IoT: With New Rewards Comes New Risks
Over the past five years, the marketplace has seen an explosion in the number of IoT (Internet of Things) devices being used not only personally but also professionally. From health monitors, smart coffee machines, to cars, the growth in the usage of these devices has gone from millions to billions, driven by a massive decrease in the cost of the technology and faster/low cost internet speeds. While these devices are leading to greater opportunities for real-time collection of data, improved integration, and low-maintenance operations, they also introduce significant security concerns. The addition of hundreds (or perhaps thousands) of new devices on secure networks introduces great risk, and a review on the part of IT professionals to determine how to manage the flood of these devices headed into hospitality operations will be necessary. We will discuss the business implications for the new world of IoT devices, what it means for the hospitality industry, and what precautions operators need to take in order to maximize the benefit without exposing the network, data, and the overall business at to an unacceptable security risk. The technology will soon be available in almost all major industrial appliances and devices – perhaps even in places that you as an operator are not aware of – so getting out in front of this and developing a strategy to deal with it is most prudent.
What is IoT (Internet of Things)?
For years, technology involved a human user interacting with a device; this is what enabled the user to perform certain tasks, collect certain information, or help with making decisions based on the data collected. It was a “supervised” loop of engagement that was initiated and terminated by the involvement of the user. While this provided value through greater clarity, accuracy, or efficiency, it was highly reliant on the engagement with the operator in order to work. IoT removes the reliance on an operator; it is now a “machine-to-machine” relationship that no longer runs in a supervised state, nor is reliant on someone to initiate or terminate its activity. This autonomous level of operation is perfect for the role that many of these devices serve today, which is passing information or collecting information. It can often be a basic and highly repetitive task, but in the right environment the benefits for these basic tasks can be very impactful.
In the restaurant environment, we are seeing more and more IoT devices in use, from video surveillance devices, to temperature sensors, smart ovens, or even beacons and other types of proximity sensors. These devices are in an “always-on” state, collecting data, receiving data, and either providing or collecting key information for upstream or downstream systems. The explosion in the number of these devices means better integration of the restaurant technology ecosystem, but not without some costs. For these devices to be effective, they need connectivity so that they can collect and send data or receive data for processing. They exist as an anonymous silent user on the network.
The growth and proliferation of equipment that is IoT capable has exploded, driven mostly by the economics. According to Juniper Networks, the price of an average IoT device has come down by a magnitude of 100 over the last five years, fueling the growth. According to GSMA, an organization that represents the interests of mobile operators worldwide, there are expected to be 26 billion connected devices by 2020. Simply stated, IoT devices will soon make up the majority of users on many networks and will have significant impact not only on how the network is designed and scaled, but how it is safeguarded.
IoT as a Network User
For them to operate effectively, many IoT devices are constantly communicating, either in sending data or receiving it. Accordingly, they place significant demands on the in-store network to function properly. Since they run un-regulated, and are always on, they require a stable Internet connection with little to no latency. Latency, in layman’s terms, means any form of Internet communication delay. An IoT device is looking for an immediate response to either its request for information or its sending of data, and it does not behave well when it needs to wait long. Many business applications are designed to allow a certain degree of latency, but IoT devices tend to be less accommodating. Accordingly, as IT managers are upgrading their store networks to support the inclusion of these devices they need to account not only for the extra bandwidth that these devices require but also the need for a low level of latency.
The second issue, and by far the more concerning, is that as an un-regulated and un-supervised user, these devices most often need access outside the store network to perform their intended task. This means they need to get through whatever security protocols are in place to operate. This can cause uneasiness on the part of the network administrator and justifiably so. As more and more devices in the restaurant are IoT enabled (think kitchen appliances to energy management and even probes and other sensors) the number of outbound and inbound connections through the firewall or other intrusion prevention means will increase. Every new device introduced increases the ability for a hacker to gain access to the store network and cause havoc to systems or data. Some operators will point to the fact that these devices are rarely involved with any critical financial functions or managing personal data and as such question whatever risk exists is minor. This is simply not true. Unfortunately, the damage can be quite disastrous as illustrated in the examples below.
In 2013, hackers gained access to Target’s system by accessing the company’s HVAC system. They were able to login to the system that the vendor used for electronic billing, contract submission, and project management to gain access to the Target network and place keylogging devices on many of the chain’s POS systems. The data collected was then sent to servers around the world collecting approximately 40 million debit and credit card accounts between November 27th and December 15, 2013. Avivah Litan, a fraud analyst with Gartner Inc., estimated at the time that Target could face losses of up to $420 million not including the effect on consumer confidence and public relations. Despite the fact that the HVAC system was clearly not involved in any way with personal information or payment data, the hackers used the “door” provided by this system to gain access to the most critical of information stored by Target. This case has caused many concerned network admins to segregate their networks so that payment and non-payment systems are kept apart without any co-mingling.
In June 2017, a coffee machine in a petrochemical plant in Europe took down the entire factory when hackers broke in through the device and planted ransomware on the network. The result of the action crippled the facility and forced management to pay hackers for them to resume control of their systems and return to normal operations. While it was not reported which ransomware affected their systems, experts surmise it was likely the notorious WannaCry ransomware, since the timing would agree with similar attacks on other facilities like Honda factories in Japan. This is the same software that was also credited with taking down all the traffic cameras in Victoria Australia.
