Internet of Things (IoT) security is a growing concern for retailers. “IoT is one of the biggest trends in the market today,” said Itzik Feiglevitch, product manager for Check Point Software Technologies at the RSA Conference in May 2021. Huge numbers of devices are expected to be added in the coming years to company networks.
And while Feiglevitch said they’re great—they increase operational efficiency and move companies into the digital world—a retailer also needs to take into consideration that “all of those IoT devices are now part of our networks, and they bring with them lots of security risks.”
According to Check Point’s research, a typical enterprise of 5,000 employees could have as many as 20,000 IoT devices. “I know it seems like a huge number, but think of all the IP TVs, printers, surveillance cameras, or the sensors inside the buildings, the smart elevators, smart lighting—everything is connected to the enterprise network.”
IoT Uses in Retail
IoT sensors are increasingly being used in retail to enhance the customer experience, such as with smart mirrors and digital signage; for insight into customer preferences and behavior; and for loyalty and promotion—using sensors to identify the time and place of the customer to better target assistance or incentives. Connected sensors are being used for managing energy and detecting equipment problems, especially in grocery, and in warehouses and stores to optimize supply and fulfillment, as with RFID and smart shelves.
The global internet of things in retail market was valued at $31.99 billion in 2020 and is expected to expand at a compound annual growth rate of 26 percent from 2021 to 2028, according to market analysis by Grand View Research. “IoT is expected to revamp the retail industry, transforming traditional brick and mortar shops into advanced digital stores,” according to the report.
The surge in the number of interconnected devices in retail outlets and the decreasing prices of IoT sensors are expected to propel the growth. “Retailers’ commitment to IoT innovation is contributing to the growth of connected devices, including both RFID tags and beacons … and the proliferation of smartphones and the use of mobile applications are driving the retail software segment growth.”
Problematically, many IoT devices are unmanaged. “They are connected to our network, but we don’t have any way to control those devices, to view them, and define what those devices can and cannot do inside our network,” said Feiglevitch. “If we go and search for those devices inside our security management system, we will not find those devices.”
Most company-connected IoT devices are, in turn, connected to the wider internet—to allow vendors to deliver updates, for example. Attackers, using standard scanning tools, can find those devices. “They know what to look for,” said Feiglevitch, noting that there are even search tools to help them—“a Google for IoT hackers,” he said. A casual “Shodan” search will turn up nearly 300,000 surveillance cameras connected to the internet.
Once found, connecting to those devices, and hacking into them, tends to be “quite easy,” Feiglevitch warned. They often have no built-in Internet of Things security, run on legacy operating systems, have weak default passwords, and are difficult to patch. “Many don’t have basic security capabilities,” he said. “When many of those devices were developed, no one thought about that.”
By accessing a device, hackers can manipulate it—to view a camera, for example—or use it for crypto mining or as a bot in a botnet attack. A compromised device can also give hackers a backdoor into the network because of an insecure connection. “Users may not have the right knowledge about how to connect those devices,” said Feiglevitch. “They’re using the wrong protocols and insecure applications, so through those devices, hackers can get into the network.”
In exploitation tests, researchers have found it possible to create untold havoc, from taking over entire smart building systems to tricking medical devices into delivering incorrect doses of medicine. And while vendors typically issue patches, Feiglevitch says those often don’t get implemented. Legacy, insecure devices are ubiquitous, he warned.
Getting a Handle on Internet of Things Security
There are four pillars to address the risks that IoT devices pose to an organization’s network, according to Justin Sowder, a security architect for Check Point.
- IoT discovery and risk analysis. “Finding out what devices are out there, how much shadow IT is happening, and mapping out what we don’t know, is the first part—and getting as close as we can to an accurate representation of what’s in our environment.”
- Zero-trust segmentation. “Moving into some sort of zero-trust model where we are isolating devices from the rest of our network and from each other,” said Sowder.
- Internet of Things security threat prevention. “Aside from basic firewall prevention, we want to look at what we can do from a threat prevention side,” said Sowder. Organizations need to examine how they can keep the devices functioning in their designed roles while preventing traffic to things like command-and-control servers, he added.
- Detection and response. “Now that I know what my devices are, now that I have visibility into them, how do I detect those incidents, respond to them, and get the right people involved to take the right action with respect to those.”
In terms of solution design, Sowder advised that it should consist of three things: an IoT discovery engine; a solution that extracts information and ties it to security protocols; and a security gateway that enforces the security policies.
“This flow should be completely automated: from a new device being connected or an existing device being discovered, to this Internet of Things security management that will extrapolate relevant data and tags to your security policies, and then down to an enforcement point,” he said. It should be invisible to users, but discovery, protection, and enforcement in the security realm should nonetheless be happening, he said.
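The discovery-to-enforcement flow described above, sketched as an added example (not Check Point's product or code): discovered devices are tagged, tags map to a default-deny allowlist, and out-of-role traffic is denied. Device fingerprints, addresses, ports and role profiles are all constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed role profiles and fingerprint hints (assumptions, not vendor data).
ROLE_PROFILES = {
    "camera": [("10.20.0.10/32", 554)],   # video recorder only
    "signage": [("10.40.0.5/32", 443)],   # content server only
}
FINGERPRINT_TAGS = {"ipcam": "camera", "display": "signage"}

def classify(device):
    """Discovery: map a device to a role tag, or 'unclassified' if unknown."""
    hint = device["fingerprint"].lower()
    return next((t for n, t in FINGERPRINT_TAGS.items() if n in hint), "unclassified")

def build_policy(devices):
    """Segmentation: per-device allow rules; everything else is denied."""
    rules = []
    for dev in devices:
        for net, port in ROLE_PROFILES.get(classify(dev), []):
            rules.append((ip_address(dev["ip"]), ip_network(net), port))
    return rules

def enforce(rules, flow):
    """Enforcement point: allow in-role traffic; a deny is the alert signal."""
    src, dst = ip_address(flow["src"]), ip_address(flow["dst"])
    for rule_src, rule_net, rule_port in rules:
        if src == rule_src and dst in rule_net and flow["port"] == rule_port:
            return "allow"
    return "deny"

# Constructed discovery output and observed flows.
DEVICES = [
    {"ip": "10.50.1.11", "fingerprint": "AcmeIPCam/2.1"},
    {"ip": "10.50.1.12", "fingerprint": "LobbyDisplay-7"},
    {"ip": "10.50.1.99", "fingerprint": "unknown-embedded"},  # shadow IT
]
FLOWS = [
    {"src": "10.50.1.11", "dst": "10.20.0.10", "port": 554},   # camera to recorder
    {"src": "10.50.1.11", "dst": "10.50.1.12", "port": 23},    # device to device
    {"src": "10.50.1.12", "dst": "203.0.113.7", "port": 443},  # unexpected external host
    {"src": "10.50.1.99", "dst": "10.40.0.5", "port": 443},    # unclassified device
]

def run():
    rules = build_policy(DEVICES)
    return [(f["src"], f["dst"], f["port"], enforce(rules, f)) for f in FLOWS]

if __name__ == "__main__":
    print(*run(), sep="\n")
```

Because an unclassified device receives no allow rules, it is isolated the moment it is discovered, without a ticket or manual vetting step.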
An automated solution is preferable, he believes, to a slower, more heavy-handed cyber security approach in which all new devices are assigned a ticket and vetted and managed. “That only encourages shadow IT,” he warned.
The need for retailers to have a robust process for gaining control over IoT devices is only growing, as IoT devices proliferate and there is increasing reliance on field devices that communicate back to network data centers. That the infrastructure used to enable IoT devices is beyond the control of both the user and the IT department underscores that risk.
What’s Complicating Efforts to Gain Control?
Research indicates that some organizations fail to define exactly which leaders are in charge of assessing and mitigating risk. Experts suggest that retail organizations may want to consider appointing a Chief IoT Officer, since many projects lie outside the domain of a CIO and IT department.
“IoT isn’t an IT project. It’s a business project that uses IT,” noted one panelist at an IoT session at a LiveWorx tech conference. Another agreed, saying that IT security professionals should be prepared to share Internet of Things security responsibility with other divisions across the enterprise, including physical security teams.