Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
2/10/2020
11:40 AM
Connect Directly
Twitter
RSS
E-Mail

6 Factors That Raise the Stakes for IoT Security

Developments that exacerbate the risk and complicate making Internet of Things devices more secure.
2 of 7

The Drum Beat of Digital Transformation

The ubiquity of connectivity from IoT is a major pillar of digital transformation, for which enterprises are pouring billions of dollars in 2020 and beyond. In fact, IDC analysts are predicting $7.4 billion in spending over the next three years. Embedding IoT into industrial applications, into the supply chain via things like transport and product tracking, and into facilities through smart buildings, are at the spear tip of most early digital transformation investments.  

This is going to create tons of new business opportunities, but at the same time embedding IoT into the most critical of physical infrastructure for business raises the stakes considerably for IoT security. This is not a new tech that can be turned on or off at will. It's part of the fabric of factories, facilities, and supply chains that businesses can't live without. What's more, it's tied to machinery that can cause serious injury or death in the event of malfunction or sabotage. 

Image Source: Adobe (Pugun & Photo Studio)

The Drum Beat of Digital Transformation

The ubiquity of connectivity from IoT is a major pillar of digital transformation, for which enterprises are pouring billions of dollars in 2020 and beyond. In fact, IDC analysts are predicting $7.4 billion in spending over the next three years. Embedding IoT into industrial applications, into the supply chain via things like transport and product tracking, and into facilities through smart buildings, are at the spear tip of most early digital transformation investments.

This is going to create tons of new business opportunities, but at the same time embedding IoT into the most critical of physical infrastructure for business raises the stakes considerably for IoT security. This is not a new tech that can be turned on or off at will. It's part of the fabric of factories, facilities, and supply chains that businesses can't live without. What's more, it's tied to machinery that can cause serious injury or death in the event of malfunction or sabotage.

Image Source: Adobe (Pugun & Photo Studio)

2 of 7
Comment  | 
Print  | 
Comments
Newest First  |  Oldest First  |  Threaded View
DavidS950U01
50%
50%
DavidS950U01,
User Rank: Apprentice
3/2/2020 | 1:08:42 AM
Question about IoT and smart communities; government duty to regulate and protect.
The article names deployments that could be attcked, such as factories, hospitals or body-connected IoT devices, and facilities. I am curious about the negative potentials presented in the smart communities scenarios. What are the dangers? Paralysis of IoT-dependent traffic control and surveillance, for example? And if not paralysis, what about misdirection (a la Stuxnet)?

Next: it's nice that government regulations will role out in 2020--but where? In this country? With the vaunted repeal of 1200 (and counting) "job-killing" regulations that were originally created to protect public health and safety, exactly which competent agency employees remain to do the regulating? (Think State Department, EPA, CDC, etc.) I think it prudent to write to our elected representatives and make the case for, let's say, following the European example.
lancop
100%
0%
lancop,
User Rank: Moderator
3/1/2020 | 12:38:10 PM
IoT Security will join Windows 7 as the latest additions to growing security vulnerabilities
You have brought up some excellent points in your article, and as I was just contemplating an Arduino-based IoT project my thoughts immediately turned directly to security concerns. An IoT device sitting right in the middle of several renewable energy generators and their live loads has the potential of becoming a very dangerous single point of failure should it get hacked by malicious threat actors. So, obviously my IoT technological considerations also have to include proactive security measures to shield the final product from 3rd party tampering.

The proliferation of IoT devices in all environments, both consumer & commercial, means that network administrators now have a whole new class of poorly managed, network-connected devices that also communicate to service provider servers that are in an unknown state of security preparedness. Service providers that will be creating & abandoning products on whatever timescales are necessary for them to remain profitable. Not a defensible battlefield where a CSO & Security Team have much of a chance against multiple, globalized attackers with the tactical advantage of needing only to suss out a single vulnerable device to gain a foothold inside the network.

Meanwhile, Microsoft recently abandoned millions & millions of Windows 7 devices that will no longer receive security patches despite the fact that they are still deployed & fully operational. Some are in ATM machines, some are in industrial control systems, many are in retail POS stems, small businesses and residences. Many simply cannot be in-place upgraded, and many are too important to be retired or replaced. And, for others, they simply cannot afford to buy all new computers & software and, perhaps, update legacy software and re-train their technical support staff. So, yet another massive security vulnerability that is brewing right under our noses but going largely unaddressed.

My takeaway from all of this is: information technology will forever be essentially insecure if connected to the internet. Billions of devices will be just a hack away from opening the city gates and letting the invading hordes pour in to wreak havoc & seize the treasure stored within. It is essentially an indefensible position on a low hill in a hotly contested forever war with ever more adversaries armed with ever better weaponry. And, always, the enterprise is just a click away from a major security breach...
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-1927
PUBLISHED: 2020-04-02
In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL.
CVE-2020-8144
PUBLISHED: 2020-04-01
The UniFi Video Server v3.9.3 and prior (for Windows 7/8/10 x64) web interface Firmware Update functionality, under certain circumstances, does not validate firmware download destinations to ensure they are within the intended destination directory tree. It accepts a request with a URL to firmware u...
CVE-2020-8145
PUBLISHED: 2020-04-01
The UniFi Video Server (Windows) web interface configuration restore functionality at the “backup� and “wizard� endpoints does not implement sufficient privilege checks. Low privileged users, belonging to the PUBLIC_GROUP ...
CVE-2020-8146
PUBLISHED: 2020-04-01
In UniFi Video v3.10.1 (for Windows 7/8/10 x64) there is a Local Privileges Escalation to SYSTEM from arbitrary file deletion and DLL hijack vulnerabilities. The issue was fixed by adjusting the .tsExport folder when the controller is running on Windows and adjusting the SafeDllSearchMode in the win...
CVE-2020-6009
PUBLISHED: 2020-04-01
LearnDash Wordpress plugin version below 3.1.6 is vulnerable to Unauthenticated SQL Injection.