Q: IoT devices have added more attack surfaces to protect and hardware to maintain, which is why we’re trying to adjust our business plans and pricing models accordingly. What are some businesses that will be transformed by IoT and what best practices we can employ to keep customers protected?
The term “Internet of Things” has been around since at least 1999 when a Proctor & Gamble executive was trying to excite his bosses about some new applications for the still-nascent online world. The term languished for a while before really exploding on the scene about 10 years ago. Now IoT is part of the daily language of technicians, MSP owners, entrepreneurs, and everyone who’s even remotely a cyber buff.
However, managed service providers have more than a passing interest in the topic. For MSPs, IoT devices are becoming an increasingly dominant part of the portfolio of protections that need to be offered. In mainstream culture, IoT has captured the public’s imagination with its ability to transform the household — my 76-year-old tech junkie father has a WiFi-controlled garage door opener, washing machine, and a menu of once staid household devices that have now moved to the cloud.
How IoT is transforming the industry
IoT’s influence is really being felt in industry and infrastructure — a solid turf for the average MSP. While sensors and security cameras may lack the conversation-starter status of a WiFi-connected washing machine, it is these seemingly more mundane devices that the MSP needs to pay attention to in the emerging Internet of Things.
With this in mind, SmarterMSP caught up with Ernie Hayden owner of 443 Consulting, a provider of technical and cyber security support, in Washington State. Hayden has extensive experience in the power utility industry, critical infrastructure protection/information security domain, industrial controls security, cybercrime, cyber warfare, and physical security areas. Hayden’s primary emphasis is on offering expert advice on industrial controls, energy supply, and oil/gas/electric grid security forums. He is currently the Vice President of Training and Education for the International Operational Technology Security Association (IOTSA), a member of the European Union Network and Information Security Agency (ENISA) Stakeholder Board on Industrial Controls Security.
Hayden says MSP owners first need to do is define what IoT even is. For instance:
“Security cameras are essentially IoT devices…some other devices like sensors are literally IoT devices,” Hayden says. “IoT is basically putting everything on the spot. There’s no need to transmit data. Cameras used to have to transmit pictures to a video server to be analyzed. But that step has been eliminated by with the ability to process and analyze photos in the field.”
With IoT devices growing in popularity, it is important for MSPs to stay organized and keep their customers’ networks secured.
MSPs need to be increasingly organized because the days of managing a single server are over. Even businesses that don’t seem intertwined with IoT devices are. Hayden brings up the example of a Toyota Rav4 that he recently purchased with ‘all the bells and whistles.’ He was surprised when reading the owner’s manual that a sensor in the car will log seat belt usage, direction, speed, altitude, and more.
“This is an IoT device, but the features aren’t designed for me, they’re more for insurance companies or law enforcement,” Hayden explains.
Doctor’s offices are mother lode’s of data increasingly harvested by IoT devices. “It is very rare you get your blood pressure taken any more with an old-fashioned blood-pressure cuff, instead you get an automated analysis of your blood pressure, heart rate, and percentage oxygen and the data is in a signal sent to a chip or USB device or a computer,” Hayden says.
All of this data floating around on connected devices creates an immensely increased attack surface.
MSPs: authenticate, authenticate, authenticate
A gigantic weakness in IoT devices is authentication, according to Hayden. Many off-the-shelf devices are easily commandeered and can be used to harvest data. Another fear that Hayden highlights is that hackers could gain unauthorized access into IoT devices and sensors or intercept local wireless communications to capture sensitive data or deny a particular service.
Encrypting the data would be a useful way to reduce security risk; however, many of the sensor devices currently on the market lack battery or computing capacity to implement sophisticated security precautions.
While IoT has already made its way into many occupational spaces (healthcare, government, and education to name a few), it may transform industrial platforms the most. “IoT devices are inexpensive and can offset the reduced headcount in the plant and still allow for safe and efficient operations — if deployed safely and correctly,” Hayden says.
Four tips for MSPs
So when dealing with increased IoT devices — especially in industrial settings — here are four things to consider:
Authentication: Ensure authentication is turned on and includes strong passwords and preferably two-factor authentication.
Avoid overuse: Make sure IoT devices are only used as necessary and not just because they can be. The unnecessary application simply creates additional attack surfaces to defend.
The challenge of IoT devices for MSPs is to harness its power for efficiency and data retention while avoiding messy unintended consequences.
Control room noise: Control room operators don’t want thousands of alarms and readings that will overwhelm them with noise. Instead make sure the right controls are in place so that they can run the plant safely and efficiently.
Physical safety: MSPs in industrial settings especially need to work with physical plant personnel to ensure that access to critical controls and IoT devices are restricted. Some companies make what are called “lick and stick” sensors that transmit important data like temperature and velocity and specific systems can shut down if certain parameters are exceeded or not met. And if those sensors and data — which can be easily purchased with a corporate credit card — fall into the wrong hands or are placed on the wrong systems; things could go very wrong.
“Someone could be building a bomb in my plant without me being aware,” Hayden says. That’s why the challenge of IoT devices for MSPs is to harness its power for efficiency and data retention while avoiding messy unintended consequences.
Photo: TierneyMJ / Shutterstock.