The adoption of IoT is almost ubiquitous. From the home to the car to the office and the factory, IoT now forms a significant percentage of the number of devices connected to our home, cellular and business networks.
In 2022 IoT adoption grew by 18% globally. While homes are now filled with a wide variety of IoT devices that vacuum and mop our floor while we are out, to devices that allow us to view who rings at our front door, to monitor our babysitters, and pets, or to control the thermostat of our homes from a smart phone during the drive there.
IoT also allows us to automate many functions of our homes via spoken instructions to a Smart Speaker to turn on lights, draw curtains, or any number of other mundane tasks once performed by humans. The convenience of these devices is immediately apparent to all of us, especially if we would rather not get up from bed to turn off a light at night.
The security concerns of IoT personal devices
What is less apparent, is the cybersecurity risks of IoT. Especially if these devices are connected to the same unsegmented home network that you use for banking, stock trades, or for work. IoT devices just like your Smart TV needs to be on a separate firewalled network if you don’t want your family photos deleted or held to ransom by a cyber-criminal. Someone who perhaps also encrypts your data, and willingly empties your bank account and retirement investments for you at the same time. Yet most of us are blissfully ignorant of these and many other cybersecurity risks in our lives.
For example, few of us are aware that our smart speaker is listening in and recording our conversations with the doctor, our legal team, or our investment advisor, unless we disable or power it off first? Or that our Amazon smart devices will connect to the best network signal in order to reach the internet, regardless of whether that’s your neighbor’s WiFi or our own. The same is true for a neighbor for whatever he or she chooses to do using your internet connection.
These devices are used in the home and in the workplace as is often a camera doorbell which can be hacked by someone sat in a car on the road outside.
IoT cybersecurity risks in the workplace
Security concerns over IoT remain rife in the workplace too where its growing use has massively increased the cyber attack surface. In hospitals today, 75% of IP connected assets are now unmanaged by hospital IT, and the vast majority of these, are medical and other IoT devices. Perhaps devices that attach to patient on one side and the internet on the other side. This includes everything from diagnostic systems like Xray, CT, PET, and ultrasound, to radiotherapy and chemotherapy systems used to treat patients, and network connected infusion pumps used to deliver drugs to the sick or dying. It includes patient monitoring systems for O2 saturation, pulse, heartbeat, blood pressure and other vitals. And it includes critical hospital building management systems like HVAC, used to manage positive and negative airflow to keep ORs clean and disease free, and COVID patients from infecting everyone else. Plus, there’s the lifts and elevators vital for transporting patients between floors, CCTV cameras to monitor doors and hallways, and electronic door locks to open and close secure parts of the building when a security access card is swiped.
These are just some of many IoT systems all now connected to the hospital network and often managed by a third-party vendor from many miles away via the internet. Hospitals today are full of connected autonomous robots for pharmacy, surgery, drug dispersal, laboratory and bloodwork transportation and analysis. IoT helps to drive up speed and efficiency and at the same time drive down costs. The same is true in other industries. IoT has become ubiquitous and omnipresent, and nearly all of it, is now connected.
IoT is inherently insecure
This is all great till we consider cybersecurity. IoT is inherently insecure. It was never designed to be secure. A simple programmable logic controller (PLC) was designed for simple repetitive tasks like opening and closing an elevator door at the right spot millions of times during its lifespan. It might require some adjusting by a technician periodically as cables stretch but the PLC remains unchanged. Nor were its creators’ business models designed to include support margins for things like the development, testing and release of critical security patches or updates. The result is that a lot of IoT is considered disposable. Use it till it breaks then send it to the landfill.
IoT is largely unregulated, though things are changing slowly, very slowly in fact. IoT was designed to perform simple tasks repetitively. It wasn’t designed to keep cybercriminals out of your network nor was its architecture designed for extensibility or longevity. The result is that even if a security patch or newer operating system is available for a user to install, chances are that the IoT device lacks the system resources to run that update. It simply wasn’t designed for the future as a PC might be.
Few today would consider conducting their internet banking on a Windows 95 PC, yet many of the medical devices that keep our relatives alive in hospitals are running an embedded version of exactly that – Windows XP. IoT represents perhaps the biggest patient safety risk in our hospitals and the greatest cybersecurity risk in our homes. Even our connected cars are not immune from cyber-attack, thanks to their reliance upon more and more connected IoT.
The 2017 WannaCry attack against the NHS, the 2021 Zeppelin attack against some of the New Zealand health system, and the recent attacks against Parisian hospitals all took advantage of the vulnerabilities in medical and other IoT devices.
