Securely Integrating the Internet of Things

Mar 8, 2016 10:00:00 AM

Wesley McGrew


Last week, members of the security industry gathered for the annual RSA Conference to discuss the latest topics in information security, from the Apple vs. FBI encryption debate to the latest innovations in security software. Perhaps one of the hottest topics at RSA this year surrounded the risks posed by devices that make up the ‘Internet of Things.’ From automated manufacturing processes to industrial control systems, all the way down to the appliances in an office breakroom, IoT technologies are changing the way businesses are operating, making systems more efficient, and allowing for greater productivity among organizations. However, with the enormous benefits of IoT come enormous security risks.

Matter of When, Not If

In his speech at RSA last week, the U.S. National Security Agency chief said it best: it is a “matter of when, not if” a foreign nation-state attempts to launch a cyber-attack on U.S. critical infrastructure. He made mention of the hack of Ukraine’s power grid in December. The blackout affected an estimated 225,000 customers. With more devices connected to the network today, from power grids to fitness bands, the stakes are higher than ever before.

As I discussed in my February blog series, Gartner estimates 21 billion devices will be connected by the year 2020. For corporations, each of these new devices creates additional opportunities for hackers to gain access to your networks. Our penetration testers are revealing vulnerabilities in IoT technologies integrated into organizations. Within days of beginning a penetration test on one Fortune 500 customer company, we were able to control their physical security systems, doors, climate control and more.

IoT Opens Up a New World for Hackers

Now, not only is your data being attacked, but also control of your HVAC systems, manufacturing equipment, security systems, and any other ‘thing’ connected to the internet within your organization. In many cases, IT staff in an organization are not completely aware of the network connectivity and feature sets of the devices that have been placed on their networks. IoT companies are in a race to get their product to market. Therefore, security often takes a back seat to functionality. With this mindset, vulnerabilities are overlooked.

The Best Defense is a Good Offense

So, what’s the answer? How can you leverage IoT technologies for the value they bring to your organization without allowing hackers access to your systems? Avoiding the adoption of new technology is not a feasible long-term answer. Rather, proceeding with caution and understanding the security risks and vulnerabilities associated with these technologies is necessary.

Do your homework. Understand the vulnerabilities in the IoT technologies you are integrating. Their vulnerabilities become your vulnerabilities. Routinely check for vendor updates and publicly published security advisories for the devices you use.

Conduct regular penetration testing. Know your vulnerabilities. Regular penetration testing will help to identify functionality and security weaknesses in new IoT devices on your network.

Use a layered defense. Attackers will leave no stone unturned. They will take advantage of the increase in endpoints and the increased attack surface. Therefore, layers of protection are vital. Use firewalls and other forms of access control to prevent attackers from gaining easy access to devices.

In the coming years, as the attack surface grows, hackers will treat IoT devices as a target more often, and you will be the target of an attack. At HORNE Cyber, we believe the best defense is a good offense. Take time to understand where vulnerabilities exist in your system through proper evaluation of IoT technologies and advanced penetration testing.

I welcome your questions and comments below.





Wesley serves as the director of cyber operations for HORNE Cyber. Known for his work in offensive information security and cyber operations, Wesley specializes in penetration testing, network vulnerability analysis, exploit development, reverse engineering of malicious software and network traffic analysis.
