Given the permeating nature of IoT and Industrial IoT devices in our daily lives, from smart homes to smart cities, one cannot escape the growing cybersecurity risks associated with these devices. It might leave CISOs with a lot of questions about how this newer, growing attack vector could impact their business. We hope to answer a few of those questions here.
Have regulatory bodies done anything for IoT Security?
Yes. In fact, the risk is growing so much that NIST released its draft security feature recommendations for IoT Devices on August 1st. The draft report identifies cybersecurity features that can make IoT devices minimally securable. Even though the report’s tagline is A Starting Point for IoT Device Manufacturers, its recommendations are useful to all consumers.
Do criminals really care about IoT?
The viability of IoT devices leveraged by global threat actor groups for criminal gains and other nefarious reasons is only starting to be recognized. In our research paper, “The Internet of Things in the Cybercrime Underground,” we detail what products and services are being pedaled in Russian, Portuguese, English, Arabic, and Spanish underground communities. While the current market for compromised IoT infrastructure is low we do expect it to grow significantly in the coming months and years. Unfortunately, as the cybercriminal market grows so does the risk.
What about IIoT?
As you might expect, these risks don’t stop with consumer-grade IoT devices. The Government Accountability Office (GAO) recently released a report that raises concerns about power grid vulnerabilities. It notes the growing convergence of IT and OT in relation to the use of IoT devices throughout plants and utilities. One impact of this convergence hits when compromised IoT devices could be leveraged to take out power plants. These systemic and technical vulnerabilities could lead to cascading effects if not addressed soon. As we move toward hyperconnected homes and cities, power and communication infrastructure becomes more and more critical.
As we have collectively adopted a shared responsibility model in cloud security, we must do the same for IoT and Industrial IoT at a global scale. This will take partnership from governments, academia, manufacturers, standards bodies, and the cybersecurity industry to make any difference. I can confidently say we at Trend Micro are doing everything we can to partner at each level to do our part in making this security a reality.
Is IoT risk being properly addressed in your enterprise risk strategy? Share your plans or concerns.