Security vs Innovation: The IoT Dilemma from a Business Perspective

In this exclusive guest article, Kieran Hooper-Warren, Director at Iotabl, looks at security implications when innovating via the Internet of Things (IoT).

The Internet of Things (IoT) is perhaps the fastest-evolving technological development in recent memory. There are already around 22 billion devices in circulation across the world, with an expected increase of an additional 15 billion by 2025. However, as the number of these devices surges, so do the potential attack surfaces for malicious hackers.

In many ways, this adoption of machine-to-machine (M2M) technology has rapidly accelerated the pace at which companies are able to innovate. Yet, the ability to innovate has been knocked off course by the cybersecurity implications of deploying IoT devices.

Previously, a malicious hack resulted in breaches and financial or reputational loss. The IoT has simply exacerbated this problem, as these devices now impact the real world. From security cameras, doorbells, air conditioning units, thermostats and TVs to sensors, the Internet of Things is absolutely everywhere. In just the first six months of 2021, there were over 1.5 billion IoT breaches. It’s a huge problem that is only going to get worse.

Trusting Innovation

The importance of innovation should never be underestimated. Innovation doesn’t mean adopting the next feature-rich tech product on the market this week. Real innovation means adopting principles and practices that help to shape a new technological competitive advantage, while still remaining as secure as possible.

A catch-all approach to cybersecurity doesn’t work anymore. Modern IT and IoT systems are now so technologically complex that it’s unrealistic to assume that every asset will need the same security approach. Instead, organisations must weigh up the risk for each use case and implement tailored, situation-specific security practices.

Let’s take home security as a simple example:

The lock on your front door serves a purpose because it is designed to lock the door. Window locks provide a similar function in principle. Yet, the bedroom safe containing your life savings has a six-digit PIN lock. You wouldn’t put a six-digit PIN lock on your front door or your window, and similarly, you wouldn’t put a window lock on your safe. The same principle applies to security in innovation – a layered approach is necessary. Cybersecurity and innovation go hand-in-hand.

The Innovative Risk

Over the past decade, IoT technologies have moved well away from the pilot stage to driving business value and competitive edge through their vital role in digital transformation. The innovation survey by KPMG demonstrates that IoT is the top technology when it comes to opportunity generation. Nearly 17% of survey respondents stated that IoT is the most significant driver behind their digital business transformation.

IoT is accelerating innovation beyond the technological norm. Just this month, the BBC released an article discussing how the global food supply chain may be at risk from malicious hackers because of farming robots. Benjamin Turner, COO at Agrimetrics, said: “Hacking into one tractor, you can upset a farmer and maybe damage their profitability for a season. Hacking into a fleet of tractors, suddenly, you’ve got the power to affect the yield in whole areas of the country”. This is now a very real possibility in the age of IoT.

Now imagine a scenario where a hacked fleet of devices impacts every single industry where they’re deployed. That scenario took place in 2016 and was known as the Mirai botnet. In September of 2016, the authors of the Mirai malware launched a denial-of-service attack on the website of a reputable security expert. Subsequently, the source code of the malware was released to the world, enabling other cybercriminals to replicate the attack. This resulted in a widespread denial-of-service in multiple industries impacting hundreds of businesses up to the value of $8.6 million (£6.8 million).

This is just one example of how multiple IoT devices can be compromised by a single vulnerability. However, the IoT attacks we now see on a regular basis are far less sophisticated because the security embedded into these devices is often inherently problematic.

Common IoT Security Problems

1. Weak or Default Passwords

Perhaps the most common security issue with IoT devices is weak credentials for accessing device configuration. A large number of devices will have default or easy-to-guess credentials, e.g. the username could be ‘admin’ and the password could be ‘12345’. It doesn’t take much effort – even for a low-level beginner hacker – to gain access to these devices in any given IT infrastructure. Often, these credentials are difficult or impossible to change.

2. Lack of Regular Patches and/or Updates

IoT products are developed with innovation, ease of use, and connectivity at the forefront of the development process. Devices may be deemed secure at the point in time they’re developed, but become vulnerable when hackers and security experts find new vulnerabilities. If the version of the software/firmware is not fixed with an update, the IoT devices gradually become more exposed, and therefore more vulnerable, over time.

3. Lack of Data Protection

Although IoT devices are capable of transmitting communication on an M2M basis, the computational power behind many devices lacks the ability to securely store data. For example, in 2017, security experts from Darktrace revealed that they had discovered an attack on an unnamed casino via a thermostat attached to a fish tank. The attackers were then able to gain access to the network and eventually exploit around 10GB of data. It’s a very simple process for sophisticated hackers.

So, while the rapid adoption of IoT technology is enabling businesses to innovate on an unprecedented scale, it is also presenting unprecedented cybersecurity risk. Organisations are now having to balance gaining a competitive edge through innovation with the security implications of achieving such innovation. Hence, the IoT dilemma is a complex conundrum that will continue to be an issue for CISOs as the number of devices surges.