How Much Awareness Did #NCSAM Raise on IoT Security?

Over the past month, we have taken a sharper focus on connected devices and the Internet of Things, as National Cybersecurity Awareness Month has pushed the issue of the safety and security of these devices under the spotlight.

Now we are in the final week, it is important to not only look at the success of the month, but also what the future of IoT really looks like. Infosecurity contacted the Cybersecurity and Infrastructure Security Agency (CISA), who hold the responsibility for the awareness month, for their perspective on how it felt the campaign had gone.

Bradford Wilke, assistant director (a) of the stakeholder engagement division at CISA, said: “As I look back on Cybersecurity Awareness Month, I am energized by all of the momentum I have seen among CISA’s partners in spreading the message of Do Your Part, #BeCyberSmart.

“More so, the response to this year’s campaign has overwhelming told us that this message resounds loud and clear to the average American – that, now more than ever, Americans’ ever-increasing reliance on secure technology requires personal commitment and stewardship. I’m proud that as we see cyber-enable life come of age, citizens and the partners supporting them are embracing the collective responsibility that starts with one’s own actions.”

Of course the agency would be positive, and in my view, this has been one of the most notable awareness months in recent years. What about the view from industry, has this month succeeded in raising awareness in IoT? Adam Strange, global marketing director at Boldon James, believes we have seen “a concerted and collaborative effort from governments and industries to raise awareness about various cybersecurity issues, inclusive of IoT, and to educate members of the public so that they can do more to keep themselves safe online,” but he believes a lot more still needs to be done.

He praised the work of the National Institute of Standards and Technology (NIST) in its active communications with the public, in a bid to develop useful IoT cybersecurity guidance.

On the other hand, Greg Foss, senior threat researcher at VMware Carbon Black, said he did not feel the focus on cybersecurity over the month of October raises much awareness for IoT, due to the fact that many people don’t consider the risk of these types of devices.

“They are thinking of more common risks and scams, such as phishing and social engineering in general,” he said. “Granted many of the more technical individuals will equate IoT devices with their inherent risk, but this just isn’t something I feel that a majority of the general population considers. When hooking some new lights up to their home ZigBee network, they aren’t considering how the fact that they can manage their lights from anywhere in the world could be opening up their whole home network to potential attack.”

Foss said that while IoT is definitely a growing and pivotal component of the home network, it’s often overlooked as a security risk. Strange also said that it is critical that we do not get to the 31st October, and stop these lines of communication until October 2021.

“The dialogue should be ongoing because as the number of IoT devices increase from security cameras, smart TVs, home assistants like Amazon Echo, doorbells like Google Nest, and smart refrigerators to name but a few, so do the opportunities for the adversary to compromise these devices and use them to perpetuate attacks,” he said. 

"It is critical that we do not get to the 31st October, and stop these lines of communication until October 2021"

The other side of the debate, is if this will push for a more secure IoT in the future? As the theme of this week has been the future of connected devices, do those people we spoke to really believe this month’s campaign could actually ensure a better build of IoT products going forward?

Foss believes IoT will inherently become more secure as time progresses, simply due to the necessity of creating secure and simple devices for the home network. “Undoubtedly there will be attacks that affect these devices in such a way that the issue of the security of these devices raises to the general public’s attention and necessitates a large-scale response,” he said. “Be this through regulation, governance, or otherwise, these devices will become more secure over time as educated users will not be willing to purchase devices lacking adequate security controls.”

Adrian Taylor, regional vice president at A10 Networks, believes the issue lies with organizations, who may need more support around connecting and managing IoT devices on a secure home network. “Likewise, IoT device manufacturers need to adopt better security measures (such as not allowing default passwords to remain in place) to ensure their devices cannot be harvested for DDoS attacks,” he said.

He also believed anyone using IoT needs to be more mindful of ensuring they are following manufacturers’ recommendations for device security while ensuring network security. “In particular IoT device security has lagged behind owing to the proliferation of devices and this also needs to be addressed if we’re to have more secure IoT in the future.”

However, Strange took a more dim view of the future, saying that unless someone forces manufacturers to include security on the user devices, there will not be, as at the moment the drive seems to be functionality very much over protection.

“IoT devices have broadly been lacking in effective cybersecurity in my opinion since they were created, because no-one has really felt the need,” he said. “Regulators (if such a thing exists) do not seem interested and device protection does not seem to be high on the priority list when these products are developed.  Why would you need cybersecurity on a fridge or home heating system?  No-one seems to be considering the security angle, but the reality is that if it is networked it can be hacked and exploited.” 

He also made the point around the challenge of keeping IoT devices protected, and whether the consumer is responsible for updating the security on each device, or does that lie with the manufacturer?

Strange said: “Are we potentially faced with a never-ending cycle of security upgrades as we use more and more IoT devices? Despite the best efforts of initiatives like Cybersecurity Awareness Month consumers are not yet educated to be able to do this properly. End result - poor overall security enforcement and a hacker’s paradise.”

As the month draws to a close, we can look forward to future awareness initiatives, and hope they also find some way to draw the public’s attention. Until then, October is over and we can only hope there has been some impact.

What’s Hot on Infosecurity Magazine?