Every month there seems to be a new device that changes the way we travel, communicate, conduct business, and live our personal lives. The transformation promises efficiency and ease for the user. It promises better outcomes. These are IoT (Internet of Things) devices: physical devices with sensors that collect, analyze, and transmit data in real time without human intervention.
IoT devices are more prevalent than you realize; they’re installed in thermostats, home appliances, smoke alarms, cars, and Apple Watches.
Even light bulbs can be hacked. In 2016, multiple unpatched vulnerabilities were found in Osram Lightify light bulbs. The most concerning was that the Osram app stored Wi-Fi passwords, which would give cybercriminals access to home networks and to every device connected to that Wi-Fi.
With immediate data collection, companies can deliver better value for their customers and home in on services that meet their consumers' needs. IoT devices have streamlined processes in the healthcare industry, the transportation sector, and the development of smart cities. One critical infrastructure sector that has begun to rely heavily on IoT and industrial IoT (IIoT) devices is the commercial facilities sector.
According to the McKinsey Global Institute, 127 new devices connect to the internet every second. The commercial facilities sector needs to advance its view of risk to contend with the number of threats associated with IoT devices.
The commercial facilities sector consists of eight subsectors. The major industries within the sector are retail, entertainment and media, lodging, and public assembly. This sector relies on IoT devices to run its facilities by streamlining industrial control systems and interactions with customers. With so many devices to manage and secure, the security risks and potential cyberattacks could impact the physical and digital environment of commercial facilities.
The commercial facilities sector is largely a privately owned industry with little federal government interaction. Currently, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) works with the Commercial Facilities Sector Coordinating Council (SCC) and Government Coordinating Council (GCC) to assess sector-wide cybersecurity risk and coordinate improved security measures and resources.
Cybercriminals rarely hack an IoT device for the sake of that single device; rather, they leverage the network access the device has to reach other connected tools and devices. In terms of commercial facilities, this could mean hacking a consumer's IoT device to manipulate a control system on the same network or to steal sensitive data.
According to a McKinsey report, by 2025, IoT devices could have an economic impact of $3.9 trillion to $11.1 trillion. This will affect industries across the board, including retail, public venues, manufacturers, and personal technology. Cyber threats will continue to innovate at the pace of the industry, which is why commercial facilities need to get on board with safeguarding their IoT systems.
Each device is a potential security risk, and a compromised device can lead to a domino effect of consequences. A compromised IoT device puts consumer and corporate information at risk. Facility management controls can be manipulated by unauthorized parties, putting consumers and employees at physical risk.
Since these devices relay data over Bluetooth or Wi-Fi, a cybercriminal who compromises one can gain access to a whole network of devices and information. This vulnerability only worsens existing supply-chain security risks through expanded connectivity, increased endpoints, and an uncontrolled attack surface.
In 2017, ransomware called “WannaCry” was used to attack thousands of computers and IoT devices globally. Computer systems in over 100 countries were compromised, and the attack caused over $4 billion in losses. Most of the victims affected say they never had their files returned after the ransom was paid.
According to the United States General Accounting Office (GAO), the common threats to IoT devices are denial of service, malware, and structured query language injection (SQLi). As newer IoT devices enter the market with greater interconnectivity, speed, and access to 5G networks, better security solutions are needed to protect endpoint users as the market develops.
Most IoT devices are mass-produced tools. Their security features and weaknesses are widely known, which makes it easier for threat actors to infiltrate and manipulate the devices. As in the healthcare sector, facilities will use IoT devices with differing security weaknesses and strengths. This makes it difficult for security teams to implement a coherent security strategy that can be applied across the board.
Despite the efficiency IoT devices provide, these tools are the weakest link in the supply chain. Created without security measures built into the hardware and software, the millions of devices are a growing headache for overwhelmed security teams. IoT devices receive fewer software updates and typically cannot run anti-virus software. An IoT device, more or less, remains the same throughout its life cycle.
