Mitigating IoT Security Risks:

Categorizing and Minimizing Threats to your Business

by Dillon Jensen

JASM Co-Founder

Introduction

The Internet of Things (IoT) has revolutionized the way businesses operate, providing real-time data & analytical insights that enable organizations to make better decisions and improve their operations on many fronts.

However, with the rise of IoT, comes a significant increase in the number of potential threats that businesses need to consider. From customer data breaches to damaged hardware, there is a newly evolved range of risks that could compromise a business’s security and undermine its success.

In this article, we will explore a high level overview of risks in IoT, and provide tips on how businesses can mitigate some of these threats to ensure the safety and security of their operations. We will begin with an explanation on why IoT creates more business risk than other technology adoptions, then we will categorize the types of risk with a few real-world examples & mitigations, and conclude with some takeaways to help you feel confident in your IoT approach.

Let’s get started.

“The S in ‘IoT’ stands for security”

A common joke relating to the mass adoption of IoT (Internet of Things) enabled products, is the following:

“The S in ‘IoT’ stands for security”

Though this saying has been around for several years, and much recent investment has been poured into making IoT solutions more secure, it is still quite relevant even today. But why? Are engineers working on IoT-related projects lazier, or less capable in implementing security measures than engineers working in other segments? Not at all.

One might assume that the stereotype of weak security in IoT / Remote monitoring is because it is a relatively recent innovation when compared to cybersecurity as a whole. Afterall, it takes years (if not decades) of innovation, expensive mistakes & expert discussion to create industry-wide standardizations & common architecture models with reliable security. A prime example of this is the early days of internet security, and the evolution of the SSL/TLS protocol, here is a great article about this. Blaming weak security on the early state of IoT adoption is partly true, but not the whole story.

The core of the IoT security problem lies in the fact that there are simply more technology layers involved than in other domains.

Here is a great high level diagram of an IoT solution:

This is a great high-level diagram, but it is still a simplification, and there are many special considerations hidden within each layer. If your web application seems secure, but the deployed devices’ firmware updates are not, how confident can you be in the security of the complete end-to-end solution?

Adding more capability to your IoT solution adds more value to your business, but it also adds complexity, which exponentially creates opportunity for security vulnerabilities.

There is always a tradeoff to be made, and it is important to consider what level of integration is ideal in terms of risk & reward. If you want your IoT solution to integrate completely with other parts of your business, such as your CRM, just understand that you are extending the scope of your cybersecurity needs, and must consider a whole new avenue of edge-cases because of it.

When designing your IoT / Remote Monitoring solution, remember the following quote:

“A chain is only as strong as its weakest link”

Let’s talk about some of the risks that are directly preventable.

Avoidable Risks

Hindsight is always 2020. The weak link seems obvious in retrospect, but only because you are focusing on it. When your focus is narrow, you are more likely to notice mistakes, but as we saw in the multi-layered diagram above, the scope of an IoT solution is usually anything but narrow.

Many IoT security pitfalls stem from the complexity that is derived from a wide project scope. It is not impossible to build a secure yet complex IoT solution, but when additional constraints are imposed without an associated compromise, mistakes are made.

The root cause of cybersecurity mistakes is often a simple one: lack of resources. The limited resource may include but is not limited to:

