Cybersecurity: How to properly protect IoT devices and the cloud
The Internet of Things offers a great deal of potential for innovative applications and for optimizing a wide range of processes. A well-designed network of IoT devices can reliably automate even complex tasks and thus, for example, allow entire production chains in industry to run largely autonomously. There are also an increasing number of applications relying on networked technology in medical care, future-oriented planning of cities, mobility and, in view of the current pandemic situation, especially in the home office sector. Smart sensors and remotely controllable actuators are already in use in many places. The problem here is that awareness of good cybersecurity in connection with IoT has so far been almost non-existent. In addition, the current Corona crisis is not only acting as a positive accelerator of digital transformation. Cybercriminals are also discovering new, attractive attack points in devices and in the cloud as a result of the crisis.
Potential danger from inadequate IoT security
The Internet of Things is based on the fact that individual devices, sensors and IoT applications can communicate with each other or via the Internet at any time. They collect masses of data required for planned tasks and exchange this often sensitive information. This strong networking is what enables IoT systems to solve complex problems in the first place. However, many devices are still poorly protected or not protected at all against external attacks. Anyone who manages to gain access to a single device on a poorly protected network therefore often also gains free access to the other devices logged on. The consequences can range from annoying (attacker reads sensor data or launches DoS attack on the network) to life-threatening (attacker manipulates medical devices or autonomous machines).
Special case cloud-based threat potential
Keywords digitalization and home office: many companies have deployed new, digital technologies in the wake of the Corona pandemic. In order to integrate their employees in the home office, many remote access projects were almost inevitably implemented - much more extensively and quickly than had been planned in some cases. Whether cloud applications, collaboration and conferencing tools, and remote access technologies such as traditional VPNs or advanced zero-trust access, all of these technologies accelerate effective work in the home office, but at the same time mean new risks for companies and especially for employees working from home. In many cases, employees have simply not been adequately educated about the risks. Cybercriminals have been very quick to seek ways to profit from this situation, especially via phishing campaigns.
The use of cloud services is attractive to attackers for several reasons: they offer easy hosting, are simple to manage, and allow frequent and rapid switching between different payloads. Most importantly, they offer outstanding opportunities to circumvent security technologies, as many of the services (used precisely by cybercriminals) are classified as trusted and whitelisted accordingly. Traditional web security solutions were not designed to monitor cloud services, so they lack context as to whether it is an enterprise or consumer cloud service, for example, and are unable to understand the language of APIs, meaning they lack any insight into usage.
Sensible measures for IoT security
A functional IoT system must be protected against attacks in the same way that computer networks have been implemented for decades.
However, before concrete measures are taken, important questions around the network should be answered:
Who has or needs which access rights for which IoT devices?
What permissions do the individual devices have or require in each case?
How many IoT devices are on the corporate network and how is this inventory managed?
Is the IoT infrastructure operated in a separate network isolated from the corporate network?
What happens if employees' (or an attacker's) private (IoT) devices dial into the corporate network?
If the necessary expertise is lacking in the company, it is worth seeking the help of a security expert with a focus on IoT security and cybersecurity. By the way, this is one of the core competencies at ROBIOTIC - contact us if you need support in this area!
Regular updates against security gaps
Regular updates are one of the most important methods to protect the network, because they do not only bring new functions: In most cases, they contain important patches that close newly discovered security holes. As a rule, the longer a vulnerability is known, the easier it is for attackers to exploit it for their own purposes. Outdated IoT devices and those that generally do not receive updates should therefore be viewed critically and, if possible, replaced with an update-capable alternative.
It is important that not just any user should be able to update the devices. This could give hackers the opportunity to inject their own update with malware into the system. Strict control and restriction of user rights is therefore recommended. Likewise, updates should only be installed from the manufacturer's official source. Counterfeit updates can cause great damage and not only provide an attacker with a backdoor into the company network, but also independently manipulate the function of networked devices with malicious intent.
Raising employee awareness
A decisive factor in establishing effective cybersecurity in companies is making employees aware of this issue: if they are aware of the potential dangers of remote access via the cloud, especially in the home office, one of the most important steps toward greater security has already been taken. Every individual should have internalized how important it is to use cloud-related security solutions and how important it is to adhere to the associated rules in order to recognize and avoid cloud-related threats. Security for the cloud can only come from the cloud itself - involving all devices and people working together within an IoT network.
veröffentlicht am : 2021-01-27 08:00