the greater the potential damage. Successful attacks impose huge costs, and bringing IoT devices back online with the assurance that they are no longer corrupted is crucial for compliance and business survival.
A major wave of modernization or replacement of devices for security purposes seems inevitable. Large-scale device management is now ready and can automate security measures like password rotation. Our critical industries and our security depend on advances in security, gaining full visibility into our IoT devices, and using automation to tightly manage devices across the fleet.
Roy Dagan is CEO of Securithings.