While IoT devices are often accessed and compromised for criminal or financial gain, other times it is simply done for sport. Take for example a university who in 2017 had their network brought to its knees by over 5,000 IoT “bots” hammering the DNS (Domain Name Servers) inquiring about seafood-related searches. According to CSOonline.com, the university network was “attacked by its own vending machines, smart light bulbs & 5,000 IoT devices.” These incidents are classified as DoS attacks, or Denial of Service. This means is that the intruder sends instructions to the devices which in effect overwhelm the network with requests for information overloading the network traffic and causing major performance issues. This flooding of the network with superfluous requests is often mis-diagnosed early on as an equipment issue or in some cases organizations think it is a temporary peak in traffic, not realizing what is actually occurring. A DoS can often be a challenge to diagnose and resolve since IoT devices by nature are quite simple in their design and are rarely easy to diagnose across a large enterprise. Altman Vilandrie & Company, a strategy consulting firm that focuses exclusively on the telecom, media, technology and investor sectors, reported that 46% of companies experienced intrusions/breaches of IoT devices or networks in the past 3 years.
IoT Risk in the Restaurant Industry
While these devices present great access to data and will allow restaurant operators to make better real-time decisions, the industry as a whole is not always the most progressive as it relates to adopting new technology to address security and network risk. Some of the reasons are obvious: organizations are often made up of small businesses that have less sophisticated technology, and that do not have the finances to deploy and maintain a sophisticated and secure network. Additionally, in a franchised environment, franchisees are often left to their own to decide on restaurant-level technology with little or no oversight or guidance. This often leaves franchisees and other owner-operators in a position to make their own selections without the greater understanding of potential implications. Franchisors are often reluctant to mandate systems for fear that their franchisees will push back or challenge corporate decisions, but the reality in the emerging landscape of these new applications is that each new system not properly vetted out or certified inside the network poses a threat to any data contained inside the enterprise. More organizations will start rethinking the position and recognizing that there might be such a thing as a “benevolent dictatorship.”
IoT Risk Mitigation & PCI
In a recent survey conducted by Juniper Networks, participants were asked whether IoT introduced new security threats, and whether as a result of IoT they were changing the way they looked and intended to address security issues. Not surprisingly, 98.5% of those surveyed viewed IoT as a security threat, and 94% responded that it had changed their way of thinking about security issues. Whether it is as a result of the fact that these devices are difficult to maintain on an enterprise level, whether cannot be easily patched or updated, or any number of other application and functionality-related issues, they clearly are top-of-mind for many network administrators.
It is becoming quite clear that the proliferation of always-on un-supervised devices is going to require some attention and a formal process in place in order to keep them behaving properly. While there are enforcements in place to address the handling of payments (PCI) and even personal information (PII), the industry has not yet recognized the potential risks that these devices can bring. As is often the case, technology is moving quicker than legislation or enforcement, and as such there will need to be a great deal of industry self-policing and safeguarding until the industry catches up. In the meantime, there are some viable options on the horizon to try and help deal with these risks.
Blockchain & IoT Security
Industry experts have recognized the shortcomings of current network security schemes that fail to adequately address the growing number of IoT devices and the potential threats they can pose. Accordingly, many are looking to new and creative ways to resolve this dilemma, and as a result more and more experts are looking toward the new Blockchain technology as a potential solution to improve network security. In a Blockchain environment, no one location or user contains all the necessary information to access or hack data, as the information is widely distributed across a secure network of untrusted users. This distributed approach all but guarantees that network credentials and other key pieces of data cannot be located easily and used to access a network.
While this technology looks promising, there are some challenges that need to be addressed for it to be a completely viable solution. One such challenge is the aforementioned latency (or lack thereof) that IoT devices insist upon; Blockchain transactions tend to be very resource-consuming (requiring lots of devices and processing power to operate effectively) which not only means a lot of processing resource to operate but these transactions and their complexity lead to increased latency. IoT devices are typically designed to be very processing-efficient so they rarely possess the processing resources capable of supporting a Blockchain transaction, plus, as discussed earlier, IoT devices do not operate well in a heavily latent environment. For example, a temperature alarm requires a speedy delivery because corrective actions must occur immediately to avoid costly issues. In addition, Blockchain is highly effective with a limited number of transactions and utilize a large amount of bandwidth; this is contrary to IoT devices who process massive amounts of data and are normally engineered to function with minimal bandwidth requirements. Despite these current limitations, many companies are confident that Blockchain and the level of validation and security that it offers holds the key for the long-term securing of networks with IoT devices. Conclusion While IoT devices will provide insightful data and analytics to the industry, they will also introduce network security issues that have not yet been fully assessed and evaluated, As illustrated through hackers using HVAC, coffee and soda machines, and other benign systems to create intensive business interruption, these systems need the same attention in terms of patching, updating, inventorying, and managing as any other system. While operators point to the existence PCI DSS as a safety-net or a foundation for dealing with data security issues and applying best practices to remedy them, it is not a cure-all, and frankly does little if anything to address the new security risks introduced by IoT devices. As a technologist, or an operator who manages technology, there are several key action items and takeaways:
- Understand what devices are operating unattended on your system and have a plan in place to monitor them and their activity. Any unusual behavior of the devices or the network should be cause for immediate review and action.
- Understand where the data from these devices is stored, what data it is storing, and ultimately who owns and has access to this data. Ensure that the data it is storing is compliant with any privacy laws in that state or country, and that contracts with the device vendor clearly lay out data ownership and transferal of data in the event of contract termination
- IoT devices do not need to invoke a hysterical security reaction but rather a thoughtful approach to securing these devices on the network and a plan to monitor and update them as necessary; consult with your vendor partners to craft a plan to mitigate the security risks
- Recognize that technology is moving faster than regulation or legislation and that the private sector will be timelier in addressing the security concerns than any formal guidelines, so collaborate with industry peers to share ideas and best practices
- Challenge the IoT vendors to be part of the solution and provide the necessary precautions to securely co-exist on your networks. Work with those that recognize that application functionality extends beyond the native capabilities and includes safeguards to prevent unauthorized access to your critical systems.