In the coming years, internet of things (IoT) infrastructure will become unmanageable and impossible to secure effectively, with attackers discovering a growing number of abandoned, network-connected devices and subsequently compromising them. Organizations will find themselves unable to patch, update and operate a range of IoT devices that will be phased out of production by manufacturers who have gone out of business or have discontinued support.
These devices will be forgotten by organizations and abandoned by their manufacturers. They will be left vulnerable and remain embedded in places such as underground pipes, air conditioning ducts and factory assembly lines, yet will continue to connect to networks. Frequent overhauling of IoT estates will result in a combination of new IoT ecosystems coexisting with old and forgotten ones. Not only will these abandoned devices create an ingress point for attackers within a corporate network, they may also pose real hazards to related machinery and critical infrastructure.
The internet of forgotten things (IoFT) will leave a dangerous legacy of connected devices that are unpatched, unprotected and vulnerable to a range of attacks, which will come back to bite organizations. Nation states, organized criminal groups and hackers will take advantage of these devices. They will exploit homogeneous vulnerabilities and use forgotten IoT devices as an entry point into many organizations, causing financial and operational damage.
What is the justification for this threat?
Organizations’ desire for data and analytics, fueled by high speed connectivity, will drive the IoT to grow at a frightening speed. With the growing development of 5G networks, Statista estimates that there will be 75 billion IoT devices installed worldwide by 2025, as devices spread further into offices, homes and factories. A study conducted by the same organization in 2018 found that 90% of senior executives in technology, media, and telecommunications industries said that IoT devices are critical to some or all lines of their business. Ericsson also estimates that over 22 billion IoT devices will require a critical end-to-end security framework over the coming years, but currently devices lack the required security.
With incredibly short production times, heightened consumer demand for new products and high turnover rates of IoT devices, the ability of manufacturers to continue supporting a range of IoT devices will reduce. A report by CSS Cyber Defence stated that there is an alarming number of unsecured or obsolete consumer and industrial IoT devices no longer supported by their manufacturers, however, are still being used. This number is expected to grow as device manufacturers phase out support for devices or go out of business. When IoT manufacturers or retailers go out of business, valuable data will be lost – including confidential or personal information.
Gartner estimates that a quarter of cyber-attacks will involve IoT devices in 2020 and beyond. With vulnerabilities being shared among devices and a lack of devices being updated and patched, it is plausible that an epidemic similar to the Mirai virus – where attackers turned exploitable IoT devices into botnets – may soon impact devices that are currently embedded within organizations but have lost manufacturer support. As IoT estates grow and organizations become more dependent upon their efficacy to operate, the number of opportunities attackers will have to exploit organizations will amplify.
Many Western governments and regulators, such as those in the U.S., Germany and the U.K. are beginning to introduce security guidelines for IoT manufacturers. However, the lack of uniformity between these international guidelines will continue to be a problem for organizations. In addition, chip manufacturers across South East Asia and China, with vastly different or non-existent IoT regulations, continue to be critical component manufacturers for IoT devices made and used across the US and Europe.
The widespread proliferation of the IoT across a growing number of industry and consumer markets means that, if inappropriately managed, it will fast become a major security concern and risk to organizations. IoT hardware researchers are currently struggling to protect IoT devices, as they are built into a range of proprietary operating systems with differing communication protocols. This makes it incredibly difficult to develop monitoring and defensive countermeasures that run across an entire estate of devices. A report from Gemalto showed that 48% of surveyed organizations are unable to detect breaches of IoT devices. The IoFT will exacerbate this already alarming risk.
With the number of IoT devices growing both in the workplace and homes, combined with an unmanageable supply chain, the threat of forgotten, unpatched and unsupported devices coming back to bite organizations cannot be ignored.
How should your organization prepare?
Extreme weather events, coupled with environmental activism, should prompt a fundamental re-examination of and re-investment in organizational resilience. It is critical that organizations risk assess their physical infrastructure and decide whether to relocate, harden it or transfer risk to cloud service providers.
In the short term, organizations should conduct a discovery exercise to create an IoT asset inventory and run an active decommissioning or reactivation program for discovered IoT devices.
In the long term, create micro-segmentation architecture for IoT devices. Additionally, incorporate IoT into the IT sourcing strategy, ensuring that rigorous procurement procedures are included. Finally, insure that IoT devices do not create operational dependencies.
About the author
Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security, digitalization and the emerging security threat landscape across both the corporate and personal environments.
Shiv has over 8 years experience working on Internet of Things and an avid user of Drones