Back in the 1980’s IoT seemed like science fiction, but today, this technology is widely accessible to everyone.
It’s hard to even imagine a company without these smart gadgets. However, many establishments have no in-house solutions that would allow monitoring the current state and shape of their connected devices. All this information has to be checked manually.
That wasn’t much of a problem until a few years ago – because of the pandemic, most management had to be done remotely. While companies have rapidly adopted tools like antivirus to help secure their entire network of devices, our guest today emphasizes that more robust measures are needed when securing the IoT.
Today we are talking with the CEO of SecuriThings, Roy Dagan. Roy explains the specifics and challenges of managing the IoT landscape.
How did SecuriThings evolve since its launch a few years ago?
It didn’t take long to realize that our customers faced a much bigger and very specific problem. From access control to building management systems, most enterprises have thousands of IoT devices essential for both security and operations. Yet, they have no centralized way of knowing whether connected devices are up and running, or need firmware updates and password rotation. Other areas of IT have this level of insight into systems and applications running on their networks. But that insight doesn’t extend to the Internet of Things. Ultimately, this blind spot creates risk and drives up maintenance costs for organizations. That’s why we expanded our technology to bring IT standards to the IoT.
Today, organizations across a range of industries – companies with large facilities, hospitals, airports, university campuses, tech companies, etc. – rely on us to automate the security and management of their IoT devices.
What challenges do you help your customers solve?
We help our customers operationally manage the growing fleet of IoT devices within their premises. Managing IoT devices that are often dispersed and hardly accessed is a very, very tough challenge. At any given organization, there may be thousands or tens of thousands of connected devices, across various networks.
Take a university campus, for instance. Their physical security team might use several vendors of security cameras, which use different software and integrate with different third-party systems. Operation teams are tasked with ensuring that each individual device is running properly, making sure it’s on a regular password rotation schedule, and running the proper firmware/software versions. Because all of this work is done manually, it’s either pushed to the wayside and never gets done, or it gets done but causes a huge drain on resources.
Can you introduce us to your Horizon solution? How do you help customers detect and eliminate threats?
Horizon, SecuriThings’ flagship product, is designed to manage large-scale deployments of IoT devices and address the biggest operational challenges for organizations. Our flagship solution, Horizon, automates operational tasks, including password rotation, firmware upgrades, device restarts, and more – all tasks which are currently performed manually and result in timely or costly maintenance expenses for companies. The platform helps operators reduce those costs by allowing them to remotely manage their IoT deployments at scale.
Oversight of any operational task related to a device can create an easy entry point into an organization’s network, data, and assets. By automating these tasks, we help security keep up with device operations to minimize any risk of a breach.
How did the pandemic affect the IoT landscape? Have you noticed any new security issues arise as a result?
IoT device management needed to be handled centrally, remotely, and automatically as much as possible. The pandemic meant it couldn’t happen any other way, for many organizations. Staff reductions were another challenge that sharpened the need for automating the management of devices at scale.
In the early days of the pandemic, there was a huge wave of burglaries of newly empty business facilities; keeping security devices online was a major priority. In the big picture, the pandemic drove the expansion of the IoT because many businesses rushed to digitize different processes so their customers, suppliers, and workers could avoid direct contact, yet get the job done. A lot of this happened very fast, obviously, and it did increase the attack surface - more rapidly than it was growing already.
Since SecuriThings ensures IoT security for various industries, what are the most common vulnerabilities you run into in each field?
The first and most dire issue we encounter is that companies lack visibility into their device ecosystem. Nearly two-thirds of organizations lack insight into their device stack and know only a portion of the devices connected to their network. This hampers issue identification and stretches out the time needed to diagnose and resolve issues. It’s crucial to know which devices are up and running, which are down, which need updated firmware, and which still use a default password. Without this information, it’s impossible to efficiently maintain, update, and secure devices.
Another issue we see is outdated firmware. It’s critical for physical security teams to ensure an optimal firmware path is being utilized to avoid introducing any vulnerabilities. IoT devices can stop functioning and/or become vulnerable due to outdated firmware versions.
Rotating passwords regularly is also a pain point. Many companies never change factory-set passwords, which for some devices are published on the Web, and create easy entry points for bad actors. On some devices or controllers, the passwords are hard-coded and still made public. IoT devices can also become vulnerable due to default, short, and shared passwords. To mitigate risk, organizations need to implement a password rotation policy. Devices that are out of compliance with the password policy should be immediately identified so security teams can rotate the passwords.
Lastly, we see that customers have trouble tracking devices’ end of life in order to plan ahead and upgrade and replace as needed. The manufacturer does sometimes discontinue support after a published date, which can present maintenance and compatibility problems. Whichever the case, it’s important to understand what that means for your specific device fleets so you can respond effectively. Outdated equipment can introduce vulnerabilities into your IoT device ecosystem. The cost of keeping unsupported, outdated devices could outweigh the cost of discard-and-replace depending on the situation.
What misconceptions surrounding IoT devices do you notice most often?
The first is that IoT is a thing of the future and science fiction movies. IoT is all around us. They power things you don’t even think about, from your smartwatch to your fridge. The IoT has already happened, and it’s growing and maturing.
I also think people have a limited scope for IoT. Most think of things like “smart cities” given there was a lot of hype behind that years ago. Yes, there are many devices that effectively connect cities and bring infrastructure online – not dissimilar to what we do for companies when we give visibility into their devices.
Also, businesses haven’t seen the real potential of IoT, which is the data that it generates. That stream of information will be a game-changer in many ways, not to mention a source of revenue. If 100 million cars are feeding back data on speed, location, weather, lighting, etc. – what could we learn about preventing traffic accidents? We think of devices rather than their data output, and that’s a profound misconception.
In your opinion, what cybersecurity threats are going to emerge in 2022?
It’s very difficult to predict what the future holds given the nature of cybersecurity. You just never know when a malicious actor is going to affect a breach and from where. There is a sense of unease given the Russia-Ukraine conflict; a feeling that the worst is yet to come, precisely when we let our guard down.
But there is so much awareness around cybersecurity that most governments and organizations are ready for just about anything. This is not always the case with IoT security.
The biggest challenge in IoT is that many devices are left operationally unmanaged and don’t have much built-in security, making them a concentrated target for sophisticated threat actors.
What security tools should organizations and individuals have in place to combat these new threats?
Operations teams need good security hygiene, certainly, and the only practical way to accomplish that is through automation. It’s crucial to have complete and current visibility of your connected devices and be able to detect abnormal responses and behavior. There have been scenarios in corporations and hospitals where IT teams are racing on foot to yank power cords and cables out to stop an attack from spreading – the point being that fast detection is crucial to contain the damage.
Automation is the key to making sure that every device has properly updated firmware and that default passwords are changed upon deployment and updated on a regular basis.
Would you like to share what’s next for SecuriThings?
As a platform upon which organizations rely for the maintenance and security of all their IoTs, we always focus on keeping pace with the expanding range of new devices as they come to market. That may involve working with more partners, including manufacturers of devices, certainly strengthening the ecosystem focused on IoT security. We’re going to be looking for more ways to provide full visibility of IoT devices and boost their security - we do that every day.