Interested in the Internet of Things? This is how to use it safely

The growing network of internet-connected robots, switches, hubs and even refrigerators has given rise to a novel category of appliances which are largely referred to as the Internet of Things (IoT).

A Lynx robot with Amazon Alexa integration on display in Las Vegas. (photo credit: REUTERS)

The internet didn’t stop growing once it became the largest metaphysical entity known to mankind; now it’s manifesting itself around the world, physically, in an assortment of devices that are gradually taking up more space in our everyday lives. The growing network of internet-connected robots, switches, hubs and even refrigerators has given rise to a novel category of appliances which are largely referred to as the Internet of Things (IoT).

These IoT products fulfill a vast array of needs, from medical aid to environment control to vainly trying to understand what you meant when you said “play that one song from yesterday,” and as they occupy more space throughout the world, it has become increasingly apparent that keeping these devices secure is of the utmost importance.

Not only could a hacked thermostat lead to some sweaty nights, but it can also act as a weak point of entry that nefarious actors can use to bypass a network’s security, leading to vulnerabilities that could be catastrophic for anyone: businesses and consumers alike.

“In past years, many of us would say ‘we can't patch the network because if something goes wrong, we won't be able to recover quickly enough and it's going to cost the business too much money; therefore let's not update our network appliances.’ The whole world has changed now: if we don't update our network appliances, a bad actor can take full control of our network, and recovery from that is going to be 10x worse than recovering from a patch,” explained Curtis Simpson, the Chief Information Security Officer of Armis Security.

Curtis Simpson, CISO of Armis Security. (credit: ARMIS SECURITY)

Armis is an asset visibility and security company that provides the industry’s first unified asset intelligence platform designed to address the vulnerabilities presented by network-integrated applications and devices.

Simpson has been in the IT and cybersecurity industry for more than 20 years and is responsible for building and leading multiple world-class global cybersecurity and compliance programs within complex Fortune 100 operations.

In an interview with The Jerusalem Post, Simpson explained the potential danger of IoT security negligence, what the industry is doing to keep everything as safe as possible and best practices for consumers hoping to partake in the IoT zeitgeist without overexposing themselves to harm.

Stepping stones for ne'er-do-wells

“The general challenge, though, when you look at IoT isn't just IoT, it's the intersection of IoT, operational technology (OT) and information technology (IT). There is a serious difference between the pace at which we're deploying tech and the pace at which we can secure that tech,” he said.

“If you look at these types of devices as a bad actor, you look at them as stepping stones. It's not about having everything connected to the internet, it's about having something connected to the internet that's easy enough to break into. And then I’m able to hop to the other things that you haven't really secured well enough, such that I can get into them and then do whatever I need to through them,” Simpson said.

He noted that, because the IoT sector is so new, “In most cases, we don't know what normal looks like, therefore, we don't know what abnormal looks like. When a bad actor gets into an IoT device, often what they're doing is buying time, they're able to sit there and run reconnaissance activities across the rest of the larger landscape, look for the path to the destination, and then take that path when the time is right.” From there, they’re able to exfiltrate data, take full control of environments and execute ransoms.

How to be safe with IoT products

With that said, there are a few rules of thumb that one can keep in mind if they decide that the siren song of smart appliances is too much to resist. “One of the first questions I would ask is whether they have any expectation to access this thing over the internet versus just having it control their home. I say that because having things be internet-accessible or not makes such a massive difference in terms of your level of risk,” Simpson said.

“Nowadays there are a number of [smart] hubs out there that allow you to create a localized network, allowing all those smart things to communicate locally, without ever exposing themselves to the Internet.”

“The other thing is, look it up — if any governments around the world have specifically dictated that they're not buying equipment from certain manufacturers, you should also refrain from buying equipment from those manufacturers,” he advised. “If you want to be even more simplified than that, try to refrain from Chinese manufacturers entirely unless they're incredibly well known. It's about the reputation of the manufacturer, it's about the territory of the manufacturer and it's about understanding whether or not there are risks associated with that manufacturer.”

Armis leading the charge

Simpson elaborated on what Armis is doing to ensure that the future of IoT, for both businesses and consumers, remains secure and as risk-free as possible.

“We have a lot of different types of computers. We call these computers IoT, IT and OT, but they're computers, they have a CPU, or they've got a processor, they've got memory, they communicate on a network using network protocols. These things are computers, the difference is they're not multi-use devices, they're generally single-use or ‘isolated use’ devices,” he said.

Armis Security, he continued, was founded as a way to help people “understand every computer [they] have, what it is, why it exists, and whether or not [they] should care about it at any given moment, fundamentally establishing a zero-trust model for every type of device within a landscape.”

Armis is achieving that goal, protecting over 3 billion devices, 6 of the 10 largest hospitals in the US, 7 of the 10 largest food companies in the world and over 40 Fortune 100 companies.