IoT Security Threats in Retail: How Do We Eliminate Them?
By Andrew Zola
The number of smart connected devices on the Internet, including cameras, machines, and sensors, has grown exponentially. According to the premier market research firm, International Data Corporation, by 2025, it’s estimated that we will have approximately 41.6 billion connected devices. That number includes the adoption of the Internet of Things (IoT) across industries and countries.
Driven by the emergence of 5G networks, these smart “things” together will generate a whopping 79.4 zettabytes of data (a figure that is expected to grow at an annual rate of 28.7% over the next five years). IoT in the retail market is forecasted to reach $94.44 billion through 2025. It makes a lot of sense as IoT is transforming and enhancing consumer retail experiences by improving self-checkout and in-store experiences, optimizing supply chain management logistics, and more. However, with so many cameras, GPS sensors, RFID tags, and other smart devices connected to the Internet, the industry’s exposure to risk is gigantic and growing in the current threat landscape.
This scenario is quite disconcerting when you consider the fact that data breaches in the retail sector are already the norm. So what can retailers do to combat potential IoT security threats in 2020 and beyond? Let’s take a look.
Think about Security from Ideation to Integration
Companies have long been guilty of deploying insecure IoT devices with vulnerable firmware. Last year, for example, security researchers in the Microsoft Threat Intelligence Center identified the infrastructure of a known adversary (or Russia) communicating with multiple external devices. In this scenario, a state actor was trying to compromise popular IoT devices at a variety of customer locations. These types of events aren’t initiated to compromise the smart device itself, but to use it as an entry into enterprise networks. The primary culprit here was technology professionals deploying devices with default (manufacturer) passwords. The secondary reason that made such an attack possible was the fact that the latest security update was not applied to the devices.
Once hackers access the network, for example, all it takes is a simple network scan to find other insecure devices. This approach helps them move across the network (undetected) to identify high-privileged accounts with high-value data. They would also have the privileges needed to run tcpdump to monitor network traffic on local subnets. When you integrate security into the design and development of retail networks, your exposure to risk is reduced (significantly). Beyond the hardware, even if you’re developing your own IoT apps, security should be a priority and not an afterthought. This is because any potential vulnerability could lead to a data breach.
However, this isn’t a permanent solution. As the threat evolves, so should your efforts to combat it.
Thoroughly Vet Third-Party Vendors
If your partners are not security conscious (and don’t share the same principles), vulnerable smart devices on their networks can act as a point of entry into your network. Such supply chain networks are standard in the industry and increase the attack surface significantly. For example, cybercriminals compromised a point-of-sale (POS) system, and remained embedded in it over a busy holiday period, siphoning customer credit card details. When the intrusion was identified, it came to light that the breach impacted as many as 41 million customers.
The root cause in this incident was an unlikely HVAC repair company that served as a third-party contractor with VPN access to the network. In this scenario, threat actors were able to gain entry by stealing the password of an employee (at the repair company) to install malware on the POS system. Retailers demand effective supply chain management protocols to function efficiently. So these types of partnerships can’t be avoided. But what you can do is thoroughly vet potential vendors before allowing access to your network.
Follow the supply chain (all the way) to the end to ensure that the vendor’s subcontractors also follow adequate cybersecurity best practices. But don’t stop there. IoT security will also demand background checks on employees across the supply chain.
Keep Internal Retail Networks Segmented
Since there’s no such thing as a foolproof security measure that can be adopted by retailers, it’s best to keep your network segmented. This approach will help minimize the damage caused by a security breach by limiting access to the network. The best way to go about this is to use firewalls and architect boundaries between networks. Whenever you do this, authorization and additional levels of authentication will be required to gain access. As retailers process credit card payments, it’ll be critical to create segmented high-security environments within enterprise networks.
Monitor IoT Networks in Real-Time
After segmenting the network, retailers need to determine what smart sensors and devices are on the network and block anonymous connections. Enforce rules based on what type of behavior is expected from the device. If it’s a smart thermometer, for example, only let it communicate information with a specific source. When it’s set up the right way, you can leverage artificial intelligence to monitor abnormal behavior on the network. If you took the time to map out all the “things” on the retail network, it would be easy to track and shut down the device that was potentially compromised.
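The inventory-plus-expected-behavior rule described above can be checked mechanically. The following is an added example, not part of the original article: a simple rule-based check (not the AI-driven monitoring the article mentions) that compares flow records against a device inventory. The MAC addresses, IP ranges, ports, and flow records are all constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed inventory: each known device lists the only (network, port)
# pairs it is expected to talk to. All values are illustrative assumptions.
INVENTORY = {
    "aa:bb:cc:00:00:01": {"type": "thermometer",
                          "allow": [("10.20.0.10/32", 8883)]},
    "aa:bb:cc:00:00:02": {"type": "camera",
                          "allow": [("10.20.0.20/32", 554),
                                    ("10.20.0.20/32", 443)]},
}

# Constructed flow records: (source MAC, destination IP, destination port).
FLOWS = [
    ("aa:bb:cc:00:00:01", "10.20.0.10", 8883),  # expected telemetry
    ("aa:bb:cc:00:00:01", "10.30.0.5", 445),    # thermometer reaching another segment
    ("aa:bb:cc:00:00:02", "10.20.0.20", 554),   # expected video stream
    ("de:ad:be:ef:00:99", "10.20.0.10", 8883),  # device missing from inventory
]

def check_flow(src_mac, dst_ip, dst_port, inventory=INVENTORY):
    """Return None for an expected flow, otherwise the reason it is flagged."""
    device = inventory.get(src_mac.lower())
    if device is None:
        return "unknown-device"          # anonymous connection: not inventoried
    try:
        dst = ip_address(dst_ip)
    except ValueError:
        return "policy-violation"        # unparseable destination is never allowed
    for net, port in device["allow"]:
        if port == dst_port and dst in ip_network(net):
            return None
    return "policy-violation"            # known device, unexpected behavior

def audit(flows, inventory=INVENTORY):
    """Return one alert per flow that falls outside the inventory policy."""
    alerts = []
    for src_mac, dst_ip, dst_port in flows:
        reason = check_flow(src_mac, dst_ip, dst_port, inventory)
        if reason:
            kind = inventory.get(src_mac.lower(), {}).get("type", "unknown")
            alerts.append({"mac": src_mac, "type": kind,
                           "dst": f"{dst_ip}:{dst_port}", "reason": reason})
    return alerts

def devices_to_isolate(alerts):
    """Unique source devices that should be tracked down and shut off."""
    return sorted({a["mac"] for a in alerts})

if __name__ == "__main__":
    for alert in audit(FLOWS):
        print(alert)
```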
Follow Security Best Practices
Keeping your store secure is an ongoing undertaking. So an annual cybersecurity and best practices workshop, for example, won’t suffice. You will have to revisit and reeducate everyone in the organization and evolve with security threats. Include IoT security in the entire organization’s security best practices. Even if the smart sensors and devices aren’t generating sensitive information, it’s best to encrypt that data. Make it mandatory to upgrade the firmware and change default passwords. At the same time, develop an inventory of the retail IoT network to get an in-depth picture of your risk exposure.
Sometimes manufacturers also embed backdoors to enable remote access. While this approach helps customer support, malicious actors will target them. So don’t purchase any new devices unless the manufacturer has addressed all known vulnerabilities. Going forward, with every new device on the market, you can expect to find new vulnerabilities. As a result, retailers need to be proactive to stay a step ahead of bad actors. The point here is to make it incredibly hard to breach.