Managing vulnerabilities in a digitised world
Today’s digital and physical worlds are on an irreversible collision course. Over the next few years, organisations will be plunged into crisis as ruthless attackers exploit weaknesses in immature technologies and take advantage of an unprepared workforce. At the same time, natural forces will ravage infrastructure.
As new technologies emerge, organisations will need to adapt to the changing norms and values of society. Information security teams will need to consider the suitability of implementing evolving or poorly secured technology within the organisation. Failure to protect against pervasive attacks will leave operations exposed to significant negative financial impacts and damage to brand reputation.
In the coming years, Internet of Things (IoT) infrastructure will become unmanageable and impossible to secure effectively, with attackers discovering a growing number of abandoned, network-connected devices and subsequently compromising them. Organisations will find themselves unable to patch, update and operate a range of IoT devices that will be phased out of production by manufacturers who have gone out of business or have discontinued support.
These devices will be forgotten by organisations and abandoned by their manufacturers. They will be left vulnerable and remain embedded in places such as underground pipes, air conditioning ducts and factory assembly lines, yet will continue to connect to networks. Frequent overhauling of IoT estates will result in a combination of new IoT ecosystems coexisting with old and forgotten ones. Not only will these abandoned devices create an ingress point for attackers within a corporate network, they may also pose real hazards to related machinery and critical infrastructure.
The Internet of Forgotten Things (IoFT), as we call it, will leave a dangerous legacy of connected devices that are unpatched, unprotected and vulnerable to a range of attacks, which will come back to bite organisations. Nation states, organised criminal groups and hackers will take advantage of these devices. They will exploit vulnerabilities common to whole classes of devices and use forgotten IoT devices as an entry point into many organisations, causing financial and operational damage.
What is the justification for this threat?
Organisations’ desire for data and analytics, fuelled by high-speed connectivity, will drive the IoT to grow at a frightening speed. With the growing development of 5G networks, devices will spread further into offices, homes and factories. Studies have found that 90 per cent of senior executives in the technology, media and telecommunications industries said that IoT devices are critical to some or all lines of their business. Ericsson estimates that more than 22 billion IoT devices will require a critical end-to-end security framework over the coming years, but currently devices lack the required security.
With incredibly short production times, heightened consumer demand for new products and high turnover rates of IoT devices, the ability of manufacturers to continue supporting a range of IoT devices will diminish. A report by CSS Cyber Defence stated that there is an alarming number of unsecured or obsolete consumer and industrial IoT devices that are no longer supported by their manufacturers but are still being used. This number is expected to grow as device manufacturers phase out support for devices or go out of business. When IoT manufacturers or retailers go out of business, valuable data will be lost – including confidential or personal information.
Gartner estimates that a quarter of cyber attacks will involve IoT devices in 2020 and beyond. With vulnerabilities being shared among devices and a lack of devices being updated and patched, it is plausible that an epidemic similar to the Mirai malware – where attackers turned exploitable IoT devices into botnets – may soon impact devices that are currently embedded within organisations but have lost manufacturer support. As IoT estates grow and organisations become more dependent upon them to operate, the number of opportunities attackers will have to exploit organisations will multiply.
Many Western governments and regulators are beginning to introduce security guidelines for IoT manufacturers. However, the lack of uniformity between these international guidelines will continue to be a problem for organisations. In addition, chip manufacturers across China and Southeast Asia, with vastly different or non-existent IoT regulations, continue to be critical component manufacturers for IoT devices made and used across the US and Europe.
The widespread proliferation of the IoT across a growing number of industry and consumer markets means that, if inappropriately managed, it will fast become a major security concern and risk to organisations. IoT hardware researchers are currently struggling to protect IoT devices, as they are built into a range of proprietary operating systems with differing communication protocols. This makes it incredibly difficult to develop monitoring and defensive countermeasures that run across an entire estate of devices. The IoFT will intensify this already alarming risk.
With the number of devices growing both in the workplace and homes, combined with an unmanageable supply chain, the threat of forgotten, unpatched and unsupported devices coming back to bite organisations cannot be ignored any longer.
How should your business prepare?
With the number of IoT devices within organisations expanding, it will become increasingly important to locate, update and patch them.
In the short term, organisations should conduct a discovery exercise to create an IoT asset inventory and run an active decommissioning or reactivation programme for the devices it uncovers. In the long term, they should create a micro-segmentation architecture for IoT devices. Additionally, IoT should be incorporated into the IT sourcing strategy, with rigorous procurement procedures included. Finally, ensure that IoT devices do not create operational dependencies.
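As an added illustration of the short-term steps above (not code from the article or the Information Security Forum), the following Python reconciles a constructed asset register against devices observed on the network and sorts each device into the decommission/reactivate/investigate decision the programme needs. All device names, MAC addresses, vendors and dates are constructed sample values; the one-year patch-age threshold is an assumed policy.

```python
from datetime import date

# Constructed sample register produced by the discovery exercise (not real devices).
# support_ends None means the manufacturer is gone or never published an end date.
INVENTORY = [
    {"mac": "00:11:22:aa:bb:01", "name": "hvac-ctrl-3", "vendor": "ExampleHVAC",
     "support_ends": date(2019, 6, 30), "last_patched": date(2018, 11, 2), "owner": "facilities"},
    {"mac": "00:11:22:aa:bb:02", "name": "pipe-sensor-7", "vendor": "DefunctSensorCo",
     "support_ends": None, "last_patched": date(2017, 3, 15), "owner": None},
    {"mac": "00:11:22:aa:bb:03", "name": "line-cam-1", "vendor": "ExampleCam",
     "support_ends": date(2026, 1, 1), "last_patched": date(2022, 12, 1), "owner": "production"},
    {"mac": "00:11:22:aa:bb:04", "name": "door-ctrl-2", "vendor": "ExampleAccess",
     "support_ends": date(2027, 1, 1), "last_patched": date(2024, 2, 20), "owner": "facilities"},
]
# Constructed observations (e.g. from DHCP leases or switch ARP tables): MAC -> last seen.
OBSERVED = {
    "00:11:22:aa:bb:01": date(2024, 5, 1),
    "00:11:22:aa:bb:03": date(2024, 5, 1),
    "00:11:22:aa:bb:04": date(2024, 5, 1),
    "00:11:22:aa:bb:99": date(2024, 4, 30),  # talks on the network but is not in the register
}

def classify(inventory, observed, today, max_patch_age_days=365):
    """Return a decision per MAC: 'decommission', 'reactivate', 'investigate' or 'ok'."""
    decisions = {}
    known = set()
    for dev in inventory:
        known.add(dev["mac"])
        unsupported = dev["support_ends"] is None or dev["support_ends"] < today
        stale = (today - dev["last_patched"]).days > max_patch_age_days
        if dev["mac"] not in observed:
            # Registered but silent: confirm it is physically gone, then retire the record.
            decisions[dev["mac"]] = "decommission"
        elif unsupported or dev["owner"] is None:
            # Still connecting, but nobody can patch it or is responsible for it.
            decisions[dev["mac"]] = "decommission"
        elif stale:
            # Supported and owned but behind on updates: bring it back under management.
            decisions[dev["mac"]] = "reactivate"
        else:
            decisions[dev["mac"]] = "ok"
    for mac in observed:
        if mac not in known:
            decisions[mac] = "investigate"  # unknown device: identify, then register or remove
    return decisions
```

Running `classify(INVENTORY, OBSERVED, date(2024, 5, 2))` marks the unsupported HVAC controller and the ownerless, silent pipe sensor for decommissioning, the camera for reactivation, and the unregistered MAC for investigation.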
Security starts at the top
As man-made, natural, accidental and malicious attacks intensify, organisations of all sizes will need to secure their physical and digital properties or face destruction. Technical infrastructure must be hardened and protected against new and traditional attacks, or strategic decisions must be made to transfer risk away from the organisation.
The requirement to maintain, improve and harden infrastructure to withstand the threats posed by people, technology and the elements has become an operational necessity. Abandoned, unsupported and forgotten assets will increasingly pose a hidden risk to organisations. While new architectural approaches may seem tempting, failure to maintain oversight of these new network ecosystems will prove disastrous.
In the face of rising global security threats, organisations must make systematic and wide-ranging commitments to ensure that practical plans are in place to adapt to major changes in the near term. Employees at all levels of the organisation will need to be involved, from board members to managers in non-technical roles. Enterprises with the appropriate expertise, leadership, policy and strategy in place will be agile enough to respond to the inevitable security lapses.
Organisations can no longer afford to ignore cyber security and must build both a strategy and a workforce that can not only protect against attacks, but also thrive in today’s digital era. This is not something that will be a quick fix; when it comes to investing in security, the return has historically been hard to quantify and as workforces become more diverse, new and old habits create a multitude of challenges. But with the right approach, achieving a successful strategy is possible – and will give businesses a competitive advantage.
Above all, organisations rely on trust – and in the digital world, innovative technologies can be misused to erode that trust, and digitally naïve employees can be exploited, endangering the relationships between organisations and their key stakeholders. To remain steadfast, organisations will need to improve operational transparency, update business continuity plans and overhaul or evolve technical security controls to consider the range of disruptive technological and human threats. Careful protection of the brand will remain high on the corporate agenda, with information security playing a key role in ensuring that the reputations of organisations are maintained.
Written by Steve Durbin, managing director of the Information Security Forum.