Is cyber security an afterthought in the IoT infrastructure?

The internet of things (IoT) has been constantly expanding to encompass an increasing number of connected objects such as smart refrigerators, virtual assistants built into speakers, and driverless cars. IoT has been impacting businesses in unprecedented ways by increasing the productivity of operations. According to Gartner, the number of connected things will reach 20.4 billion by 2020. Vulnerabilities in IoTAt the same time, the ubiquity of these devices has caused a surge in security threats due to a large attack surface. Attackers have exploited IoT devices with vulnerabilities to steal data and use them as remote bots to carry out distributed attacks. A famous example is the Mirai, a malware that attacked IoT devices running Linux, to form a botnet DDoS attack. Yet another example is the case of implantable medical devices like pacemakers which were found vulnerable to cyber-attacks.  Although operational technology (OT) systems are generally considered safer when compared to IT. The ever-increasing convergence of physical and digital objects under the IoT umbrella is raising security concerns for industries that have been using closed OT systems for a long time. The question is whether security is merely an afterthought in the design process of IoT devices. A 2015 study by HPE revealed that up to 70 percent of IoT devices are vulnerable to attacks due to vulnerability flaws in their software, and used unencrypted software to transmit information. Security as an intrinsic part of the IoT “Cybersecurity in the IT world and OT world are two different things, and in the IT world, security can be an afterthought. For example, you can buy a PC from an open market and later on you can decide to put the security software to protect your device. Therefore, at the manufacturing stage itself, you should take care of the security itself. Once, they are distributed without proper security in place, it can be a problem. People have to think of security as an intrinsic part of the development cycle than post, which has been a classical case,” says Shrikant Shitole, senior director and country head, FireEye India.Many organizations are in the dark about the exact number of unsecured devices which are connected to their networks, cyber-security experts warn. According to them, to solve the cybersecurity crisis in the IoT era, an organization must take an in-depth approach, involving multiple layers of security throughout the enterprise network and having clear visibility and monitoring of all connected devices. “When it comes to IoT, it is very important to have the assessment of the situation. For example, when you are rolling out an app with an IoT device communicating back to your servers. So, you have to look at it holistically because you do not know what loopholes you have left. Once you understand the assessment, then you can start plugging the security holes which includes reloading patches on the operating system, applications or any communication channel which is left open. There is always a risk of a breach; but more important is that you put all mechanisms in place from protection as well as detection perspective,” says Shitole.Cybersecurity approach for IoT According to cybersecurity experts, security by design has to be a priority in IoT devices. Not only is the design of IoT infrastructure critical, but it must also include regular patch updating and continuous monitoring of IoT devices. The experts say that in order to tackle the challenges posed by IoT vulnerabilities, original equipment manufacturers (OEMs) and IT professionals should collaborate on a well-defined security strategy and understand IoT vulnerabilities from the perspective of attackers.“IoT is going to be the next biggest challenge for the companies. While it gives a lot of advantage, it also brings in unmanageability because you have a huge number of devices on it. Generally, we see that security is an afterthought and is not limited to IoT only. So, it is required that there is a good amount of planning within the corporates by clearly articulating how they are going to manage security,” says Sivarama Krishnan, cybersecurity leader at PwC India.