Internet of Things (IoT) security is a growing concern for retailers. “IoT is one of the biggest trends in the market today,” said Itzik Feiglevitch, product manager for Check Point Software Technologies at the RSA Conference in May 2021. A large number of devices are expected to be added to company networks in the coming years.
And while Feiglevitch said they’re great (they increase operational efficiency and bring businesses into the digital world), a retailer should also keep in mind that “all those IoT devices are now part of our networks and they bring with them a lot of security risks.”
According to Check Point research, a typical company with 5,000 employees could have as many as 20,000 IoT devices. “I know that sounds like a lot, but think of all the IP TVs, printers, surveillance cameras or sensors inside buildings, smart elevators, smart lighting – it’s all connected to the corporate network.”
IoT uses in retail
IoT sensors are increasingly used in retail to enhance the customer experience, such as with smart mirrors and digital signage; to know the preferences and behavior of customers; and for loyalty and promotion, using sensors to identify the customer’s time and place to better target attendance or incentives. Connected sensors are used to manage power and detect equipment problems, especially in grocery stores, and in warehouses and stores to optimize supply and compliance, such as with RFID and smart shelves.
The global internet of things in retail was valued at $31.99 billion in 2020 and is expected to expand at a compound annual growth rate of 26 percent from 2021 to 2028, according to market analysis by Great view research. “IoT is expected to reshape the retail industry, transforming traditional physical stores into advanced digital stores,” according to the report.
The increase in the number of interconnected devices at the point of sale and the decrease in the prices of IoT sensors are expected to drive growth. “Retailers’ commitment to IoT innovation is contributing to the growth of connected devices, including RFID tags and beacons…and the proliferation of smartphones and the use of mobile apps are driving the growth of the retail software segment.” “.
Problematically, many IoT devices are unmanaged. “They’re connected to our network, but we don’t have any way to control those devices, see them, and define what those devices can and can’t do within our network,” Feiglevitch said. “If we look for those devices within our security management system, we won’t find them.”
Most of the IoT devices connected to the company are, in turn, connected to the Internet in general, to allow providers to deliver updates, for example. Attackers, using standard scanning tools, can find those devices. “They know what to look for,” Feiglevitch said, noting that there are even search tools to help them — “a Google for IoT hackers,” he said. A casual search for “Shodan” will return nearly 300,000 Internet-connected surveillance cameras.
Once found, connecting to and hacking into those devices tends to be “pretty easy,” Feiglevitch said. They often don’t have built-in Internet of Things security, run on legacy operating systems, have weak default passwords, and are difficult to patch. “Many don’t have basic security skills,” he said. “When a lot of those devices were developed, nobody thought about that.”
By accessing a device, hackers can manipulate it (to view a camera, for example) or use it for crypto mining or as a bot for a botnet attack. It can also provide hackers with a back door into the network due to an insecure connection. “Users may not have the proper knowledge on how to connect those devices,” Feiglevitch said. “They are using the wrong protocols and insecure applications, so through those devices hackers can get into the network.”
In exploit tests, researchers have found it’s possible to wreak untold havoc, from taking over entire smart building systems to tricking medical devices into administering incorrect doses of drugs, and while patches are often issued by vendors, Feiglevitch says that are often not implemented. Legacy and insecure devices are ubiquitous, she warned.
Get a handle on Internet of Things security
There are four pillars to address the risks that IoT devices pose to an organization’s network, according to Justin Sowder, security architect at Check Point.
- IoT discovery and risk analysis. “Finding out what devices exist, how much shadow IT is going on, and mapping out what we don’t know is the first part, and getting as close as possible to an accurate representation of what’s in our environment.”
- Zero trust segmentation. “Moving to a kind of zero-trust model where we’re isolating devices from the rest of our network and from each other,” Sowder said.
- Internet of Things Security Threat Prevention. “In addition to basic firewall prevention, we want to see what we can do from a threat prevention standpoint,” Sowder said. Organizations need to examine how they can keep devices running in their designated roles while avoiding traffic to things like command-and-control servers, she added.
- Detection and response. “Now that I know what my devices are, now that I have visibility into them, how do I spot those incidents, respond to them, and get the right people involved to take the right action on them?”
As for the design of the solution, Sowder advised that it should consist of three things: an IoT discovery engine; a solution that extracts information and links it to security protocols; and a security gateway that enforces security policies.
“This flow needs to be completely automated: from connecting a new device or discovering an existing device, to this Internet of Things security management that will extrapolate relevant data and labels to your security policies, and then to a point compliance,” he said. saying. It should be invisible to users, but security discovery, protection and enforcement should be happening, he said.
He believes an automated solution is preferable to a slower, heavy-handed cybersecurity approach where all new devices are ticketed, vetted and managed. “That only encourages shadow IT,” he warned.
The need for retailers to have a robust process in place to gain control of IoT devices only grows as IoT devices proliferate and reliance on field devices communicating with data centers increases. network. That the infrastructure used to enable IoT devices is out of the control of both the user and the IT department underscores that risk.
What is complicating efforts to gain control?
Research indicates that some organizations fail to define exactly who the leaders are in charge of assessing and mitigating risk. Experts suggest that retail organizations might consider appointing a Chief IoT Officer, as many projects fall outside the domain of a CIO and IT department.
“IoT is not an IT project. It’s a business project using IT,” said a panelist at an IoT session at a LiveWorx technology conference. Another agreed, saying IT security professionals should be prepared to share Internet of Things security responsibility with other divisions of the business, including physical security teams.