There are currently more Internet of Things (IoT) connections—such as cars, smart home devices, and industrial equipment—in the workplace than there are non-IoT connections, like computers, laptops, and smartphones. However, many people remain unaware of the risks associated with IoT devices and, as such, fail to secure them properly with regular patching and credential management. In fact, many security teams don’t even know how many IoT devices—as well as OT (operational technology) devices—there are in their environment.
But the fact is, when not secured, IoT devices can provide attackers with an easy route into a company’s data. With nothing more than a paper clip, a hacker can take over an IoT or OT device and use it as a base from which they can spread laterally through the network.
To find out more about the growing risk of IoT devices in the workplace and how businesses can combat that risk, we spoke to Chris Rouland, CEO of Phosphorus Cybersecurity. Phosphorus is a leading provider of enterprise IoT and OT security solutions, helping businesses to manage credential, firmware, and certificate updates across these often-overlooked devices to prevent them from being utilized in cyberattacks.
Our interview covered the Phosphorus Enterprise IoT Security Platform, the need for better IoT security in the workplace, and some of the biggest IoT offenders that businesses should be aware of.
Can you give us an overview of Phosphorus Cybersecurity’s IoT protection solution and who your typical customers are?
At Phosphorus Cybersecurity, we’re solving the problem of securing the Internet of Things. When we think about the endpoint market, there are about 5 billion computers with keyboards in the world. But that number is actually declining. There are 275 million fewer laptops being made this year than last year.
There are a lot of different numbers when it comes to how many IoT and OT devices there are in the world, but the middle of the road to high number is about 50 billion devices. That’s 10 times the number of computers with keyboards. And that illustrates the bigger picture of the edge moving out to IoT and OT, and computers with keyboards going away in the next 10 or 20 years.
I think of IoT devices as small computers. But we simply have not treated them like computers historically. And because of that, the security problem is enormous. Out of the millions of devices that we’re securing for our customers, 50% of those devices have default passwords. That’s crazy! Imagine if half of your computer servers had default passwords—it just wouldn’t happen! We also found that the average age of firmware on IoT is seven years. Imagine if the average Windows computer hadn’t had a patch in seven years.
So, although the stats paint a pretty dire picture, there’s still not a sense of urgency. We at Phosphorus want to change that.
We support almost 250 IoT vendors now—which includes the broader set of IoT, OT, and network devices. To do that, we procure the device or devices, understand them, and manage them in our laboratory. We instrument them and figure out how to discover them safely and accurately, then we manage their firmware, credentials, and certificates.
Despite the prevalence of them in the modern workplace, many people remain unaware of the risks associated with IoT devices. So, what are some of the biggest IoT offenders in the workplace, and how can an attacker use them to gain access to a corporate network?
That’s a great question, and I actually have a Top 10 list of the biggest offenders. The worst offenders, from a true vulnerability perspective, are cameras. Everyone has lots of cameras. They think about them as CCTV, but they’re not CCTV, they’re little Linux computers or little Macs. They just look like cameras.
And because of this, they don’t get patches, which means they have vulnerabilities that can be exploited. So, they’re often used in botnets, or for pivots, or to launch DDoS attacks.
Keep in mind that cameras and most other IoT devices have the ability to connect to the internet, but no one really uses it. But if not properly secured, it creates yet another vulnerability. They also have Bluetooth, and they have my favourite attack vector: the paperclip attack vector. Anyone with a paperclip can hack an IoT device by simply pushing the reset button and changing the passwords.
So, cameras are a good representative of everything else. Printers are another one that are generally not secure. They usually don’t have passwords on them, for example. And it’s sometimes hard to get excited about securing a printer, but there are a lot of them, and it’s true that valuable information does tend to come out of them. We have had customers reach out to us and say that their printers have been hacked, and ask if we could effectively secure all their printers for them.
Some of my favourite culprits, though, are KVM switches in the data centre. So, this is a bit of an oxymoron. KVM switches allow you to control multiple computers via one keyboard, mouse, and video, and they’re connected typically to between 64 and 128 actual servers. They’re kind of the last line of defense. Yet, KVM switches never have their passwords changed, and they’re very rarely updated or patched. Imagine that the thing controlling all of your servers is also running an unpatched version of firmware.
Another big risk is entropy in cybersecurity—we often see this concept of “drift”. For example, a computer might stop working because it had software that was written by thousands of people over years installed on it, and after a while it started to drift with entropy. The same occurs in IoT, so, if you have 30,000 Cisco phones, I know that 3000 of them have drifted and are out of compliance. They’ve somehow gone off of VLAN, they haven’t had the password changed—it’s things like that.
I look at the world, and there are little computers everywhere. When you walk into work, you go past the camera, through the turnstile, maybe up the elevator—all of these have some level of complexity, and they all need to be secured.
In recent years, the network perimeter has moved, with many employees working remotely at least part-time. How big is the risk to organizations of users having personal IoT devices in the home?
I think about this a lot, and believe we’ve got to take this one bite at a time. I think the bigger risks are the vulnerable devices that are actually in your office. If I were a CISO, I’d put those at the top of my priority list and address them first.
But another risk is the fact that your workforce is now probably more than 50% remote, so you’re going to inherit the vulnerabilities that exist on their network, wherever they may be—whether it’s a Starbucks, in their smart home, or in a cyber cafe. All of those are dirty environments.
When I started this company, we built our product as a consumer iPhone and Android app to secure the home. But we had to decide whether we wanted to focus on enterprise or consumer security first, and we chose enterprise. I still am planning on going back into that consumer space, but our priority is securing those devices in the enterprise, since those are the biggest risk.
How does Phosphorus Cybersecurity help organizations to protect against attacks on IoT devices?
So, I’ve been doing this my whole life and I’m very familiar with the patching market. And I found this white paper, which outlined a study of DDoS attacks from NETGEAR routers. They watched it for 14 years, and they extrapolated the half-life of the past seven years.
That’s why I started the company: someone else’s academic study extrapolated the hypothetical half-life by patching IoT, and I thought, “I’m going to solve this problem.” But it’s a hard problem to solve, because it’s a manual process to go through and manage these devices. They weren’t designed to be managed at scale. So, we had to build that infrastructure. It took us four years of coding to build, and on our journey to solve this patching problem we also realised the security risks of using poor passwords. So we decided to manage the patching and the passwords.
In around 2020, we were ready to actually do it. We’d start by saying, “Hey you liked our demo, so could you send us a list of all your enterprise IoT devices to get started?” And we’d get a response saying, “I don’t know what devices I have!”
At the time, we integrated with Tenable, Qualys, Rapid7, and Forescout, and we could get some of that information but not all of it. So, we realised then that we had to build an effective discovery element.
So, now we find all of the devices, we scan for the vulnerabilities, and then we remediate them by applying firmware patches and managing the credentials and certificates. We see those as the three biggest issues in IoT embedded devices—so, IoT, OT, and network devices. And our platform is fully automated. You just click a button and every Thing—every printer, every camera, every KVM switch—gets new passwords and any necessary patches.
We wanted to truly solve this problem, so we didn’t just write some scripts and stick a nice UI on it; it took a lot of hard engineering over several years to develop.
What would your final piece of advice be to organizations struggling to secure themselves against IoT threats?
I would just say, make sure you know what devices you have. Then work out your next steps to secure them. Do you change the passwords on those things? Do you patch those things? Do you know what they are? Do you have a plan to monitor them? If your answer is yes, and they’re all secure, then you’re in the top 1% and you’re doing a great job. If you answered any of those questions with “no”, then it’s something to think about.
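As an added illustration of that checklist and of the "drift" described earlier (example code written for this article, not Phosphorus's product or code): a small inventory drift check over a constructed device list that flags default credentials, stale firmware, devices that have wandered off their expected VLAN, and devices nobody is monitoring. The Device fields, the POLICY thresholds and the sample device names are assumptions.

```python
# Added example: inventory drift check for IoT/OT devices (not vendor code).
from dataclasses import dataclass
from datetime import date

@dataclass
class Device:
    name: str
    kind: str            # e.g. "camera", "printer", "kvm", "phone"
    vlan: str            # VLAN the device was actually observed on
    default_credentials: bool
    firmware_date: date  # release date of the firmware it is running
    monitored: bool      # whether it reports into logging/monitoring

# Hypothetical policy: expected VLAN per device class and a firmware age limit.
POLICY = {
    "expected_vlan": {"camera": "iot-cameras", "printer": "iot-printers",
                      "kvm": "mgmt", "phone": "voice"},
    "max_firmware_age_days": 365,
}

def check_device(dev: Device, today: date, policy: dict = POLICY) -> list[str]:
    """Return the compliance findings for one device (empty list = compliant)."""
    findings = []
    if dev.default_credentials:
        findings.append("default-credentials")
    if (today - dev.firmware_date).days > policy["max_firmware_age_days"]:
        findings.append("stale-firmware")
    expected = policy["expected_vlan"].get(dev.kind)
    if expected is not None and dev.vlan != expected:
        findings.append("vlan-drift")
    if not dev.monitored:
        findings.append("unmonitored")
    return findings

def drift_report(devices: list[Device], today: date, policy: dict = POLICY) -> dict:
    """Per-device findings plus a summary of how many devices have drifted."""
    per_device = {d.name: check_device(d, today, policy) for d in devices}
    drifted = [name for name, f in per_device.items() if f]
    return {"devices": per_device, "total": len(devices),
            "out_of_compliance": len(drifted), "drifted": drifted}

# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    Device("cam-lobby-01", "camera", "iot-cameras", True, date(2017, 3, 1), True),
    Device("prn-floor2-03", "printer", "iot-printers", False, date(2024, 1, 10), False),
    Device("kvm-dc-a", "kvm", "mgmt", False, date(2019, 6, 1), True),
    Device("phone-4f-112", "phone", "corp-data", False, date(2024, 2, 1), True),
    Device("phone-4f-113", "phone", "voice", False, date(2024, 2, 1), True),
]
```

Run `drift_report(SAMPLE_INVENTORY, date(2024, 6, 1))` to get the per-device findings; in practice the inventory would come from the discovery step rather than a hard-coded list.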
Thank you to Chris Rouland for taking part in this interview. You can find out more about Phosphorus Cybersecurity’s IoT security solutions via their website. Expert Insights provides leading research, reviews, and interviews to help organizations make the right IT purchasing decisions with confidence.