The rapid proliferation of the Internet of Things (IoT) represents vast opportunities for the public sector. Connected devices and smart technology are pivotal to enhancing the efficiency and effectiveness of public sector organizations, from optimizing critical infrastructure management to transforming remote education and smart city initiatives.
However, as IoT innovation and adoption grow, so do the associated security risks. Security has often been an afterthought in the design of IoT devices, if a thought at all, and connected devices introduce new vulnerabilities and vectors for attack by the day, if not by the minute. Generative AI makes it even easier for threat actors to identify and exploit these vulnerabilities.
Today’s Internet of Things might as well be called the Internet of Threats. This became abundantly clear last year as malware attacks on IoT devices emerged as a fast-rising threat. In this blog post, we’ll explore the potential impact of IoT malware on the public sector — a story of innovation, risk, and the need for resilience. Learn how Zscaler addresses the unique challenges public sector organizations face in defending against IoT threats.
IoT malware makes presence known in 2023
Based on data from the world’s largest inline security cloud, the recently released ThreatLabz Enterprise IoT and OT Threat Report revealed a 400% year-over-year increase in IoT malware attacks across various industries.
The primary objective of IoT malware is to exploit the weaknesses and vulnerabilities inherent in IoT devices. These malware strains are designed to perform various malicious activities, such as gaining unauthorized access, stealing data, and establishing botnets to carry out large-scale attacks.
ThreatLabz researchers found that the notorious Mirai and Gafgyt malware families, known for turning devices into botnets, drove the majority of attacks (constituting 66% of blocked payloads). These families are a particularly formidable threat to the public sector — in the form of distributed denial-of-service (DDoS) attacks. For instance, threat actors can weaponize IoT botnets to execute DDoS attacks targeting essential services and government websites. The potential impact extends to national security, financial losses, reputational damage, and a heightened risk of data compromise.
Key considerations for the public sector
IoT malware is capable of causing considerable harm to government operations, critical infrastructure, and essential public services.
Here are a few more ThreatLabz research insights that public sector organizations should pay attention to; download this version of the report for the complete findings and analysis.
Two-thirds (66.7%) of malware attacks blocked by Zscaler were aimed at routers. Vulnerabilities in router firmware, weak passwords, and unpatched software serve as easy entry points for attackers looking to compromise these devices. This finding is a pertinent reminder for the public sector to remain vigilant regarding security threats associated with routers and other ubiquitous IoT devices. In September 2023, Chinese state-sponsored hackers strategically implanted modifying software in routers to obscure their activity and move laterally within the target network. The group’s focus has historically included government agencies and defense sectors, amongst other industries, in both the U.S. and East Asia.
The education sector experienced a staggering 961% increase in IoT malware attacks. Educational institutions are often deemed “soft targets” for cyber threats due to the substantial amount of personal data in their networks and the widespread use of unsecured IoT devices. Smart classrooms, online learning platforms, and connected devices create an expansive attack surface. It’s become imperative for educational institutions to prioritize cybersecurity measures.
ThreatLabz observed a year-over-year decline in IoT malware attacks aimed at government customers. Some financially motivated threat actors may have shifted their focus to lucrative targets that are less likely to provoke law enforcement action. However, motivations behind IoT malware attacks are diverse, and the government must remain vigilant as IoT adoption by agencies and contractors grows — and threat actors look for low-hanging fruit during this election year.
As we shift from understanding the risks to taking proactive measures, the public sector is poised to tackle the challenges of IoT malware head-on. The following strategies highlight the steps needed to fortify against the ever-growing threats in the evolving landscape of connected devices.
Extend zero trust to your IoT/OT
ThreatLabz research findings underscore the importance of the public sector prioritizing robust IoT/OT security measures to ensure the continuous operation of essential services and resilience against IoT malware.
Adding urgency to this imperative for U.S. federal agencies, the Office of Management and Budget (OMB) recently mandated that agencies inventory all IoT assets by the end of 2024, and stated that “many IoT devices constitute operational technology ‘OT’”. This means that agencies must gain a clear understanding of the devices connected to their networks in order to assess security risks effectively. The directive aims to enhance the overall security posture of the U.S. government and build resilience in the face of evolving cyber threats. It’s a reassuring acknowledgment of the serious risks associated with unknown, unsecured IoT/OT devices.
Extending zero trust security — where visibility is a foundational component — to IoT/OT devices is critical for minimizing risks across public sector operations, contractors, and suppliers. Zscaler ThreatLabz recommends that you:
Implement a zero trust security architecture: Eliminate implicit trust. Enforce segmentation with least-privileged access to ensure users and devices can access only what they need. Unsanctioned shadow IoT devices requiring internet access should undergo traffic inspection and, ideally, be blocked from corporate data via a proxy.
Maintain comprehensive visibility into IoT devices: Gain visibility into all IoT devices, including unmanaged devices, to understand your attack surface and interdependencies. Leverage a solution with AI/ML capabilities to automatically classify and identify device types based on activity and behavior, without the need to install or manage sensors.
Conclusion
This is just the start of understanding the delicate balance between innovation and security in IoT ecosystems. The global number of connected IoT devices is nearly 17 billion today and is expected to surpass 23 billion in the next three years. The threat landscape will only become more nuanced and complicated. Being informed and proactive is key to ensuring the security and continuity of essential public sector services.
Take the next step in securing your organization against IoT malware and gain actionable guidance to reduce risk and enable secure IoT and OT adoption. Download the ThreatLabz 2023 Enterprise IoT and OT Threat Report: Public Sector Insights for comprehensive insights, analysis, and best practices from Zscaler ThreatLabz. Empower your journey towards a safer, smarter, and more resilient public sector.
*** This is a Security Bloggers Network syndicated blog from Security Research | Blog Category Feed authored by Adam Ford. Read the original post at: https://www.zscaler.com/blogs/security-research/securing-public-sector-against-iot-malware-2024