Internet of Things

Excerpts from “Secure Enough? 20 Questions on Cybersecurity for Business Owners and Executives”

Many of the products we purchase today are not just a product. Twenty years ago, if you went into a store and bought a thermostat, you got exactly that: a thermostat. It controlled your heat and/or A/C, and had no ability to do anything else. It wasn’t a concern beyond accurately running your heating or cooling system. Today, a thermostat is not just a thermostat. It’s a computer that happens to be hooked up to temperature sensors and is programmed to control a furnace and air conditioner. Computers can be reprogrammed to do other things. Computers need to be protected from criminals that would try to make them do what the criminal wants rather than what you want. The Internet-connected thermostat, television, security camera, coffee maker, light bulb, juicer, refrigerator, washing machine, and other devices are now all computers. They all have the potential to be attacked, just like your desktop or laptop.

Given the potential damage that these devices can do, the definition of an IoT device is important to understand. Differences of opinion exist on this, so I’m going to focus on the ones that meet the following criteria. For a device to be considered an IoT device, three conditions must be met. An IoT device must:

1. Have a computer as their “brain.” By definition, almost anything with the ability to communicate with other computers is also a computer.
2. Be connected to the Internet. If you hook it up to a networking cable or connect it to a Wi-Fi network, and that network can see external websites like Google.com, then this condition applies.
3. Be capable of receiving data. If a device can only send information and has been set up to be incapable of receiving it, then it cannot be remotely controlled.

So what are some of the ways IoT devices be used against your organization?

1. They can be used as an entry point into your network. Without good network segmentation and good firewall rules, a hacked IoT device can be used as a means for a hacker to probe your network for vulnerabilities.
2. IoT devices may be giving away sensitive data, network passwords, or even your critical intellectual property without you knowing about it. Some of these devices are so poorly designed that they are broadcasting the “keys to your technology kingdom,” such as your Wi-Fi password.

What are my company’s chances of being targeted? According to a new Gartner forecast, 8.4 billion connected things will be in use worldwide this year — an increase of 31 percent from 2016. While consumers will be the largest group of IoT users, representing 63 percent of overall IoT applications in 2017, businesses are expected to employ 3.1 billion connected things this year.

So what steps my company can take to secure our IoT devices?

1. Segregate these devices onto their own section of your network.
2. Avoid IoT devices that collect sensitive data. This list is larger than you may think. Most smart thermostats have motion sensors and know when there are people in your office and there there aren’t. Criminals would like to know that, too.
3. Make sure IoT devices provide a genuine business value before allowing them into your environment. A casino in North America was recently hacked through there IoT-connected fish tank. Do you think they really needed an IoT aquarium?
4. Look for IoT devices that have been made with a cybersecurity framework in mind, such as the IIConsortium (http://www.iiconsortium.org/) or Z-Wave (https://products.z-wavealliance.org/)

© TCE Strategy, 2022