Businesses will wake up in 2019 to find they have even more unmanaged and IoT devices throughout their organizations. Some purchases by the company. Some brought in by employees or vendors. Designed to drive productivity and efficiency. All with no security, little or no way to update their systems, and designed to connect.
These devices, actuators, and sensors that make up the Enterprise of Things are part of a digital transformation that every industry is experiencing. From high-tech to healthcare to manufacturing to retail, these unmanaged devices are highly vulnerable endpoints that cybercriminals target today, and in growing numbers. As we begin a new year, these are our predictions for these devices and the IoT security issues that will affect organizations of all types.
IoT attacks will evolve in sophistication. Since the Mirai botnet in 2016, we’ve witnessed a rapid evolution of IoT attacks. Within the past year alone, IoT devices have been harnessed maliciously for crypto mining, ransomware, and mobile malware attacks. In 2019, IoT threats will become increasingly sophisticated, shifting from botnets and stray ransomware infections to APTs for surveillance, data exfiltration and direct manipulation of the physical world to disrupt operations.
IoT adoption will spike in healthcare and manufacturing. 75 million IoT devices are expected to be online and in use by 2025. Enterprise adoption of IoT grew in 2018 with increased revenue and operational efficiencies for early adopters. Within the next 12 months, healthcare and manufacturing specifically will increase investments in connected devices. IoT will provide operational efficiencies for these environments, in particular, however, increasing numbers of IoT devices expands the attack surface exponentially and creates an increased potential for disruption to physical operations within manufacturing plants and disruption of patient care.
OT / IT convergence will accelerate. OT security will come into sharper focus as IT infrastructures and OT environments converge. Smart, connected devices will become standard in manufacturing plants, utilities, and other areas with critical infrastructure where digital meets physical operations. This will increase the potential for remote attacks that disrupt or sabotage robots, sensors and other equipment that drive much of the machinery and infrastructure behind our everyday lives.
Unmanaged and IoT device security will become a board-level priority. Today, about 30 percent of companies I work with discuss IoT security at the board level. IoT is not simply a driver of revenue growth. More and more Boards recognize the risk, compliance issues, and exposure these new unmanaged devices bring – which is why securing them is now a board-level initiative. I expect at least 60 percent of boardrooms will be prioritizing IoT security going forward.
CIOs will become the enterprise IoT security stewards. Gartner found that 32 percent of IT leaders list security as a top barrier to IoT adoption. CIOs are beginning to recognize the failure of device manufacturers to adequately address IoT security during device design and manufacturing, and have realized the need to monitor and secure these devices in the wild. IoT security will be a line-item on IT budgets in 2019 as a result of the growing awareness of the security issues, and we will see CIOs formalize and shepherd IoT security initiatives in the enterprise through their spending power.
Security frameworks and controls will extend to IoT and unmanaged devices. As a result of the explosion of the unprotected, unmanaged devices in the enterprise and new warnings from the FBI and Homeland Security around IoT security risks, industry bodies such as NIST, CIS, and MITRE have begun to roll out standards for IoT. Even the US Congress, traditionally slow moving in regards to technology policy, passed the SMART IoT Act last month. In the next 12 months, enterprises will address unmanaged devices in their security programs. To do this, businesses will first need to inventory their entire connected environment, assess risks and vulnerabilities, monitor for threats and support security teams who are extending threat hunting and incident response capabilities to unmanaged devices.
Point solutions reach a critical failure point for IoT security. Companies today are cobbling together multiple cybersecurity solutions and pointing them to the dark space of IoT hoping for visibility and protection. Betting on security with this point solution model is dull for several reasons. First, it’s impossible to install agents on all connected devices in an enterprise environment, especially when IT is unaware of nearly half of those devices; there are massive technical hurdles to integrating multiple tools, each with siloed data and their own deployment and operational complexities; pile on the industry shortage of the security skills necessary to get value out of each of these tools; and the Sisyphean task of wrangling point solution vendors into cooperation. The industry went down this path when securing and managing conventional IT. In 2019, I’m optimistic that companies will realize that this piecemeal security approach won’t work for IoT. Instead of jerry-rigging legacy point solutions to mitigate IoT risk, security decision makers will invest in dedicated IoT security platforms that help bring connected devices into the fold of enterprise security and operations.
Smart city initiatives will realize they forgot about security. Cities around the world are planning new “smart” initiatives to connect buildings, infrastructure, local agencies, and devices. London, Singapore, New York, Seoul, Boston, and San Francisco are few of the cities leading this charge. Smart cities include IoT applications for power and energy utilities, transportation services designed to reduce congestion and improve commutes, water, and waste management solutions, as well as information-sharing of their citizens. Unfortunately, these initiatives will fail to build security into their foundations. At Black Hat 2018, IBM announced 17 zero-day vulnerabilities in smart city systems which could debilitate core services. While smart city programs are focused on the right outcomes, they leverage unmanaged devices that lack security, are hard to patch, and have created the new attack landscape. Further, adequate budgets for cybersecurity are not always identified. In 2019, we’ll see increased instances of these systems being exploited.
Network infrastructure will become a new target. From routers and switches to access points, the foundational elements of our networks are not protected in a new IoT age — they’re a new class of unmanaged devices. As Armis showed with BLEEDINGBIT, two critical chip-level vulnerabilities impacting Cisco, Aruba, and Meraki access points, unauthorized hackers can now attack networks undetected, enabling them to introduce malware, move laterally, or destroy network segmentation. These devices are the cornerstone of enterprise communications, and in 2019, we’ll see more attacks targeting these as a vector specifically.
The channel will begin offering IoT-related services. Recent reports show IoT managed security services will increase five-fold by 2021. Services will start in more traditional manufacturing, transportation, oil & gas industries, then move to other IoT use cases and markets, such as healthcare, finance, and the very broad digital office. But layering on IoT security is an obvious offering, given the rising need and questions by every business looking to secure themselves.