But these IoT risks are well known. Some 64% of security professionals in healthcare cited insecure medical devices as their biggest security concern in polls. However, most organisations lack visibility of their networks, which means they aren’t aware of exactly what is connected to their networks and the risks at each endpoint. Organisations don’t manage the security of IoT in the same way they manage security risks and patching in IT environments, especially if that environment is Windows based and needs 100+ patches installed every second Tuesday of the month.
IoT deployments are growing in numbers much faster than the growth in IT. That growth is also proliferating outside of the organisation. During the height of COVID, recovering patients were sent home from the hospital as soon as possible to free up beds for others. They were sent home often with various patient monitoring devices which reported back to the hospital or to their local care team. These IoT devices connected over the internet from patient homes, mostly via a VPN, but sometimes not, while adoption of telehealth and telemedicine escalated. This means that the cyber threat surface is bigger now than it was in 2019 and much of that is being driven by IoT.
How to reduce the cybersecurity risks of IoT
Firstly, you can’t secure what you don’t know about, and most organisations have a limited, at best, inventory of the IoT endpoints that connect to their networks. Spreadsheets and asset inventory systems rely on humans and humans are prone to making errors. Network scans only tell you what is connected to the network when the scan is conducted. IoT systems unlike servers and PCs are powered on and off as they are needed, so any point-in-time assessment is just that, conducted at a point in time. Nor do ordinary network scans tell you exactly what are, each of the tens of thousands of devices you may see during a scan.
It’s important to use a solution which can conduct deep network traffic analysis, allowing for accurate device identification, and informed vulnerability risk and threat analysis. Furthermore, use a system that can create a “digital twin” of discovered devices to enable real-time packet-level analysis of device behavior without operational disruption or physically interacting with the devices.
Not all IoT devices pose a security risk to the network, but those that do need to be addressed and where possible remediated. Owners have several options, remove a risk by decommissioning a device, (but this may prove to be very expensive), remediate a risk via patching if possible to remove said risks, (assuming a patch is available of course), accept a risk temporarily and plan for a replacement as soon as possible, (in other words punt or gamble on the risk and hope that you don’t get caught), transfer that risk via risk insurance or third party management, or adopt compensating security controls to mitigate that risk factor.
Some IoT devices like medical devices can be very expensive – £30m for a new CT scanner for example. Most have an expected lifespan measured best in decades rather than years and large CapEx outlays are consequently amortized over decades on hospital books. This means throwing out a perfectly working £30m asset simply because its insecure, is not usually an option, especially for cash strapped health systems like the NHS. This means that Trusts and other organisations need to find a different way of managing risk in the form of compensating security controls.
In most cases this means locking down risky devices following the principles of ‘Zero Trust’ by using software defined networking (SDN) tools and network access controls (NAC) most of which are already owned and implemented by trusts. The difficulty with these tools is you first need to create and validate an accurate network communication profile for each device. Multiply that by possibly 130,000 risky devices across, for example a typical hospital trust or manufacturing plant, and you may need a small army to create those profiles manually.
Some cybersecurity solutions can automate this process for you however automation and orchestration shouldn’t stop there. Systems must be able to report anomalous activity to security operations tools in the SOC (Security Operations Centre) for SIEM (Security Information and Event Management) and other alerting. Given the speed at which cyber-attacks take place today speed is of the essence. So is automation. The minute a decision needs to be reviewed by a Human, that introduces delay, by which time malware could have spread across much of the network impacting hundreds of systems rather than just a few. Nor do security teams have the resources to manage every alert, meaning they could miss one, and that introduces risk.
Security, just like driving a race car, requires excellent visibility and lightening reactions. With so many IoT connected devices today, you need to know where your assets are and what risk each of them poses. It’s perhaps not unlike the days of 1980s rallycross where spectators line the track, and you are never quite sure who will run across the track or step out at the wrong time to take a photograph. With more and more IoT assets connecting to our network the chances of a disaster increase every single day. That’s why we need to get in front of rising risks using automated tools as soon as possible. Failing that we are each sure to make the headlines.
About the Author
Richard Staynings grew up in the UK and is now an internationally renowned expert in the field of healthcare cybersecurity. He has presented at security conferences across the world and has served on various government Committees of Inquiry into some of the largest healthcare breaches. He serves as Chief Security Strategist for Cylera, pioneers in IoT and IoMT (Medical IoT) cybersecurity with offices in Cheltenham, Madrid and New York, and teaches post graduate courses in cybersecurity and health informatics at University College Denver. Follow Richard on Linkedin or at Cylera.
Featured image: ©Maksim Shmeljov