Why We Need to Better Understand IoT So We Can Defend Against It
At the root of any cybersecurity program is its ability to measure enterprise cyber risk. As a result, much of the attention IoT (Internet of Things) has received has centered on asset inventory and administrative management of these devices. From a national security perspective, that is only the tip of the iceberg: the risk IoT creates, and the concerns it raises, extend well beyond device management at both the organizational and the national level.
Arguably, the biggest issue with IoT is its increasing complexity and its integration into both the physical and the digital world. Yes, IoT has been in the news for many years as a means of facilitating large-scale attacks such as DDoS campaigns. A good example is October 2016, when Dyn, a managed DNS provider, was hit with a massive DDoS attack in which many of the attacking nodes were compromised IoT devices (the Mirai botnet, built largely from IP cameras and DVRs with default credentials). However, as system integrations become more complex, so does the use of IoT devices, both in the services they offer and in the data they collect and generate. So what security fallout can IoT produce, especially in the context of Homeland Security? It varies.
Take for example a web camera that is turned on and recording the entrance to a supermarket. Sure, some personal data (recordings of license plates, faces, etc.) would be captured, but would it rise to the level of national security? Probably not. What if the same camera were pointed at the entrance to a military facility? Context is everything when talking about IoT, and not just from a data perspective. What if a web camera on an internal network were compromised, but it sat in a separate VLAN dedicated to IoT devices and could not talk to the rest of the network? From an organizational perspective, the risk is probably low. What about the same device in the data center of a government institution, on the same VLAN as the servers? This is what makes IoT so potentially dangerous to organizations: these devices are a multi-pronged threat. They pose risks to internal networks, they can capture all sorts of sensitive or critical data, and they can be used to launch cyberattacks.
So, what does this have to do with the security concerns of correlating multiple sources of data? At the end of the day, unless you know about every bit of data in your network, you will not know where additional context can be found, even assuming that external data sources are unavailable. For example, take the name someone has given their personal cell phone. How useful is that on its own, without a corresponding legal name or phone number? Probably not very. How much risk is created if it were to leak? Virtually none in most situations. But what if this name is combined with other data sources, such as internal or external IoT devices? Consider the Wi-Fi functionality found on every smartphone. Your phone does not even need to connect to a Wi-Fi SSID: if Wi-Fi is on, the phone sends probe requests, and every wireless access point in range can record information from them, such as the device MAC address. (Modern iOS and Android releases randomize the MAC used in probe requests, which reduces but does not eliminate this kind of tracking.) With that data and some geographic information about where each access point sits, someone could track people coming and going. If they could then tie a MAC address to additional personal information, chances are good that they could track a specific individual. Does your organization know how its data is being collected or generated, and how it is being used? Who knows what additional information could be derived by combining data sources in the right context? This concept of coupling multiple data sources has taken on a life of its own and found its way into the enterprise.
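To make the correlation concrete, here is an added Python example (not from the original article) that joins three constructed data sources: probe-request sightings as a Wi-Fi controller might log them, an access-point inventory with coordinates, and a device-registration list mapping a MAC to a person. All names, addresses and coordinates are invented for illustration. It also flags locally-administered MAC addresses, which is what randomized probe-request addresses look like, so the reader can see which trails do and do not become a personal track.

```python
"""Correlating Wi-Fi probe-request sightings across access points.

Added example, not code from the original article.  Every MAC address, AP
name, coordinate and person below is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sightings: (timestamp, access point, client MAC seen in a probe request)
SIGHTINGS = [
    ("2023-05-01T08:02:10", "ap-gate",  "3c:22:fb:1a:2b:3c"),
    ("2023-05-01T08:05:41", "ap-lobby", "3c:22:fb:1a:2b:3c"),
    ("2023-05-01T08:06:02", "ap-lobby", "da:a1:19:00:11:22"),  # locally administered (randomized)
    ("2023-05-01T08:30:15", "ap-lab-3", "3c:22:fb:1a:2b:3c"),
    ("2023-05-01T17:45:09", "ap-gate",  "3c:22:fb:1a:2b:3c"),
    ("2023-05-01T09:12:33", "ap-lobby", "e6:00:00:12:34:56"),  # locally administered (randomized)
]

# Constructed: AP inventory with (x, y) coordinates in metres from the gate
AP_LOCATIONS = {"ap-gate": (0.0, 0.0), "ap-lobby": (0.0, 30.0), "ap-lab-3": (120.0, 45.0)}

# Constructed: a second, unrelated data source such as a BYOD registration list
DEVICE_OWNERS = {"3c:22:fb:1a:2b:3c": "J. Doe"}


def is_locally_administered(mac: str) -> bool:
    """True if the U/L bit (0x02 of the first octet) is set.  iOS and Android
    randomized probe-request MACs carry this bit, so such trails cannot be
    joined to a registration list by MAC alone."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def build_trails(sightings):
    """Group sightings per MAC, sorted by time, with each AP's location attached."""
    trails = defaultdict(list)
    for ts, ap, mac in sightings:
        trails[mac.lower()].append((datetime.fromisoformat(ts), ap, AP_LOCATIONS[ap]))
    for mac in trails:
        trails[mac].sort()
    return dict(trails)


def correlate(sightings, owners):
    """Join movement trails with the owner table: a trail whose MAC appears in
    `owners` is no longer a device track, it is a person's track."""
    report = {}
    for mac, trail in build_trails(sightings).items():
        report[mac] = {
            "randomized": is_locally_administered(mac),
            "owner": owners.get(mac),          # None when no join is possible
            "first_seen": trail[0][0].isoformat(),
            "last_seen": trail[-1][0].isoformat(),
            "path": [ap for _, ap, _ in trail],
            "coords": [xy for _, _, xy in trail],
        }
    return report


if __name__ == "__main__":
    for mac, info in correlate(SIGHTINGS, DEVICE_OWNERS).items():
        who = info["owner"] or ("randomized MAC" if info["randomized"] else "unknown device")
        print(f"{mac}  {who}: {' -> '.join(info['path'])} ({info['first_seen']} .. {info['last_seen']})")
```

Run on the constructed data, the registered MAC yields a named person's route through the building and their arrival and departure times, while the two locally-administered addresses remain anonymous device trails. The security point is that neither the AP logs nor the registration list is sensitive on its own; the join is.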
Enter the concept of "digital twins". IBM defines a digital twin as "the virtual representation of a physical object or system across its life-cycle." A twin uses real-time data from multiple sources to enable learning and ongoing recalibration that improve decision making. The use cases cross practically all verticals, including the public sector. For example, Singapore has created a virtual model of itself to improve government maintenance as well as urban and disaster planning. The thousands upon thousands of data points needed to build such a twin come in part from IoT devices.
Using IoT technology to build a digital twin raises concerns for many verticals, homeland security among them. Whatever system the digital copy represents, it is pulling data, much of it from IoT, out of multiple sources to recreate the physical system digitally. How does one secure the digital twin? How do you ensure it is not used for nefarious purposes? At a minimum, the digital model reveals its data sources to people who should not even know they exist, let alone have access to them. Worse, a threat actor who obtains the twin holds a digital copy of a complete system that would normally have to be assembled piecemeal through "traditional" means, such as collecting security logs from multiple systems and cross-referencing them with other data to map out a network. Depending on the sophistication of the twin, it may present the same information in a far more comprehensive form, which makes it that much more dangerous in the wrong hands.
IoT, while offering obvious benefits in corporate and home networks, carries an equal and growing risk. As the world advances, we will see how IoT interweaves itself with other technologies, perhaps to the point where the sum is greater than its parts.