Contributed by Muhammad Yahya Patel, Security Engineer and Office of the CTO, Check Point Software.
Internet-connected devices are all around us, in our homes and businesses. Smart cities already exist and continue to be a key talking point amongst many governments. This infrastructure, technology, and automation brings connectivity and efficiency to many aspects of daily life.
But there’s two sides to a coin, right? The other side of IoT can be quite dark. Think about the darkness that surrounds an attack on critical infrastructure, medical environments, manufacturing, business operations or your home environment.
IoT as a security risk
IoT devices should be a concern for organisations, governments and let’s not forget, individuals. The purpose of these devices is to provide connectivity and accessibility to services. Security is not at the forefront of building these devices and that’s why there is an inherent risk from the get-go in terms of deployment of these devices.
The security of IoT devices in our homes, and organisations calls for careful consideration when you reflect on the risk component.
Here are my top 5 considerations when it comes to IoT
- Unmanaged devices on the network. How do you protect something you can’t see? If you can’t see it, how do you know what it’s doing on the network. Is it normal or abnormal?
- Software bugs. Does the device manufacturer provide software updates? What risks are posed by any vulnerabilities on these devices?
- Network security. Lateral movement from an IoT device? If a device is compromised, how is the network segmented to isolate the device?
- Device policies. Common default passwords or lack of security admin features? What’s your policy to keep these devices protected?
- Physical security. Are these devices accessible physically or through software in close proximity? What measures have been taken to protect the device? Does it hold sensitive data?
These are some of the things that come to my mind when I think about what should we be thinking and talking about in relation to securing IoT devices.
IoT is becoming a top concern for governments worldwide and in 2021 the UK Government announced the Product Security and Telecommunications Infrastructure Bill, which is currently making its way through the UK Parliament.
The bill is welcomed by the security community, as it will give powers to mandate security requirements for smart devices. “Consumer connectable products” is how the government has described the products under this bill. A whole range of devices from connected appliances to automation devices, smartphones and many more are addressed within the bill. The full list of devices and details about the bill can be viewed here.
Consumer IoT products
Consumer IoT products are used in many enterprises. Therefore, the bill will benefit businesses. We know IoT products can be an entry point for an attacker to steal information and perform further attacks on the network.
As we adopt more technology in businesses and our homes at a faster pace than ever before, the challenge remains the same and we need to play our part to make sure we aren’t leaving the door open for attackers to make their way in.