7 Steps Every Hospitality Company Should Take to Secure IoT Devices
This article from DigiCert details security problems with IoT devices. Many do not provide adequate security today, so it closes with recommendations that any hospitality business can act on immediately.
The hospitality industry is embracing the Internet of Things (IoT) trend and installing more so-called smart devices in guest rooms and lobbies to create memorable guest experiences and improve customer service levels. But do smart devices like thermostats that automatically adjust the room temperature or alarm clocks that take room service orders also expose you and your guests to cyber attackers?
The short answer is “yes,” but there are steps you can take to harden your security posture.
All IoT devices use the public internet to communicate, and that increases the risk of a data breach exponentially. Mitigating that risk requires business owners and operators to adopt a “secure by default” approach to implementing these devices. What makes that challenging is the fact that any device that connects to the internet presents a risk. Most IoT devices were built without basic security principles in mind, such as device authentication, the ability to change default passwords, secure update methods and basic firewalls. Security is not always built in as a manufacturing requirement, and that opens the virtual door to cybercriminals who are always looking for entryways into the network.
What damage can they cause? They can install ransomware that blocks employees, guests and other legitimate users from accessing IoT devices or other IT systems until the company pays a ransom to the attacker. Attackers can also compromise devices by installing new firmware that turns them into remotely controlled bots. Suddenly sprinkler systems activate in a thunderstorm and room temperatures are turned up to 90 degrees in the summer. Seasonal resorts start getting high utility bills when no one is there.
Ruggero Contu, research director at Gartner, says the threat of IoT-based attacks is very real, pointing to research that found that nearly 20 percent of organizations with IoT networks have experienced at least one IoT-related attack.
The onus is on the hospitality industry and device manufacturers to shoulder the responsibility for securing all IoT devices they connect to their networks. Device manufacturers need to make “secure by design” an integral component of the design and development process. Hospitality owners and operators need to demand more secure devices, and take it upon themselves to enact security when it is lacking in the devices they deploy.
Correctly implemented, secure IoT deployments ensure that the basic security requirements for data confidentiality, integrity and availability are properly configured. This is where the incorporation of Public Key Infrastructure (PKI) using digital certificates plays such an important role in the development of a secure IoT device.
A PKI solution can help solve many of these issues for the manufacturers of these devices, much as PKI enabled the explosion of e-commerce on the Internet by giving users a way to share sensitive information over a connection to an authenticated party on the other end. A PKI framework supports the distribution of paired (one public and one private) encryption keys, enabling users and computers both to exchange data securely over networks such as the Internet and to verify the identity of the other party. In the same way, PKI can provide assurances for IoT devices and the people who use them. This makes PKI a perfect match for the exploding IoT sector, providing trust and control at scale and in a user-friendly way that traditional authentication methods like tokens and passwords cannot.
Digital certificates used for mutual authentication can authenticate users to devices behind the scenes with minimal-to-no user interaction. They enable safe authentication without the friction to the user experience that comes from user-initiated factors such as tokens and password policies. This protects all devices and networks from malicious actors, even if a data stream or data source were captured or compromised.
There are other steps you can take to secure IoT devices on your networks. For instance, Gartner advises companies to implement IoT endpoint security tools, such as those for asset discovery and management. It predicts organizations will spend roughly $370 million on endpoint security this year, and that number will surpass $630 million by 2021. Spending on products that secure IoT gateways will more than double from $186 million this year to $415 million in 2021.
But because so many IoT devices do not provide adequate security today, here are recommendations that any hospitality business can act on immediately:
- If it doesn’t need to be connected to the Internet, don’t connect it.
- Look for “mature” devices when sourcing solutions. Buy from vendors that have been in the market a while and not first-generation products.
- Change default passwords immediately.
- Regularly update the firmware/software on the device.
- Regularly inventory IoT devices on the property so you know what you have in case of product recalls or updates. Ensure IT is managing them.
- In case of compromise, disconnect devices from the network and notify authorities as soon as possible. Do not power down until authorities tell you to do so.
- Speak to an expert third party with deep experience in building and managing large-scale certificate-based authentication systems using PKI.
IoT devices create an expanded attack surface for the hospitality industry, one that most properties are either unaware of or unprepared for. Following the recommendations above will enable the industry to ensure the safety and security of IT systems, employees and customers. This will make for happy guests who are eager to leave glowing reviews.
Dean Coclin is Senior Director of Business Development for DigiCert. He has more than 30 years of business development and product management experience in cybersecurity, software and telecommunications. He is responsible for driving the company’s strategic alliances with IoT partners in the consumer security market, and with other technology partners.