Recently, I’ve been presenting a series of presentations and articles surrounding the theme “Your IoT Devices May be Weaponized,” with the primary focus on cybersecurity awareness, simple steps to implement a basic level of security and how to select the right Internet of Things (IoT) devices. My presentations are based upon the work the SMRP Government Relations’ cybersecurity subcommittee has done since 2015. This even includes live demonstrations of how accessible systems are through vulnerability search engines.
As October is National Cybersecurity Awareness Month, we will cover some of the basics that will help you protect your systems. Why is this important? At this point in time, there are few rules or legislation to protect commercial and industrial entities – owners need to be aware and take steps to protect their own systems.
There are close to 20 billion IoT devices of all types in operation today. A majority of them are vulnerable to attack, or, per Cisco, may already be infected or have malicious software making them part of botnets. Botnets are collections of infected devices that are used in malicious attacks, ranging from denial of service to blunt force assaults on firewalls with the intention to enter into a system and gather information for any number of reasons. While many are financially motivated, there are others that are opportunistic, based on terrorism, or the result of disgruntled employees or contractors, with some being errors by employees or contractors. The result can impact your company, or your systems could be used to attack other individuals, groups or companies.
There are other cybersecurity concerns surrounding connected devices including open ports and devices that have no security installed. Many of these issues can be addressed with a few basic steps when combined with security steps and strategies that your company may have in place. These include:
- Use security software
- Have a strategy for how you will use IoT devices and where you need them. Implementing IoT for the sake of IoT can result in additional cyber-weakness with little benefit to balance the risk
- Be wary of vendors who try to convince you to bypass cybersecurity protocols in your business for the purpose of demonstration
- When contacting an IoT provider, know if there is security installed, whether updates will occur and when, what happens when the provider stops supporting the system and what are the provider’s rules for informing you when there is a breach
- Awareness and protection surrounding phishing emails and malicious websites
- Ensure open ports are closed
- Use back-ups and remember resilience is the key. It’s not if, but when your systems may be exploited
- Change default logins and passwords with the devices and remove the defaults
The last item – changing default logins – is one that many are guilty of, with the ease of plug-and-play devices it becomes even more important to realize that this needs to happen. There are existing search engines that are used to search for open systems that can be exploited and will provide links to manuals, IP addresses and default logins and passwords.
For more information on SMRP’s cybersecurity committee’s work, including more steps to protect yourself, go to https://www.smrp.org/Government-Relations/Issues/Cybersecurity-and-Critical-Infrastructure