I have been sandboxed. That phrase was taught to me after I put in a request to interview Nick Espinosa to give readers a better understanding of what should be embedded in their management of technology to stay on top of security. Understanding the cyber threats associated with the Internet of Things (IoT) gives enterprises an opportunity to improve their protocols and avoid product malfunctions. It is also an area that became federally regulated with the passing of the Internet of Things (IoT) Cybersecurity Improvement Act of 2020.
At the appointed time for our video call, Espinosa had yet to accept the invitation, leaving me to wonder if he would be joining. Little did I know he was actively making sure I was not a cyberthreat that was trying to infiltrate his system, hence the term “sandboxed.”
Sound paranoid? No, it’s just another day for most cybersecurity professionals, which Espinosa most certainly can understand. His official title is Chief Security Fanatic for his consulting firm Security Fanatics, which assists mid-sized to Fortune 100 firms and governments as well. He is an author and speaker and was chief spokesperson for the now-defunct Covid-19 Cyber Initiative, whose defined purpose was to provide the general public a place to turn for earlier awareness of cyberthreats, patterns, and information during a heightened time of fear.
When Espinosa casually used the term sandbox, I nodded knowingly because the phrase seemed legitimate enough, but wrote it down to research afterward. A quick internet search showed sandboxing to mean an isolated test box where his system could ensure my link had no malware embedded.
Cybersecurity has a relatively young life span to date, according to Espinosa, but has come to the forefront in the last 10 to 15 years, historically beginning with financial institutions, government, and large corporations. The public and other enterprises sat up and took notice in 2013 and 2014 when retail giants Target and Home Depot were attacked, risking their employees’ and customers’ data privacy. These were followed by attacks on Equifax in 2017 and on Marriott; the Marriott attack occurred in 2014 but wasn’t discovered until 2018.
“I don’t know if I can quantify what level of security we have achieved only to say based on security setting vs. privacy side (data mining), we have grown up really fast,” Espinosa said. “We’re essentially seeing the pitfalls of not having adequate security when housing others’ security.”
Cyberattacks on data and finances are one thing. When the IoT devices are medical devices, cyber threats become physical threats. Espinosa recalls a story involving a Bluetooth-capable pacemaker created by one of the largest healthcare manufacturers: in a demonstration setting, malware was shown to reach the device over Bluetooth, which would have caused an explosion if the pacemaker had been implanted.
Healthcare can be more vulnerable to a cyberattack because the industry may delay software updates out of concern that it will be hampered by federal regulations on software update approvals by the Food and Drug Administration.
“The problem with IoT products is they tend to be underdeveloped. Most IoT does not appear to have good lifecycles due to lack of updates and security and it’s a huge headache around the globe,” Espinosa said. “They can be weaponized to steal information. I know of one instance where a casino was hijacked using the IoT fish-tank thermometer. The device is like a ticker, showing stock numbers. The attackers weaponized the device to become a command-and-control center and attack the network. They can browse, download infections, or exfiltrate the database.”
Printers are another weakness because they tend to be left out of updates from IT departments big and small. During a client network assessment for a construction business, Espinosa found a weakness he had never run across before or since — an imported toaster that printed images on bread slices. The client was running an outdated, insecure Linux operating system.
“We were able to hijack through the toaster and convert it into a data exfiltration device to copy network data,” Espinosa said. “We were hired to do this and copied it into the cloud. It was the craziest thing we’ve ever seen. I have no idea where they got the toaster, but you need to consider cases like this.
“I’m sure there’s a penguin in Antarctica breaking into things from a laptop at this point,” Espinosa said. “Cybersecurity is separate from IT. It’s a universal problem and we need to build global herd immunity with good cyber hygiene.”
With cyber threats growing amid government sanctions on Russia, Espinosa said U.S.-based organizations should be on alert, especially in the areas of Industrial IoT (IIoT) and Industrial Control Systems (ICS). He also offers the following recommendations:
A next-gen firewall should be installed to run geoblocking and limit bandwidth on internet devices.
“If you’re U.S.-based and don’t need to be accessible to other countries, you should block all traffic and limit your area of attack. If there is no reason to be connected, you shouldn’t be.”
Enterprises should conduct cybersecurity assessments and follow recommendations from the Control Systems Integrator Association (CSIA).
“If you have all your IoT devices on the same network as your computers, servers, and users, you have a serious security problem on your hands.”
Investigate cyber insurance and attempt to quantify risk in both hard and soft dollars if the computers are offline and contingency plans need to be activated.
“This could be end-of-life for a business,” Espinosa said. “I’ve been in the boardroom where people are out of business. It’s heartbreaking.”