“The Decade of IoT” is upon us—and with that, a potential explosion of security breaches. Chris Francosky, CIO at KORE, an Atlanta-based provider of Internet of Things solutions and worldwide IoT Connectivity-as-a-Service, is focused on what this new vulnerability means for information technology leaders and their organizations.
Francosky spoke with StrategicCIO360 about the risks of IoT, how to prepare for them and why speed is sometimes the enemy of safe.
How has the rise in IoT adoption increased the risk of security breaches?
The Internet of Things is rapidly bringing millions of new devices online—by 2025, there are estimated to be 75 billion connected IoT devices. This is an exciting time for IoT, which has been building momentum over the last 20 years. We’ve worked through a fragmented ecosystem and connectivity challenges to arrive at this very exciting hallmark in time, one that KORE has coined “The Decade of IoT.”
5G is here and many operators have already started deploying 5G standalone core networks offering exciting new capabilities. We have low power wide area networks designed to take the place of the sunsetting 2G and 3G networks for use in lower complexity devices requiring long battery life. And we also have eSIM, which is a revolutionary means of providing connectivity to devices globally, with no traditional limitations of roaming and downloadable profiles that can be switched remotely and in bulk.
We’re going to see tremendous strides in IoT, from “massive IoT” which will power smart cities, precision farming, smart metering and more, to “critical IoT,” which will bring automation, robotics, machine learning and artificial intelligence into manufacturing and healthcare industries.
But caution is going to be the name of the game in this Decade of IoT because IoT does come with inherent risk, and it’s simple—the more devices connected to the internet, the greater the risk. Each device is an entry point an attacker can use as a foothold to enterprise networks or use to exfiltrate sensitive data. Additionally, as IoT devices gain more capabilities, the attack surfaces will increase, giving bad actors more ways to compromise these systems.
What are the biggest concerns with security if not addressed in IoT deployment?
Some of the biggest concerns related to cybersecurity attacks include disruption to business operations, exfiltration of personally identifiable information and/or sensitive information and the financial impact of ransomware. Large-scale cybersecurity attacks have very serious short-term and long-term consequences. We’ve witnessed over the last decade, in particular, what happens when an organization has a data breach. It can cause reputational and financial damage to enterprises and in younger organizations, it could even cause collapse.
Let’s say that a healthcare organization has deployed remote patient monitoring solutions and a device is compromised, which leads to an attacker gaining access to thousands of patient data records, including social security numbers. The financial consequences to the organization and the legal ramifications would be crippling, as well as the potential long-term damage to the identities of those affected.
Or another example would be point-of-sale systems being compromised. We’ve seen this countless times, where a network or device is not secured properly, and a large amount of personal data is exposed. Sometimes that’s just an address, other times, it’s credit card information. Advanced tools and expertise allow attackers to work fast, and once inside, they can navigate a network or system quickly to identify sensitive data, oftentimes remaining undetected until the damage is done. Recovery is a much slower, more painful process.
Scaling even further down, just looking at a single IoT deployment where SIM cards are stolen and leveraged for personal use. Data overages are suddenly astronomical for the subscription and the organization is stuck footing the bill for the unauthorized usage.
Why is IoT more prone to attacks?
There are several reasons why IoT is more prone to attacks. The variety of technology components and a lack of standardization are two large drivers. There is a lot of fragmentation within IoT that begins with the device manufacturer to the network infrastructure delivered through mobile network operators and to the cloud. This creates a larger attack surface when compared to traditional web and mobile application architectures.
There isn’t one governing body mandating a unified approach to security for all these disparate components. IoT devices typically have lower-end processing power compared to modern PCs or mobile phones, so they are oftentimes not built with advanced security measures in place (e.g., firewalls, IPS, basic malware detection).
The IoT stack can become very large and complex quickly, as well. As an organization scales its IoT ecosystem by adding new and different sensors, SIM applets, software and networks, the complexity of managing, monitoring and updating security greatly increases.
Unfortunately, security is often treated as an afterthought, or something briefly touched upon by organizations during the design and build phases of an IoT application because there is so much pressure to bring the IoT solution to market as quickly as possible. While comprehensive security measures might delay the release, it’s worth it to do it in the initial phases or else it becomes too difficult and much more expensive to do it later.
What are the weakest points of entry for cybersecurity attacks?
It generally depends on the use case. The most vulnerable point of entry is going to be the one with the most exposure to attackers. For example, if a solution requires that an IoT device uses a public/static IP address, then the network—i.e., internet—is most likely the weakest point of entry. But if a device is physically located in an open access area, like in a utility monitoring solution, then there may be a greater risk of that device being directly tampered with or of theft of the SIM card. Depending on the operator network’s routing rules and ACLs, a SIM card could be used to gain direct access to an enterprise or solution provider’s network.
If your organization conducts a threat model for the IoT solution, you should be able to identify the weakest points of entry. It is important to also include all the external systems used to support the application in the threat model. This would include cloud service provider management portals, device management portals and connectivity management portals. Ideally these systems are behind strong firewalls and enforce two-factor authentication because, if they become compromised, an attacker could gain full control over your entire deployment of IoT devices.
How can CIOs at companies deploying IoT best protect their systems against such attacks?
At KORE, we recommend the “security by design” methodology when building these applications. As these solutions are being designed, the entire ecosystem needs to be thought through from chip to cloud. The process starts with threat modeling, which requires the design and development teams to decompose the application, identify threats in each layer/area and determine the most effective way to mitigate each threat. While this process will increase the cost and time of the IoT project, it’s much less expensive to put in safeguards early rather than fixing security issues after production launch.
All endpoints, gateways, and any data touch points need to be documented, as well as the risks of unauthorized access for each component. Once a threat model has been created alongside the solution design, then a mitigation plan can be created for each element.
Active monitoring of connectivity and device behavior is critical once the solution is deployed. If you have hundreds or thousands of endpoints deployed, managing them holistically is impossible without an intelligent anomaly detection platform that can detect events down to the device level. For instance, if a SIM card is removed by an unauthorized person, your security team should be alerted so the risk is mitigated by deactivating service on the SIM.
One exciting opportunity that’s being introduced to the market is the GSMA IoT SAFE initiative. IoT SAFE stands for IoT SIM Applet for secure end-to-end communication and it’s a new way of establishing chip-to-cloud security. The ability to have a more standardized approach to device-level security will be a game changer for IoT.
Standardization around security is something that is still currently developing and oftentimes, the onus of chip-to-cloud security is put on the organization deploying the solution. As previously discussed, there are many opportunities where security vulnerabilities can crop up, due to fragmentation, third-party integration and pressure to launch solutions on time and within budget.
If device manufacturers leverage an IoT SAFE SIM in the device, whether it’s eSIM or a standard SIM card, then chip-level security is offered right off the production floor, which provides numerous efficiency benefits to enterprises and solution providers, while also ensuring the device communicates securely with back-end compute resources in the cloud.