Time
- There is no replacement for quality engineering time. In the fast-paced modern business environment though, leaders often pressure engineering teams for rapid progress, with the intent being a faster time-to-market & cheaper development costs. Though these are noble intentions, in order to make ambitious progress on a short timeline, shortcuts must come from somewhere.
- Make sure any shortcuts come from the product features instead of product security, or your engineering team will be spreading itself too thin.
Budget
- A constrained budget will mean that less engineers are available, the resources those engineers have at their disposal is limited, and more responsibility is placed on each one. This is tricky to navigate, unless the scope of the project fits the budget in some form of reality.
- There are ways to outsource parts of the IoT solution for less upfront cost, such as FCC-certified hardware modules or parts of the software solution that can be licensed or paid on a per-use basis. These options can make each dollar go a bit further, but it is unlikely to fix a project which was doomed from day 1, due to lack of a realistic budget.
- If the budget available does not fit the project, evaluate shortcuts that do not compromise on security, or more likely, change the project scope.
Experience
- Lack of experience within the engineering team can be a large factor in the resulting cybersecurity. Engineers who are great at PCB design & hardware, are unlikely to have relevant experience in web security or cross-compatible user interfaces. Team members need to be based in roles that play to their strengths.
- If your team doesn’t have each base covered from day 1, that’s okay – Don’t be afraid to use external specialists in areas where your team has blindspots. The only mistake to avoid here, is ignorance in assuming that your team can learn as they go without extra guidance or additional development time.
Communication
- Even with a competent engineering team, poor communication can lead to serious design or implementation flaws. Since IoT solutions are spread between many layers from hardware to the cloud, often separate engineers or teams are responsible for a segmented area of the solution, and must communicate in order for all these areas to work together.
- Problems arise when poor communication leads to assumptions about the area of responsibility that is divided between teams. This is not unique to IoT, but it is crucial for consistent communication between the end-user, engineers, and business leaders.

Mistakes based on the constraints listed above are an avoidable risk. Most horror-stories are born from one of these causes, even though sometimes they don’t surface until a few years later.

A more simplistic solution with proper security is better than a full-capability one which compromises on security. Your customer interest might tempt you to start with a shiny full-capability solution (and work on the boring security later), but this is the wrong order of events. Security should be first, additional features should come after.

Shortcuts are not inherently bad. In fact, it often makes a lot of sense to limit scope, outsource parts of the solution, or reduce non-critical features & plan to add more support in future updates. Real trouble only comes when those shortcuts come in the form of cybersecurity, or overall usage testing.

Let’s look at a real-world example.

For context, OEMs who offer connected products often have more than one portal to access their product:

There is a customer-facing portal for viewing real-time dashboards, gaining analytical insights, or setting alerts.
There is an OEM-facing portal, which is used to manage the product fleet & customer base. This portal provides fleet-wide business insights & actions that only the OEM should have access to, such as OTA (Over-the-air) updates, customer support, & viewing internal service metrics.

One way to shorten development time is to combine these portals. Basically, hide the OEM/Admin interface within the customer facing one. This approach can save development time, but it can be dangerous without proper security measures in place.

Sound familiar? This actually happened, with Jacuzzi SmartTubs. Basically, sensitive customer data was exposed to a curious user, who was able to access the hidden OEM interface, without proper credentials.

From a technical perspective (though the details are light), it seems the exposed user data flaw happened due to trust established based on “local” data stored within the client application, which is data that can be manipulated by a malicious user.

A technical mistake, but why was it made? Lack of experience, communication, or time to iron out bugs? We can’t be sure. We can say with relative certainty though, that an experienced web/mobile developer focused specifically on evaluating the security of the hidden OEM features, would almost certainly have noticed this bug before it was released to production.

Protecting against known threats is one thing, but another form of danger lies in threats that are currently unknown. Let’s talk about these unavoidable risks next.

Unavoidable Risks

Here’s the bad news: there is always a level of unavoidable risk in IoT solutions. It is impossible to prove that any software system, (especially an IoT system) is 100% secure, it is only possible to prove that it isn’t. This is not unique to the world of IoT, but an underlying theme in all of cybersecurity.

You might be wondering what makes me sound so pessimistic.

If you’ve ever heard of the learning matrix, the category of unavoidable risk fits precisely into the box usually labeled “You don’t know what you don’t know”:

A great example of “You don’t know what you don’t know” is the concept of a zero-day vulnerability, which is a security weakness that the creators of the targeted software are not yet aware of. The “zero-day” part means that the team responsible for keeping the software secure has had zero days to issue an update to prevent this vulnerability from being exploited. In other words, it is a threat the software team is not aware of, and has therefore not been able to protect against.

