are the result of targeted attacks by highly skilled and persistent adversaries, including those in
China, Russia and the Middle East.
What could happen if just one of these nation states or cyber terrorists were able to infiltrate all
of the connected cars in New York City? Just last month the Government Accountability Office
reported “significant security control weaknesses remain, threatening the (FAA)’s ability to
ensure the safe and uninterrupted operation of the national airspace.”
So, what are the potential damages of a terrorist accessing airport control systems? The reality
is that cybersecurity is not only about financial loss anymore, but public safety – and because of
this, the government is starting to take notice.
In February, the Senate held its first-ever hearing on the topic of IoT. The discussion focused on
the risks and privacy concerns of connected devices, but also brought into question how
lawmakers can potentially regulate the production of these devices while still encouraging
innovation. However, even if the government determines that the risk is great enough to
become involved, it will likely take several years for a law to be written and passed.
As a result of the Senate hearing, the Federal Trade Commission recently released a report,
The Internet of Things – Privacy and Security in a Connected World, which also discusses
privacy concerns but is devoid of any actionable advice. Consumers, organizations and the
government are slowly, and reactively, realizing that serious and severe attacks are made
possible through the proliferation of the IoT, but there is not a clear solution. While the future of
the IoT is still unknown, there are some proactive measures organizations must take in order to
protect their critical data and ensure the safety of their employees and customers.
Mitigating the Threats in the IoT
Technology takes time to mature, and the IoT is still in its very early stages. It is safe to say that
the security weaknesses in IoT devices will persist for at least the next five years – leaving
organizations highly vulnerable to the increase in threat vectors available for exploit.
BYOD policies, in their current state, do not encompass IoT devices, and there are currently no
standard IoT policies, procedures or guidelines regulating security in the production of devices,
let alone their presence in the workplace.
Device manufacturers are not security companies, and they have no real incentive – besides,
perhaps, a moral proclivity – to add security to their devices. These companies are venture capital
funded out of Silicon Valley, and they want their products out the door as quickly as possible.
Until there is a massive IoT security disaster, or the government passes regulations, devices will
remain insecure.
Some may argue that segregating networks is the security solution for protecting an
organization’s data. Creating a separate network for guests and third parties to connect to would
certainly, in theory, protect the corporate network from a cyber attack. However, there is no real
12 Cyber Warnings E-Magazine – March 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide