IoT (Internet of Things) interconnected devices present incredible opportunities for businesses to expand connectivity, automate processes and gather real-time data to which they wouldn’t otherwise have access. On the flip side, these devices present unique challenges to cybersecurity. When these devices fail – or worse, get hacked – they can put an entire organization at risk.
What Is IoT?
The Internet of Things, or IoT, refers to physical objects that are connected with other systems over the internet, collecting and sharing data. Almost any object that can be connected to the internet to be controlled or exchange information, can become an IoT device. Many people are familiar with IoT through smartwatches, smart smoke detectors, thermostats, and common household appliances. In recent years IoT devices have become even more pervasive, especially in industries like health care and manufacturing. Many companies now rely on IoT devices for efficiency and to collect accurate data which they use to improve their operations.
In order to keep up with competition and demand, organizations must adopt the most up-to-date tech – which also means they have to understand and secure the vulnerabilities inherent in these devices by installing updates and patching regularly. Every object that connects to the internet is a new potential entry point through which bad actors can enter into a business network.
Risks and Exposures
IoT devices are extremely vulnerable to cyberattacks via internet connection, cloud platforms, infected firmware and flawed software applications used to interact with the devices. Once compromised, hackers can do a lot of damage. They can hold the data gathered hostage, as is common in a ransomware attack, or they can tamper with the physical devices themselves causing a devastating attack to both the business itself and the supply chain they potentially support. This could range from the relatively mild – adjusting the heat in a room through a smart thermometer – to the extreme, such as tampering with the pneumatic tube systems in hospitals that are used to deliver medication to patients, or even critical infrastructure takedowns. Because IoTs are internet facing and enhance the industrial interconnectedness, they can also potentially serve as an entry point for hackers to attack non-IoT systems by moving laterally into the main network.
IoT devices present a broad attack surface, making them difficult to manage. It is crucial for companies to regularly update their systems, causing many industries to essentially become tech companies in addition to their industry of operation. Health care organizations use IoT to monitor patients, power motorized arms for surgery and more. Manufacturers rely on IoT to gather performance data, and increase efficiency through robotic manufacturing and supply chain enhancements. Both industries by necessity devote the bulk of their resources to their daily operations and frequently lack the bandwidth to keep up with technological updates. As they further integrate IoT into their systems, businesses across industries expose themselves to increased risk of cyber-attacks.
In addition to the question of bandwidth, industries relying heavily on IoT also frequently face issues with Software Development Kits (SDKs). SDKs are sold by software companies to help integrate IoT devices to an organization’s network through and are popular among manufacturers. However, once they are sold, software companies no longer have an obligation or ability to patch or maintain the SDK due to the wide range of software development by the buyer. This creates issues for the manufacturers, which may not be able to keep up with necessary updates. SDKs are contributing to some of the highest rated vulnerabilities as identified by the Cybersecurity & Infrastructure Security Agency that bad actors could potentially exploit and compromise systems.
Impacted Coverage
Underwriters are more carefully scrutinizing the types of devices that insureds use and the protections around them. How do they connect to the internet? Can they be segmented or “air gapped” from the internet? What is the company policy for updates and patches and how successfully is that being achieved? They want to make sure that insureds’ IoT systems are protected from the organization’s main operating system, and above all, that organizations have a regular patching cadence for their IoT networks and devices. Without these measures, carriers are beginning to limit and even deny coverage. This is a natural consequence of an overall hard market, and of the rising prevalence of IoT related vulnerabilities.
The best way to prepare for cyber insurance policy renewals and to make sure your coverage is not impacted is to do your due diligence. Are you keeping up with vulnerabilities? How often do you update? Are you heightening security in the face of new threats? Have you looked closely into the vendors who are supplying these devices, and their own cybersecurity protocols? Underwriters will be asking all of these questions, so make sure you are putting in the time and research to protect yourself and your business.
Want to learn more?
Find me on LinkedIn, here.
Connect with the Risk Strategies Cyber Risk team at cyber@risk-strategies.com.
Email me directly at lgravel@risk-strategies.com.
