IoT encompasses everything connected to the internet, but the term is mostly used to describe devices that "talk" to each other, from simple sensors to phones and wearables, all connected together.
Many households now have at least one digital assistant (Alexa, Siri, Google Assistant) and many of us have Wi-Fi enabled CCTV and doorbells – which are all examples of IoT.
Other IoT devices include robotic hoovers that move around without needing a person on the other end, automated robots in factories, and sensors that monitor temperatures in buildings. There are already more than 50 billion IoT devices in use globally.
Wi-Fi, 4G and, more recently, 5G have made it possible for designers to simply assume wireless connectivity anywhere.
What are the cyber security risks within IoT?
IoT devices connect to the internet to provide enhanced features. The problem is that criminals may be able to access them remotely with malicious intent. Any device on the internet sends and receives information via the internet. If that information travels ‘unencrypted’, there is always the chance that someone with the right skill set and array of cyber tools may be able to intercept and download the signals, possibly viewing them as a live CCTV stream, for example. Thankfully, many devices encrypt transmission at source, but do you know if yours does?
Did your CCTV come with the standard User = “Admin” and Password = “Password”? (Or can you find the default username and password for your device with a search on Google?)
If you haven’t changed the default password, what is stopping an inquisitive hacker seeking out your camera’s IP (Internet Protocol) address and seeing if they can gain access to the main control unit – using the default username and password?
IoT and business?
Are your automated control systems designed to be internet safe or just internet enabled?
The difference is that a simple internet-enabled control system may be able to send and receive information via the internet, enabling remote control and monitoring. But is the device really internet safe?
Many controllers have a ‘smart’ control unit that has been bolted onto them, making a ‘dumb’ controller ‘smart’. If you have never considered how vulnerable your company is to cyber espionage, maybe it is time to have a look?
State actors are trying to gain access to UK companies and organised crime gangs are always trying to find ways into companies’ networks. This could be via the mail server, trying to bypass the company firewall, or it may be via a piece of equipment that runs old software that is no longer patched.
When it comes to safety, all companies know they have to be certified to comply with regulations for electricity, and they make sure all fire exits and emergency routes are known and practised.
However, when it comes to Cyber Security, do you know what damage the IoT devices you have installed could cause to your intellectual property?
Could they provide the entry route into your network to enable a ransomware attack?
Have you looked at Cyber Essentials (https://www.ncsc.gov.uk/cyberessentials/overview) or had a penetration test carried out to find out where the weak points are in your cyber security?
Have you carried out an inventory of all the IoT devices in your business, and do you know if there are any ‘known weaknesses’ that they could be harbouring?
Have all the latest patches been applied to the software and hardware of your IoT devices?
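The questions above can be turned into a repeatable check over a device inventory. The following is an added example, not part of the original article; the inventory, its column names and the 180-day patch threshold are constructed assumptions. Any answer other than a clear "yes" is treated as a finding, because "don't know" is itself the risk the questions are probing.

```python
import csv
import io
from datetime import date

# Constructed sample inventory (illustrative devices and dates, not real data).
INVENTORY_CSV = """name,default_password_changed,encrypted_transport,last_patched,vendor_supported
Front door camera,no,yes,2024-05-01,yes
Warehouse temperature sensor,yes,unknown,,yes
Production line controller,yes,yes,2021-03-15,no
Reception doorbell,yes,yes,2024-04-20,yes
"""


def is_yes(value):
    """Only an explicit 'yes' passes; blank or 'unknown' counts as a gap."""
    return value.strip().lower() == "yes"


def audit(csv_text, today, max_patch_age_days=180):
    """Return {device name: [issues]} for every device that needs attention."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        if not is_yes(row["default_password_changed"]):
            issues.append("default password not changed")
        if not is_yes(row["encrypted_transport"]):
            issues.append("transmission not confirmed as encrypted")
        last_patched = row["last_patched"].strip()
        if not last_patched:
            issues.append("patch date not recorded")
        else:
            age = (today - date.fromisoformat(last_patched)).days
            if age > max_patch_age_days:
                issues.append(f"last patched {age} days ago")
        if not is_yes(row["vendor_supported"]):
            issues.append("software no longer patched by vendor")
        if issues:
            findings[row["name"].strip()] = issues
    return findings


if __name__ == "__main__":
    for device, issues in audit(INVENTORY_CSV, date.today()).items():
        print(f"{device}: " + "; ".join(issues))
```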
One thing is for sure: IoT is here to stay, and properly managed it can help your business. However, like anything, you need to keep it up to date and understand any potential security threat it may pose to your business.
Detective Constable Gareth Jordan has been a police officer for 13 years and prior to that, was employed in the IT and Pre-Press and Print sector.
Gareth is now based at Police HQ in Carmarthen and has been involved in investigating all forms of crime that have a cyber-element to them.
He has a wealth of knowledge regarding Cyber Security and continues to expand this by being involved in the day-to-day investigation of cyber-based crimes.
Gareth knows about the latest cyber scams and can explain how they are carried out – and more importantly – how you can avoid falling foul of them.