The majority of security professionals expect a major and imminent attack on critical infrastructure in the next several years and blame the largely unsecured Internet of Things (IoT) for the increased risk in the sector, according to a report by IoT security firm Pwnie Express.
Eighty-five percent of security professionals surveyed in an annual report called the “Internet of Evil Things” by the firm think it’s likely we’ll see a significant cyber attack on critical infrastructure happening in the next five years. Moreover, 64 percent of those surveyed in the fourth annual report said they are more concerned than ever before about threats from connected devices, a direct result of the IoT and the number of unsecured new devices coming online every day.
“Now with the invention of the Internet of Things, all new things are being connected and turning into computer,” Pwnie Express CEO Todd DeSisto told Security Ledger in an interview. “The attack surface that was handled by physical security is now being open for cyber attack.”
He cited the WannaCry cyber attack that hit, among other things, healthcare institutions in England and Scotland, affecting not just the usual devices like computers but also MRI scanners and even blood-storage refrigerators. “When you get these new things [on the network,] we’re just not used to the ramifications of those because they don’t look like a traditional IT device,” DeSisto said.
[You might also want to read: Pipeline Attacks highlight Third Party Threat to Critical Infrastructure]
Pwnie Express surveyed more than 500 respondents between Jan. 8 and March 5, 2018 for its latest report. Respondents included global information security professionals with positions ranging from IT management, directors and vice presidents of IT and security, executive management, managers, administrators, consultants, developers, engineers, professors and students.
The fact that security professionals see the IoT as a massive threat is not so surprising, DeSisto said. Neither is that fact that while they recognize the increased risk, most say they still are doing little to mitigate it.
Indeed, one out of three of those surveyed in the report said that their companies are unprepared to detect attacks that target IoT devices or infrastructure. This number is slightly less than what was reported last year, DeSisto said, suggesting that securing the IoT is becoming more, not less complex.
Too many stakeholders
With a lack of centralized infrastructure, the IoT is indeed a very difficult thing to lock down. It represents an entirely new paradigm for traditional security and involves numerous stakeholders, none of whom are currently taking full responsibility for IoT security–nor can they, DeSisto said.
“It’s complex,” he said. “An IoT solution stack is very complicated to put together. Getting something connected [in the IoT] already takes a a lot of work. When you talk about securing it, it’s a shared responsibility–kind of an ecosystem…When things get complicated, when one person doesn’t own all it, that leads to inertia.”
Manufacturers of IoT devices aren’t yet taking proper responsibility for security because they are just trying to get products to market and are more worried about production costs, DeSisto explained. Then the unsecured device enters a sector like healthcare, for example, where there is other infrastructure and regulation involved in implementing security around the device and the data it’s transmitting. “It’s not an easy kind of solution,” DeSisto acknowledged.
Findings from the Internet of Evil Things report reflect public feedback from other security researchers that while IoT adoption is growing, the devices themselves and their connectivity to business, government and critical-infrastructure networks pose an increased and as-yet-unchecked cybersecurity risk that remains daunting to solve.
A report published earlier this year from independent research firm the Ponemon Institute and the Shared Assessments Program—the industry-standard body on third-party risk assurance–found that IoT devices pose what they deemed as a “catastrophic” security risk. Those surveyed also said that organizations are ill-equipped to handle such risk.
IoT weakens security of critical infrastructure
DeSisto described a scenario demonstrating why critical infrastructure is at risk from the lack of security surrounding the IoT, and why it’s difficult to find a simple solution to the problem.
“Let’s say you have an oil refinery that previously relied on physical security, one human-to-machine interface. It was pretty locked down,” he said. “You didn’t have to worry about cybersecurity because you could throw your arums around it. But because [adminstrators want] production of the plant to be better, you add a bunch of sensors to the production facility. Then you take all that data to the cloud.”
While the sensors may help the business run more efficiently and produce more oil, they also expose the infrastructure to greater risk by exposing the core network to risk through the IoT, DeSisto said.
“That greater yield on oil production and everyone is wonderful until a nation state comes along and says we can get in because it’s exposed and not locked down on physical security,” he said.
One bright spot in the report is that small-to-medium-sized organizations might be on their way to showing counterparts in the enterprise sector how to begin to secure the IoT. While DeSisto said it “seems counter-intuitive,” the report found that SMOs are being more vigilant than large enterprises–or those with more than 1,000 employees–in keeping track of IoT devices.
According to those surveyed, 47 percent of organizations with more than 1,000 employees know how many devices are connected to their networks as compared to 62 percent of SMOs. Moreover, SMOs were more likely to make monthly checks of their wireless devices for malicious infection, with 64 percent of those companies doing so versus 55 percent of large organizations.
SMOs also have better knowledge of how many connected devices employees are bringing to work (39 percent to 25 percent) and are more likely to make monthly checks of devices employees bring into the office for malicious infections in the last month (33 percent to 20 percent).
“I think we feel maybe the smaller companies feel like [the problem] is more manageable,” DeSisto said. “The complexity of it, if it’s so overwhelming, you’re less likely to start trying to solve it.”
The way forward for IoT security
But solve it organizations of all sizes must. A good place to start in DeSisto and Pwnie Express’s view is to begin to let security administrators and managers make purchasing decisions when connected devices are brought into a company’s network, he said. Currently, security pros are left out of those decisions two-thirds of the time, according to the report.
DeSisto said that federal regulation also could serve to better secure the IoT, with laws mandating that manufacturers must take some steps for security accountability. However, respondents to the survey had mixed feelings on the matter.
“We found it was almost split,” he said. “Thirty-nine percent thought gov should regulate, 36 percent said no, while the leftover 25 percent are not sure who it should be [who is responsible for accounting for IoT security].”
In the end, it will probably be a combination of stakeholders and actions that help better secure the IoT, and likely a long-term problem that many responsible parties must put their heads together to solve, DeSisto said.
“There are some things corporate should do and some things the government and regulatory bodies could be more proactive at as well,” he said. “It’s a joint responsibility. You need multiple people to go do it. It’s complicated, complex and probably needs to be chipped away at in a variety of different ways.