IoT Usage: Exponential Growth, Exponential Risk?

The rapid increase in connected device (or IoT device) usage by commercial entities and consumers is changing the topography of the internet and corporate network attack surface. Connected devices have been designed to fulfill functional requirements (i.e. observe, control and maintain a piece of machinery remotely), but have often failed at incorporating security in their design. A classic example of this can be seen in in the Mirai botnet that hijacked unsecured IoT devices to power the strongest botnet ever seen and brought down the internet on the east coast in 2016.

As corporations expand their use of IoT devices, their attack surface is expanding as well. These internet-connected devices with lax security can be the weak point that allows an attacker to gain a foothold into the corporate network, or the devices themselves can be exploited to create physical events. In 2010, we saw a Siemen’s industrial control system (ICS) exploited by the Stuxnet virus to manipulate a centrifuge, and spoil years’ worth of product from a uranium enrichment facility in Iran.

Based on Cyence’s data collection of external facing systems, companies have substantially increased their deployment IoT/ICS devices. Cyence’s platform has detected a 155% overall increase in devices over the last year.

Although we have seen widespread adoption, certain industries are using IoT/ICS devices more than others. The highest usage was found by Utilities, Education, and Healthcare entities. This intuitively makes sense given common IoT/ICS device use cases that we see related to remote monitoring and remote operations. As the power grid, gas, and water systems in our society get smarter, we expect to see greater reliance on connected devices and detect more that are exposed to the open internet. Additionally, as medical equipment and devices are becoming increasingly connected, device security will become more important. Finally, our analysis suggests that education entity usage of IoT/ICS devices is likely coming from researchers working with these devices and exposing them to the internet either unwittingly or out of a lack of emphasis on security.

Given the explosion of consumer and commercial use cases for smart devices and systems, we expect to see these trends continue over the coming years. As this trend continues, securing connected devices will become critical to prevent their weaponization or use as an entry point into a network by bad actors.