The following real-world example for unavoidable risk is certainly overkill, but it should prove my point.

The example is Stuxnet: one of the most infamous & complex cyberattacks of all time. Stuxnet was an extremely dangerous virus aimed at disrupting the Iranian nuclear weapon development program. It compromised a range of computer networks, continually infecting more until it reached the ultimate target: fleets of Siemens PLCs controlling Iranian nuclear centrifuges, destroying them from the inside-out by intentionally spinning them too fast. While this was happening, Stuxnet was reporting false non-alarming data on display interfaces such as HMIs, and simultaneously hiding almost all traces of its existence.

How could a virus accomplish all of this? Stuxnet used an astonishing FOUR zero-day vulnerabilities in a single attack. Usually, all it takes is one zero-day exploit to be very dangerous in a large cyberattack. These exploits were not found by amateur hackers, and they weren’t targeting weak software. Namely, the exploits targeted the Microsoft Windows operating system & SCADA software from Siemens. These are huge software products from multi-billion dollar corporations with thousands of engineers, and a strong reputation to uphold.

If Microsoft can’t guarantee security, who can?

It is unknown how many global cybersecurity experts collaborated to create Stuxnet, but to call Stuxnet simply a virus would be an understatement, it is much more fitting to describe it as a digital weapon.

Which dark-web hacker group is responsible for such a weapon? No organization has ever claimed official responsibility, but it is widely believed to be the result of a top-secret cyber warfare project born from the collaboration of the United States and Israel. That’s right, it was likely Uncle Sam all along.

Fortunately, there is a takeaway in all of this: For unavoidable risk, the only mitigation that your company can consistently provide, is to make the effort far outweigh the reward.

Remember, hackers are people too:

Some hack for fun: Funny story about hacking MySpace
Some hack for profit: Recent Crypto Heist
Some hack for national security: Stuxnet

To deter most opportunistic hackers, make your solution as secure as possible. Do not leave any low-hanging fruit to spark their interest. Stay up-to-date with software patches, don’t rush your engineering team, and consult professional penetration-testers when necessary.

To deter more serious, profit-focused hackers (often in groups), limit the potential damage even if a successful attack were to occur. In other words, ensure the juice just isn’t worth the squeeze. To deter robberies, banks install cameras, hire security guards, and store cash in secure vaults. An ambitious criminal organization might construct an elaborate plan to circumvent these protections in order to steal $10,000,000: but would they still consider that plan if the bank only had $10,000? Unlikely.

If your company is a difficult target with relatively low potential benefits, hackers are likely to move on and seek better ROI elsewhere. In the case of IoT cybersecurity, mitigations may include separation of unrelated systems, limiting scope of customer data, & avoiding functionality with low utility & high malicious potential. All these mitigations can combine to make a potential hack much less appealing, especially considering the effort required.

Finally, if your company is not considered a threat to national security by the United States or other global powers, you are unlikely to be the target of a cutting-edge cyber warfare weapon such as Stuxnet – so don’t lose any sleep over it.

Conclusion

In the world of IoT, paranoia is a good thing, but still you must keep it in check in order to make any progress in your business.

Risk may be inevitable, but choosing a calculated approach can limit potential downsides, while simultaneously taking advantages of IoT such as operational efficiency, increased insight, and peace of mind.

I hope this article has illustrated a high level of the risks in implementing IoT solutions for your business, and given you a little insight on where to begin your discussion on the most practical way to ensure security, while also disincentivizing anyone from attempting to break-in in the first place.

If you’re looking for a secure way to bring your products & systems “online”, without the resources to provide it on your own, reach out to us for a free discussion about upgrading your unique business with remote monitoring.

At JAS monitoring, we offer intuitive monitoring software & lightweight hardware, striving to create the easiest way for OEMs to make the leap to Industry 4.0. Forget risky investment & unpredictable timelines: whether it is simple text alerts or a turnkey white-label monitoring service for your product, we look forward to hearing from you.