Securing IoT Data Capture at its Source

By: Sophie Weaver

8 April 2019




Remember the days when workers would bring their own mobile devices to work that did not meet the organization’s guidelines, yet found a way to connect them anyway? While troublesome, most of the time these devices would set off an alert or notification from one of the multitude of tools available when someone attempted to acquire data through them.

What happens when devices only require your organization’s network for connectivity, to pass data through or accept commands? Do those attempting to access the IoT devices only access the IoT devices, or do they attempt to access other parts of the network now connected to the newly installed IoT device? Enter the new realm of Shadow IT, in which “off-the-shelf” IoT devices are connected to company networks at the request of businesses without understanding the risks or notifying those who govern the networks themselves: the IT professionals.

Break in via the Thermostat Backdoor

Back in July 2017, a casino in Atlantic City signed an agreement with a third-party fish tank maintenance company to manage its elaborate fish tank display. The maintenance company then convinced the casino that it could be more proactive in maintaining the fish tanks by using an IoT thermometer to remotely monitor and control tank environment settings. The fish tank thermometers were connected to the local network and to an outside web portal to enable management.

Casino fish tank IoT thermostats hacked

It did not take hackers long to exploit a vulnerability within the thermostats to gain access to the casino network, access the casino’s high roller database (an estimated 10GB of data) and transmit the data back through the thermostats out to the web. In cases like these, IT departments are usually blamed for the data leak even if they had very little or nothing to do with the actual rollout of the devices. Incidents like this are unfortunately becoming much more frequent, and IT teams need to be included in IoT planning to help address this.

Securing IoT to Predict Problems and Create Efficiencies

Data has become the new currency, and everyone wants access to it. Companies want to reap the benefits of understanding patterns found in that data to create efficiencies in operations, which can save an organization a great deal of money. Others may also want to capture your data with malicious intent.

Companies like Starbucks are looking to invest in IoT devices to be embedded in various coffee machines in each store so that they can predict potential problems before a machine requires a repair.  What would happen if that same coffee machine were attacked? That would cause a serious issue as each store’s coffee machine provides the majority of its daily revenue.

Microsoft is partnering with organizations like Starbucks to help them secure their IoT data capture.  Solutions such as Microsoft Azure Sphere, a secure high-level application platform with built-in communication and security features for internet-connected devices, enable companies to embed specific IoT devices to capture data securely. 

IoT enablement is an important component of a strong data pipeline that helps your organization achieve efficiencies and possibly save on operating costs. Security planning is also a crucial part of your company’s IoT enablement plan to ensure others do not gain access to your data.

Written by Anthony Bartolo on behalf of Microsoft.