Every month there seems to be a new device that is changing the way we travel, communicate, do business, and live our personal lives. The transformation promises efficiency, ease of use and better results. These devices are Internet of Things (IoT) devices: physical devices with sensors that collect, analyze, and transmit data in real time without human intervention.
IoT devices are more common than you think; they are installed in thermostats, home appliances, smoke alarms, cars, and Apple Watches.
Even lightbulbs can be hacked. In 2016, several unpatched vulnerabilities were found in Osram Lightify lightbulbs. Most worrying were the Wi-Fi passwords stored in the Osram app, which would give cybercriminals the ability to access home networks and any devices connected to the Wi-Fi.
With instant data collection, businesses can deliver better value to their customers and focus on services that meet their consumers’ needs. IoT devices have optimized processes in the healthcare industry, in the transport sector and in the development of smart cities. One critical infrastructure sector that has begun to rely heavily on IoT and Industrial IoT (IIoT) devices is the commercial facilities sector.
According to the McKinsey Global Institute, 127 new devices connect to the internet every second. The commercial facilities sector needs to improve its risk assessment to deal with the number of IoT device-related threats.
The Commercial Facilities Sector is made up of eight subsectors, with the main industries within the sector being retail, entertainment and media, lodging and public gatherings. This sector relies on IoT devices to run its facilities by optimizing industrial control systems and interactions with customers. With so many devices to manage and secure, the security risks and potential cyberattacks could impact the physical and digital environments of commercial facilities.
The commercial facilities sector is largely a private industry with little interaction with the federal government. Currently, Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) is working with the Commercial Facilities Sector Coordinating Council (SCC) and Government Coordinating Council (GCC) to assess sector-wide cybersecurity risks and coordinate enhanced security measures and resources.
Cyber criminals do not hack IoT devices to compromise a single device, but rather use a device’s access to the network to reach other connected tools and devices. In commercial establishments, this could mean compromising a consumer’s IoT device to tamper with a control system on the same network or to exfiltrate sensitive data.
IoT devices are a lucrative target
By 2025, IoT devices could have an economic impact of $3.9 trillion to $11.1 trillion. This will affect industries across the board, including retail, public venues, manufacturers, and personal technology. Cyber threats will evolve at the pace of the industry, which is why commercial institutions need to protect their IoT systems.
Any device can pose a potential security risk, and a compromised device can create a domino effect of consequences. A compromised IoT device puts consumer and business information at risk. Facility management controls can be manipulated by unauthorized parties, endangering consumers and employees.
Since the device forwards data via Bluetooth or Wi-Fi, a cybercriminal who compromises it can gain access to an entire network of devices and information. This exposure, with its extensive connectivity, growing number of endpoints, and unmanaged attack surface, only exacerbates existing security risks in the supply chain.
In 2017, the ransomware “WannaCry” was used to attack thousands of computers and IoT devices around the world. Computer systems in over 100 countries were compromised, the attack caused over $4 billion in losses, and most of the victims affected said their files were never returned after the ransom was paid.
According to the United States General Accounting Office (GAO), common threats to IoT devices are denial of service, malware and Structured Query Language injection (SQLi). As newer IoT devices hit the market with greater interconnectivity, speed and access to 5G networks, better security solutions need to be developed to protect end-device users as the market evolves.
Device vulnerabilities and security risks
Most IoT devices are mass-produced tools whose security features and weaknesses are well known, making it easier for threat actors to break into and tamper with the devices. Similar to the health sector, facilities will use IoT devices with different security weaknesses and strengths. This makes it difficult for security teams to implement a coherent security strategy that can be applied across the board.
Despite the efficiency that IoT devices provide, these tools are the weakest link in the supply chain. The millions of devices created with no security measures built into the hardware and software are an increasing headache for overwhelmed security teams. IoT devices receive fewer software updates and cannot run antivirus software. An IoT device remains more or less the same throughout its entire life cycle.
Faulty algorithms and defective equipment endanger the functionality of these commercial facilities. When a cybercriminal manipulates an IoT device so that it overheats or explodes, it poses a great physical risk to the staff, equipment and consumers of the facility. Hacked IoT devices can cause both cyber and physical damage.
Security teams need to upgrade their risk management programs to support IoT devices. Retrofitting a security program onto each device is not a practicable solution in the long term, for two reasons. The first is that IoT devices become obsolete at the current rate of rapid innovation, and teams would have to keep upgrading as newer devices become available. This would be a waste of resources and time for the facility’s security teams.
The second reason is that existing risk management platforms, such as governance, risk and compliance (GRC) platforms, cannot adapt to IoT deployments.
Legacy GRC tools encourage a siloed approach to risk management that cannot accommodate the interconnection of IoT devices. GRC solutions lack the flexibility to grow with technological advances in companies. With so many endpoints to be assessed, along with malware, phishing attacks, and other security threats, the Integrated Risk Management (IRM) approach provides security teams with continuous insight into their security program.
Strengthen your security strategy
To improve the cybersecurity of IoT devices and the facilities that use them, manufacturers, regulators and IoT users can take steps to strengthen the overall cybersecurity position and ensure business continuity.
Manufacturers should consider the standards and compliance requirements for IoT security created by the National Institute of Standards and Technology (NIST). While the guidance is intended for federal IoT ecosystems, it can be a building block for manufacturers to consider. Together with the NIST Cybersecurity Framework (CSF), the Internet of Things Cybersecurity Improvement Act of 2020 creates security standards, vulnerability assessments and IoT guidelines for government networks and government contractors.
While most of the legislation focuses on federal systems, increased regulation is a step in the right direction and provides incentives for manufacturers to innovate in a security-oriented manner. Creating secure IoT devices is the first necessary step toward a secure IoT environment.
The dependency on IoT devices will not suddenly stop, especially in commercial systems. In the NIST CSF implementation guide for commercial establishments, the IoT environment should be treated as an integral part rather than an add-on. Commercial entities should have access to a single, comprehensive guide that includes IoT security standards to ensure regulatory compliance and avoid security loopholes.
As mentioned earlier, security teams need to consider an IRM solution. An integrated approach promotes cyber risk awareness at all levels and in all units, and makes risk management and compliance part of the business objectives. Because IoT devices connect all units of a business, including operational technology (OT) and information technology (IT), an IRM platform can monitor and secure the business across the board.
The siloed approach promoted by GRC programs is simply too simplistic and rigid for the complex intertwining of business, innovation and security risk.
With an IRM security strategy, commercial establishments can take a more proactive approach to cybersecurity. Continuous internal audits and vulnerability assessments are necessary to ensure that all endpoints across the supply chain are secure and up to date. A holistic IRM approach will relieve security teams by integrating cyber risk awareness into customer-facing units, the C-suite and industrial controls.
There are a number of smaller steps that end users and businesses can adopt. The first is to change the default username and password associated with the device. Multi-factor authentication should be mandatory for all devices, and the devices should only be used on secured networks. Companies also need to remove outdated or unsupported software and disable the accounts of former employees, as these are often overlooked and can become points of attack for cyber criminals.
To move forward safely in the commercial facilities sector, businesses, consumers and manufacturers need to be aware of the risks associated with IoT devices. As commercial institutions continue to roll out IoT tools in their businesses, the supply chain needs to become more secure. Each party has a responsibility to implement better security practices to strengthen the overall cybersecurity position of the sector. With NIST frameworks in place, healthy cyber practices, and an IRM approach, the commercial facility industry has a greater chance of withstanding IoT device-related threats.
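The steps above (no default credentials, mandatory multi-factor authentication, placement on a secured network, no unsupported software, no lingering accounts for former employees) are the kind of checks a facility's security team can run continuously against its device inventory rather than only during a one-off audit. The following Python script is an added example, not code from the original article or from CyberStrong; the inventory records, the account directory, the field names and the list of trusted network segments are all constructed assumptions. It audits each device against those steps and summarizes the findings by category, which is the form of continuous insight the article asks an IRM program to provide.

```python
"""Audit an IoT device inventory against basic hardening steps.

Added example; the record layout and sample data below are constructed
assumptions, not a real product's API or a real facility's inventory.
"""
from datetime import date

# Constructed sample inventory: one record per device, as a fleet
# management or asset system might export it.
DEVICES = [
    {"id": "hvac-ctrl-01", "default_creds_changed": True, "mfa_enabled": True,
     "network": "ot-segment", "firmware_supported_until": "2027-01-01",
     "accounts": ["alice", "svc-bms"]},
    {"id": "lobby-cam-07", "default_creds_changed": False, "mfa_enabled": False,
     "network": "guest-wifi", "firmware_supported_until": "2022-06-30",
     "accounts": ["bob", "carol"]},
    {"id": "smart-lock-12", "default_creds_changed": True, "mfa_enabled": True,
     "network": "iot-vlan", "firmware_supported_until": "2023-12-31",
     "accounts": ["alice", "dave"]},
]

# Constructed HR/identity directory: account name -> employment status.
# "dave" is deliberately missing to show an account nobody owns.
DIRECTORY = {"alice": "active", "bob": "terminated",
             "carol": "active", "svc-bms": "active"}

# Network segments considered adequately secured for IoT devices (assumption).
TRUSTED_NETWORKS = {"ot-segment", "iot-vlan"}


def audit_device(device, directory, as_of, trusted_networks=TRUSTED_NETWORKS):
    """Return a list of finding codes for one device (empty list = compliant).

    as_of is an ISO date string; firmware whose vendor support ended before
    that date is reported as unsupported.
    """
    findings = []
    if not device["default_creds_changed"]:
        findings.append("default-credentials")
    if not device["mfa_enabled"]:
        findings.append("mfa-disabled")
    if device["network"] not in trusted_networks:
        findings.append(f"untrusted-network:{device['network']}")
    support_end = date.fromisoformat(device["firmware_supported_until"])
    if support_end < date.fromisoformat(as_of):
        findings.append("unsupported-firmware")
    # Accounts for former employees and accounts unknown to the directory
    # are both reported; neither should remain enabled on a device.
    for account in device["accounts"]:
        if directory.get(account) != "active":
            findings.append(f"stale-account:{account}")
    return findings


def audit_inventory(devices, directory, as_of):
    """Map each device id to its findings."""
    return {d["id"]: audit_device(d, directory, as_of) for d in devices}


def summarize(report):
    """Count findings by category (the part before ':') for a dashboard view."""
    counts = {}
    for findings in report.values():
        for finding in findings:
            category = finding.split(":", 1)[0]
            counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    report = audit_inventory(DEVICES, DIRECTORY, "2024-01-15")
    for device_id, findings in report.items():
        print(device_id, "OK" if not findings else ", ".join(findings))
    print(summarize(report))
```

Running the script lists the compliant HVAC controller as OK, reports the lobby camera on every check, and shows that even a well-configured smart lock still fails on end-of-life firmware and an orphaned account. Feeding a real asset export and identity directory into `audit_inventory` on a schedule turns the article's checklist into a recurring control rather than a one-time cleanup.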
To learn more about how cybersecurity frameworks can lead to a competitive advantage, watch our webinar Three reasons you need a cybersecurity framework. To see how CyberStrong can be an effective IRM tool for your business, contact us.