The Internet of Things (IoT) marks the dawn of a new era in data transfer. Every day, countless new devices join various network infrastructures, exchanging vast amounts of data, writes Ross Brewer, pictured, Vice President & Managing Director EMEA at the threat detection and cyber incident response product firm Graylog.
Over the next decade, we anticipate the number of IoT devices to soar to an eye-watering 207 billion, outnumbering the human population nearly tenfold.
The prospect of these devices communicating with one another to make human lives more seamless, seems like an exciting new adventure. Yet IoT devices are quite obviously becoming an area of vulnerability. According to data, the manufacturing industry was the top targeted sector for IoT malware attacks, accounting for 54.5 per cent of all attacks and averaged 6,000 weekly attacks.
The enactment of the Product Security and Telecommunications Infrastructure Act (PSTIA) by the UK Government comes at an opportune moment. The act requires manufacturers to take ownership when selling smart gadgets and apply stricter rules during the building phase. The legislation highlights the need for manufacturers to protect consumers and wider society by building security into the design of their products. To do this, manufacturers must be invested in the safety of their customers and go beyond merely checking legislative boxes to build cyber resilience.
Where are manufacturers going wrong?
This year has seen a surge of sophisticated supply chain attacks. In the first quarter of 2024, we witnessed an advanced threat actor that took advantage of a software package utilised by Linuxโ XZ project. This is not only significant due to XZโs widespread use in global systems but also because the attack has been active and running undetected since 2021.
Unfortunately, manufacturing standards are still lacking, corners are cut to keep the prices low at the expense of security, and there are difficulties in properly encrypting IoT devices. These obstacles collectively create vulnerable access points within interconnected supply chains, rendering them visible to hackers.
Cyber threats of this magnitude however, can disrupt the supply chain, leading to bottlenecks, delivery delays and financial loss. Damaging the long-term reputation of supply chain partners, and affecting business relationships. For this reason, cybersecurity is essential to maintaining operational integrity and it is up to manufacturers to take ownership of that.
The distinct digital environment of supply chains, characterised by complex networks and data exchanges, requires specialised cybersecurity measures to protect against emerging threats. APIs are a critically under-protected and under-monitored attack surface, making them a prime target for attackers and a significant risk in IoT deployment. Malicious actors can exploit zero-day vulnerabilities, weakness in authentication mechanisms and gateway protections to access the valuable information APIs carry. This includes personally identifiable information which can have real world consequences. But APIs are also required to communicate between devices, applications and systems.
The PTSIA is reminiscent of the recent EU Cyber Resilience Act (CRA) which represents a significant step in European cybersecurity policy. It aims to enhance the conditions around the development of secure products by taking a proactive approach to cybersecurity. Interestingly, the PSTIA goes beyond the manufacturer to extend onus to distributors, importers and marketers who all need to do their part to reinforce compliance standards throughout the supply chain. Essentially, the business of collecting data while neglecting security and privacy, is no longer going to cut it for manufacturers.
While both the PTSIA and CRA are considerable steps forward, manufacturers need to go beyond the minimum requirements on the fringe of legislation before truly affecting change.
Beyond the checkbox
Businesses should draw lessons from GDPR’s shortcomings to not treat the new laws as a simple compliance checkbox. Going through the motions of compliance isnโt going to cut it. There must be genuine security measures in place to tackle the growing threat from IoT deficiencies.
The GDPR aimed to enhance user privacy by reducing cookie tracking. However, instead of eliminating tracking, it has merely made users explicitly consent to it, compromising the browsing experience and costing companies millions. Businesses haven’t eliminated tracking; they’ve spent money to inform users about it. This allows companies to comply superficially with the regulation, addressing security measures in design, development, delivery, and support without fully tackling the issue.
It’s clear that manufacturers need to prioritise and deepen IoT security measures which means integrating robust authentication mechanismsโsuch as cryptographic keys, certificates, or biometric authenticationโto prevent unauthorised access to devices and functionalities. Establishing authentication protocols like role-based access controls during the IoT device design phase is always recommended. Additionally, maintaining up-to-date operating software is essential to address vulnerabilities and prevent zero-day exploits.
Given the increasing sophistication of threat actors, relying solely on perimeter defences is no longer sufficient. Manufacturers should leverage their access to user activity logs to monitor and identify malicious behaviour before it impacts the manufacturing environment. For instance, by tracking API calls, manufacturers can gain valuable insights into data movements within their networks, helping to prevent physical damage from compromised IoT devices. This proactive approach is essential for safeguarding the integrity and security of modern manufacturing operations. Going beyond the devices, manufacturers should also consider improving the security of their environments. The increased threat calls for a greater need to mitigate against suspicious activity. By correlating events across an IT environment, manufacturers can proactively detect threats early and then quickly investigate, respond to and mitigate incidents before they negatively impact the supply chain.
With that said, none of the above will come to fruition if creators continue to skirt around the edges of security. Letโs take the learnings from GDPR and apply them to the next generation of digital connectivity to avoid repeating history’s costly mistakes.
