Inspired by this great article on Hacker News, we decided to bust some common security myths specific to the field of connected devices. Even as we see awareness for cybersecurity increase, IoT/IIoT/OT security remains a blind spot in many organizations.
Myth #1: IoT security is too expensive for my organization
Fact: My organization will save money through IoT security
In the past, security investments have often been considered a burdensome growth inhibitor. However, as cyberthreats and regulatory requirements are both on an exponential rise, “information security is increasingly being viewed as (a) strategic business enabler for the enterprise,” according to Dark Reading. Swisscom, the leading Swiss telecom provider, is a great example for how investing into automated IoT security pays off significantly: Swisscom automatically checks new software for its IoT products for potential security risks and compliance violations before the release – and saves USD 400.000 per avoided faulty software rollout! On the other hand, companies that take IoT security lightheartedly might find themselves at the center of a ransomware attack, with ransom demands easily amounting to millions.
Myth #2: We have already checked our IoT devices – everything is OK
Fact: IoT security is not a status, but an ongoing process
With an ever-evolving threat landscape, there is no such thing as definite cyber security. On the contrary, security is an ongoing process, and organizations must constantly be on the lookout for new vulnerabilities. The same is true for IoT security, as cybercriminals are constantly leveraging new vulnerabilities for their attacks. This is where automated security & compliance services come into play. The IoT Inspector Monitor scans your IoT/OT firmware’s digital twins for new vulnerabilities and compliance violations. This service works fully automated and in case of a new vulnerability, you will receive an alert that empowers your SOC (Security Operations Center) or PSIRT (Product Security Incident Response Team) to evaluate the vulnerability and take action almost in real-time.
Myth #3: My suppliers are responsible for the security of my IoT devices
Fact: 92% of IoT devices are vulnerable, and unclear supply chains are a major risk factor
92% of the firmware we have analyzed during the last years contained security vulnerabilities. Big brands are just as affected as lesser-known manufacturers. Almost all vendors rely on third party components (licensed or open source), and they integrate them often without testing or knowing exactly what other components they might contain. Insecure components may cause widespread damage: In 2021, we uncovered critical vulnerabilities in Realtek chips that affected hundreds of thousands of different devices by more than 65 (!) manufacturers. Regardless of whether you are a vendor or user of IoT devices – we strongly advise keeping track of all components via a thorough software bill of materials (SBOM). An automated firmware analysis with IoT Inspector will provide a detailed list of software and data components.
Myth #4: My company is not at risk
Fact: Every organization is a potential target for cybercriminals
Some organizations still wrongly believe they are an unattractive target for cyber criminals. However, “no company or government agency is safe from cyberattacks in this day and age. That’s why it’s crucial to be prepared for emergencies and proactively address the issue of cybersecurity,” says Sebastian Artz of German IT industry association Bitkom. IoT Inspector’s CEO Jan Wendenburg couldn’t agree more: “Without IoT security, no company, organization, or government agency will survive in the future. Whether it’s critical infrastructure such as energy and water utilities, automotive, aviation, medical devices, network printers and even the vacuum cleaner robot at home – without IoT security, all devices and data can be compromised.”
Myth #5: My IoT devices are not at risk because they don’t hold sensitive data
Fact: Any device can be a hacker’s entry point into your corporate network to access sensitive data
According to Kaspersky, 1.51 billion breaches of IoT devices took place in the first half of 2021 alone – an increase of more than 100% from 639 million breaches in 2020. Not every smart device holds sensitive data (although many of them do). However, every single connected device – if exploited successfully by attackers – can be used to pivot into sensitive networks, maintain persistence within the network, and stage additional attacks on systems that do hold sensitive data.
Myth #6: My connected devices cannot be accessed from the Internet
Fact: Vulnerabilities in other areas may expose a device
Limiting access to IoT/IIoT/OT devices and placing them in restricted networks is a common strategy to mitigate potential risks that affect these devices. However, advancements of digitalization and Industry 4.0 require increased connectivity. A network change designed to allow remote maintenance may suddenly expose a vulnerable device. Additionally, vulnerabilities or misconfigurations in perimeter security may leave devices exposed as well. Following the defense in-depth principle, a system should never rely on other systems for security, but should be resilient itself.