By some estimates, there are around 10 billion IoT devices operating in the world today. By 2025, there will be more than 25 billion — a huge increase in so-called “attack surfaces” potentially vulnerable to infiltration.
And the main culprit for this explosion in vulnerable targets? There are many, from home Wi-Fi networks in a work-from-home world to a lack of two-factor authentication. But one of the biggest sources of potential weakness has come from the proliferation of connected devices — the so-called Internet of Things.
One example of this newly connected world comes from Impinj, which creates wireless, battery-free RAIN RFID chips that allow producers, distributors and logistics teams to track any kind of consumer product through globe-spanning supply chains. VP of Advanced Technology Megan Brewster explained to Built In that her company’s research and development teams are constantly monitoring the industry and its adjacent threat landscape to ensure they’re always using security best practices.
To dig deeper into the security issues facing IoT networks — and the strategies used against them — check out our interviews with Brewster and Balbix’s CTO, Vinay Sridhara.
Company background: Impinj uses a cheap and battery-free wireless system known as RAIN RFID to track everything from golf balls to apparel to travelers’ luggage. The company says RAIN RFID can plug any item into the internet of things, allowing greater efficiency in inventory management, asset tracking and shipment verification. Brewster said the technology can detect up to 1,000 items per second at a distance of up to 30 feet without necessitating a line-of-sight between an RFID tag and a sensor.
Security issues: Brewster listed data integrity, item authenticity and privacy as common security problems in the RAIN RFID industry. Companies employ a range of mitigation strategies, including specialized algorithms, filters and secure databases as well as encryption, audit trails, access control and shielding.
How has the threat landscape changed since the beginning of the pandemic?
With the pandemic, we saw an increased desire for visibility and automation across many industries including retail, supply chain and logistics, healthcare and more. The threat landscape has remained relatively unchanged, though the increased use of the technology has led to an increase in security planning as more and more items and devices are connected. In addition, there is an increasing desire for RAIN RFID to help with brand protection and loss prevention.
What are the key tools and best practices for engineering and infrastructure teams to keep a typical IoT network secure?
As with all networks, secure password protection is of the utmost importance and using multi-factor authentication delivers an additional layer of security. Encrypted communication using device certificates alongside firewalls protects against malicious actors accessing your IoT devices and data. Use a monitoring system that checks the system’s health and sends alerts if anything is out of the ordinary. Choose products from a trusted source, and keep firmware up to date to maintain an IoT product's security.
“We’ll see more effort put into securing those edge devices and databases where information is processed or stored.”
Looking forward, how do you think the threat landscape will evolve over the next several years for IoT systems?
I expect to see more and more data move into the cloud and toward the cloud, meaning an increasing role for edge devices like RAIN RFID readers. Subsequently, we’ll see more effort put into securing those edge devices and databases where information is processed or stored, and more cryptographic authentication capabilities to protect brands and eliminate counterfeits. We’ll also see loss prevention systems that seamlessly address theft and product diversion.
What are your security teams doing now to anticipate those changes?
We work closely with enterprise customers around the world who rely on our products and capabilities for their mission critical applications. We strive to understand their needs for data integrity and security, and the needs of their customers for privacy and security. We actively participate in standards body workgroups and efforts to establish best practices for RAIN RFID use. And our research and development teams continually evaluate our hardware products and software to prevent security vulnerabilities.
Company background: Balbix’s cybersecurity platform uses specialized artificial intelligence to monitor a system’s risk of breaching across all of a company’s online assets. The company claims to reduce its customers’ cyber risk by 95 percent while boosting security team efficiency tenfold. Its signature platform, dubbed BreachControl, continuously analyzes up to several hundred billion time-varying signals from an enterprise network, prioritizes vulnerabilities and dispatches prioritized tickets complete with context to security teams.
Security issues: While Sridhara acknowledged ransomware as a major issue confronting IoT networks, he identified the speed of attack across rapidly expanding attack surfaces as the major concern in the industry right now. “We have yet to scale cybersecurity to keep up in an ultra-connected world,” he said. “Security professionals are relying on decades-old tools. Compounded by a massive talent gap, cybersecurity has become an almost untamable beast.”
How has the threat landscape changed since the beginning of the pandemic?’
At the beginning of the pandemic, when remote work became the new normal, every company incorporated more digital initiatives into day-to-day functions to ensure that employees could continue working. Networks became dispersed, IT teams were troubleshooting from around the world and the attack surface grew. Now, with remote work becoming permanent for many, those same trends will continue. The addition of personal devices, emerging technologies like IoT on corporate networks and rapid organizationwide cloud adoption during the pandemic have also exponentially increased the attack surfaces.
What are the key tools and best practices for engineering and infrastructure teams to secure a typical IoT network?
The first thing security people need to do is implement an automated network monitoring tool to “watch” their network. Security teams usually aren’t aware of all the IoT devices on their network. By creating an inventory of IoT assets, security teams can see what devices are on it and what those devices are doing. Then they need to understand the security posture of each IoT device to gain insight into potential breach risks. Has the default password been reset? Is data encrypted? Have software vulnerabilities been patched? With so many devices, technology is also needed to prioritize fixing any security issues and bring the organization’s security posture in line with what it deems acceptable risk.
“As cybersecurity and infrastructure are debated at the government level, companies are putting a stronger emphasis on cyber investment.”
Looking forward, how do you think the threat landscape will evolve over the next several years for IoT systems?
As we continue to work remotely, mobile devices will access a lot of company information. Automation will also continue to drive the adoption of IoT devices. As we’ve seen since the pandemic began, these devices have quickly become a higher priority for bad actors. The recent exposure of NSO Group’s Pegasus spyware highlighted how high-profile business executives, government employees and journalists have all been targets of mobile attacks. We’ve seen similar high-profile attacks on operational technology at municipal utilities, like the water utility in Florida, the Colonial Pipeline and JBS’s beef plants.
What are your security teams doing now to anticipate those changes?
I’ve noticed a lot of security leaders are putting a greater emphasis on upskilling their current teams. On top of that, as cybersecurity and infrastructure are debated at the government level, companies are putting a stronger emphasis on cyber investment, giving security teams an adequate budget to help them deploy new and better tools and implement better policy control.