The Internet of Things (IoT), also referred to as Cyber-Physical Systems (CPS) has exploded across all types of enterprises, promising greater efficiency, automation, and data-driven insights. From smart sensors monitoring factory floors to AI-powered cameras securing premises, these devices are transforming how businesses operate. However, this surge in connectivity, coupled with the increasing power of new CPS hardware, is creating a perfect storm for cyberattacks.
We’re no longer talking about simple, resource-constrained IoT devices. Today, we see a new breed: devices equipped with powerful onboard neural processors (NPUs), advanced networking capabilities (like 5G and Wi-Fi 6), and custom memory solutions (that are more hackable). These advancements, while enabling incredible functionalities, are also significantly widening the CPS attack surface for businesses.
There are many reasons why these enhanced internal device capabilities have created a “Hacker’s Playground”. Here’s some of the key ones to be aware of:
Neural processors allow IoT devices to perform complex tasks, including machine learning and AI-driven analysis, directly at the edge. This power can be exploited by malicious actors to run sophisticated attacks locally, without needing to rely on constant communication with external servers. You can easily imagine a compromised smart camera running facial recognition not for security, but for targeted phishing or physical intrusion. This local processing power also enables the device to more easily become a botnet node that can perform advanced attacks.
Advanced Networking: Faster, Further, More Vulnerable. Technologies like 5G and Wi-Fi 6 offer significantly faster data transfer speeds and lower latency, enabling seamless connectivity for CPS devices. However, these advancements also create new attack vectors. Increased bandwidth allows for quicker exfiltration of sensitive data and faster propagation of malware. Also, the more complex the network, the more potential vulnerabilities exist. The broad range of network protocols that these devices are using, increases the complexity of securing each device.
Custom Memory: A Data Goldmine. Custom memory solutions allow IoT devices to store and process larger volumes of data locally. This means that sensitive information, such as customer data, financial records, and proprietary algorithms, could be stored directly on the device. If compromised, these devices become a goldmine for cybercriminals, offering direct access to valuable data without needing to breach central servers. Furthermore, the more memory that is available, the more complex malware that can be stored on the device.
Disastrous Implications From Powerful CPS Devices
The real-world implications of more powerful CPS devices are already being seen with increased volume and velocity of many types of cyber attacks over the past year. Some of the specific attack vectors are:
Increased Botnet Activity: Powerful CPS devices can be easily recruited into botnets, launching distributed denial-of-service (DDoS) attacks with unprecedented scale and intensity. In 2024 there was an exponential growth in DDoS attacks.
Data Breaches: Compromised devices can expose sensitive data, leading to financial losses, reputational damage, and regulatory penalties. This is especially critical because of the types of data that CPS systems are involved in, such as video, access, building, and manufacturing data.
Supply Chain Attacks: Vulnerable IoT devices can be used as entry points for supply chain attacks, compromising entire networks and disrupting critical operations.
Physical Security Risks: Smart cameras and access control systems can be manipulated to grant unauthorized access to physical premises, posing a significant threat to safety and security.
Espionage: Advanced microphones and cameras can be used for corporate espionage.
Protecting Your Business Comes Down to Being Great at Cyber Hygiene Basics
To mitigate these risks, businesses must adopt a proactive and layered approach to CPS security that involves automation to address the scale of CPS devices and applications within the enterprise. Viakoo is the leader in CPS discovery and remediation, and the best practices we see our customers using to reduce corporate risk include:
1. Use Automation to Patch and Update Device Firmware: Ensure that all IoT devices are running the latest firmware and security patches – and use automated firmware updating methods to address the speed and scale of these updates. Viakoo’s Lifecycle Management feature looks at reported vulnerabilities present within the devices, key dates for support, and latest firmware versions. Viakoo’s Device Firmware Manager (DFM) leverages that lifecycle data to schedule firmware updates at scale.
2. Network Segmentation: Isolate IoT devices from critical business networks to limit the impact of a potential breach. Using an advanced asset discovery solution such as Viakoo’s Direct Query Manager (DQM) can show you all CPS devices and applications operating within each network segment.
3. Device Hardening: Disable unnecessary services and ports, and configure devices with strong security settings.
4. Implement Strong Password Authentication and Authorization: Use robust passwords, multi-factor authentication, and role-based access control. Viakoo’s Device Password Manager (DPM) allows you to schedule and automate password rotations that meet your corporate infosec policies.
5. Zero Trust Architecture: Implement a zero trust security model, assuming that no device or user can be trusted by default. Viakoo’s Device Certificate Manager (DCM) gives you a single pane of glass to see all device certificate status, and to schedule certificate deployments and rotations.
6. Supply Chain Security: Conduct thorough security assessments of IoT vendors and ensure that they adhere to industry best practices. Work with your procurement team to make your vendor security requirements a part of onboarding new devices.
7. Educate Employees: Train employees on the importance of IoT security and how to identify and report potential threats. Use events like October’s National Cybersecurity Awareness Month to focus employees on CPS security.
The rise of powerful CPS and IoT devices presents both immense opportunities and significant challenges. By understanding the risks and implementing robust security measures, businesses can harness the power and profitability of IoT while minimizing their exposure to cyberattacks. It’s no longer a matter of “if” but “when” a sophisticated IoT attack will occur. Preparation is key. Viakoo is here to help.
