The growth of IoT has spurred a rush to deploy billions of devices worldwide. Companies across key industries have amassed vast fleets of connected devices, creating gaps in security. Today, IoT security is overlooked in many areas. For example, a sizable percentage of devices share the userID and password of “admin/admin” because their default settings are never changed.
The reason security has become an afterthought is that most devices are invisible to organizations. Hospitals, casinos, airports, cities, etc. simply have no way of seeing every device on their networks. As a result, security threats are on the rise. More than 1.5 billion attacks occurred against IoT devices in the first half of 2021, roughly double the previous year.
The cost of a breach for highly regulated industries such as healthcare, utilities, logistics, etc. can be devastating. That’s why organizations operating in these areas need robust device management and security controls to ensure they prevent breaches before they happen. The failure to do so can result in compliance issues and millions of dollars in fines.
Fact: you can’t secure what you can’t see. Here are five critical industries suffering from blind spots in security.
Arguably, the most critical industry dependent on IoT devices is healthcare. Hospitals, clinics, and vaccine delivery entities are frequently targeted, and the motive is not always monetary. In some cases, it appears to be sabotage. A recent Ponemon Institute study noted that nearly a quarter of hospital data breaches originated from a medical or IoT device. Ransomware attempts on hospitals doubled in 2021, threatening hospital revenue and their ability to care for patients.
CISA, the Cybersecurity and Infrastructure Security Agency, formed a COVID Task Force in 2020 to evaluate threats to patient care and function of healthcare and vaccine entities. The Task Force found a wide variety of threats to patient care and survival stemming from attacks that exploit unguarded IoT attack surfaces in hospitals. These include medical devices, as well as security cameras and access controls to physically protect healthcare facilities.
“The Internet of Medical Things is more brittle than we expect. Before the pandemic, notably, 85% of hospitals in the U.S. lacked a single security person on staff.” Josh Corman, chief strategist of the CISA Task Force
Energy and utilities
Utilities are a favorite target of nation-state-sponsored attackers. Globally, utilities reported 1.37 billion IoT devices in deployment by the end of 2020. The energy industry as a whole encompasses critical infrastructure such as smart meters, security cameras and temperature/fire/chemical leak controls frequently targeted by bad actors.
There are numerous cases of utilities sabotage, and of ransom attackers hijacking operational technology. Around the world, energy and utility companies have taken steps to protect water supplies, power grids, refineries, and pipelines. But more can be done.
The motives for attacks on manufacturers range from extortion and disruption to terrorism. Targets include industrial control systems (ICS) such as distributed control systems (DCS), programmable logic controllers (PLC), supervisory control and data acquisition (SCADA) systems, and human machine interfaces (HMI).
Attackers sometimes attempt to take direct control of the PLCs that run factory equipment, rather than going after accounting or customer records. Attackers have seized control of PLCs that used hardcoded passwords, and then successfully destroyed the expensive machinery they controlled.
Cities rely on 1.1 billion IoT devices for physical security and for operating critical infrastructure, including traffic control systems, streetlights, subways, emergency response systems and more. Any breach or failure in these devices could pose a threat to citizens. You see it in the movies: brilliant hackers control the traffic lights across a city, with perfect timing, to guide an armored vehicle into a trap. Then there’s real life; for instance, when a hacker in Romania took control of Washington DC’s outside video cameras days before the Trump inauguration.
Cities are also being hit by ransomware; New Orleans and Knoxville, TN are cases in point. To prevent this type of security threat, cities dependent on IoT require 24/7 device management and security to protect public services and assets.
Supply chain & logistics
Transportation system OT security has lagged behind that of other industries, despite the high stakes in freight, rail, and maritime shipping, where fleet, vessel and traffic management systems are critical. Shipping firm Maersk was unintended collateral damage of the 2017 NotPetya attack against Ukraine’s government. Maersk was paralyzed worldwide and was barely able to move containers and ships for two weeks.
On roadways, traffic signalling systems containing road sensors and LIDAR are IoT-linked, as are self-driving vehicles. Railways depend on IoT for traffic planning, power supply, maintenance, and station control systems. If IoT security begins with device visibility, there’s work to do. Full device visibility is often lacking at large and medium-sized organizations.
Time for IoT security to catch up
The fast-growing attack surface of IoT device fleets in critical industries is a magnet for attackers. The more intelligent and ubiquitous connected devices become, the greater the potential damage. Successful attacks impose immense costs, and getting IoT devices back online with the assurance that they are no longer corrupted is crucial to compliance and business survival.
A major wave of device retrofits or replacements for security purposes seems inevitable. Device management at scale is ready now and can automate security measures like password rotation. Our critical industries and our safety depend on pushing security advances, getting complete visibility of our IoTs, and using automation to tightly manage devices at fleet scale.