Faulty algorithms and faulty devices put the functioning of these commercial facilities at risk. If a cybercriminal were to rig an IoT device to overheat or explode, it would pose a great physical risk to facility workers, equipment, and consumers. Hacked IoT devices can wreak both cyber and physical damage.
Security teams have to retrofit their risk management programs to accommodate IoT devices. Retrofitting a security program to each device is not a viable long-term solution for two reasons. The first is that IoT devices quickly grow obsolete at the current rate of innovation, so teams would have to retrofit repeatedly as newer devices become available. This would be a waste of resources and time for facility security teams.
The second reason is that existing risk management platforms like governance, risk, and compliance (GRC) platforms cannot adapt to IoT implementation.
Legacy GRC tools promote a siloed approach to risk management that cannot accommodate the interconnectedness of IoT devices. GRC solutions do not have the flexibility to grow as organizations shift with technological advancements. With so many endpoints to assess along with malware, phishing attacks, and other security threats, the integrated risk management (IRM) approach gives security teams the ability to glean insights continuously from their security program.
To improve the cybersecurity of IoT devices and the facilities that use them, there are steps manufacturers, regulatory bodies, and IoT users can take to strengthen the overall cybersecurity posture and ensure business continuity.
Manufacturers should consider the standards and compliance requirements for IoT security created by the National Institute of Standards and Technology (NIST). Although the guide is meant for federal IoT ecosystems, this can be a building block for manufacturers to consider. Along with the NIST Cybersecurity Framework (CSF), the Internet of Things Cybersecurity Improvement Act of 2020 created security standards, vulnerability assessments, and IoT guidelines for government networks and federal contractors.
While most of the legislation is focused on federal systems, enhanced regulation is a step in the right direction and incentivizes manufacturers to innovate with security in mind. Creating secure IoT devices is the necessary first step for enabling a secure IoT environment.
The dependency on IoT devices will not suddenly stop, especially in the commercial facilities sector. The NIST CSF implementation guide for commercial facilities needs to consider the IoT environment as an integral part rather than an add-on. Commercial facilities should have access to a single, comprehensive guide that includes IoT security standards to maintain regulatory compliance and avoid security gaps.
As mentioned earlier, security teams need to consider an IRM solution. An integrated approach fosters cyber risk awareness at all levels and in all units. Risk management and compliance are incorporated into business objectives. Since IoT devices connect all of an enterprise's units, including its operational technology (OT) and information technology (IT), an IRM platform has the capability to monitor and secure the enterprise across the board.
The decentralized approach promoted by GRC programs is just too simplistic and rigid for the complex entanglement of business, innovation, and security risk.
With an IRM security strategy in place, commercial facilities will take a more proactive cybersecurity approach. Continual internal audits and vulnerability assessments are necessary to ensure that all endpoints, throughout the supply chain, are secure and up to date. A holistic IRM approach takes pressure off security teams by building cyber risk awareness into customer-facing units, the C-suite, and industrial controls.
There are a number of smaller steps that endpoint users and enterprises can take. The first is changing the default username and password associated with the device. Multi-factor authentication (MFA) should be mandated for all devices, and devices should be used only on secure networks. Companies also need to remove all defunct software programs and deactivate the accounts of former employees, since these are often overlooked and can serve as entry points for cybercriminals.
To securely move forward in the commercial facilities sector, companies, consumers, and manufacturers need to be aware of the risks associated with IoT devices. As commercial facilities continue to adopt IoT tools into their enterprises, the supply chain needs to be more secure. Each party has a responsibility to implement better security practices to strengthen the overall cybersecurity posture of the sector. With existing NIST frameworks, healthy cyber practices, and an IRM approach, the commercial facilities industry has a greater chance of withstanding threats associated with IoT devices.
To learn more about how cybersecurity frameworks can lead to a competitive advantage, check out our webinar, Three Reasons You Need a Cybersecurity Framework. To see how CyberStrong can be an effective IRM tool for your organization, contact us.