Internet of Things (IoT) basically encompasses a wide variety of technologies, vendors, and connectivity methods. While cameras, smart kitchen appliances and smart locks often come to mind, there are lot many more of IoT devices that are prevalent in all industries. IoT devices are finding great applications in enterprises of all types.
Deploying IoT devices is easy, but they brings their own security challenges. Because there is a lack of industry standards for IoT devices, they are usually inherently insecure in their nature.
At the end of 2019 there were 7.6 billion active IoT devices, a figure which will grow to 24.1 billion in 2030, a compound annual growth rate (CAGR) of 11%, according to new research published by Transforma Insights (2019).
Any cyber risk related to an IoT deployment requires a proactive approach with security built-in from the start. Not unlike any new technology that enables digital transformation, the goal for IoT should include strategies that align the technology with the company’s current cybersecurity systems and policies.
There is a great rush to develop the ‘functionality’ that is overlooking security issues of IoT devices. That’s why, despite the incredible number of IoT devices, most are unsecured. IoT devices provide an easy and attractive entry point for criminals seeking to enter an organization’s network. A $20 device can potentially open the doors for multi-million dollars breaches. Because securing IoT devices requires real-time authentication and authorization, complexity is escalated. It is providing opportunities for bad actors to carry out many types of attacks. Whether it’s man-in-the-middle attacks, leveraging stolen access credentials, spoofing or cloning, or encryption attacks targeting key algorithms, a hacker’s arsenal is well-stocked. Although IoT devices may seem too small or too specialized to be dangerous, there is real risk in what are really network-connected, general purpose computers that can be hijacked by attackers, resulting in problems beyond IoT security.
Once attackers have control, they can steal data, disrupt delivery of services or commit any other cybercrime they would do with a computer. Attacks that compromise IoT infrastructure inflict damage, not just with data breaches and unreliable operations, but also physical harm to the facilities or worse—to the humans operating or relying on those facilities.
1) First thing to remember is that IoT by default is new industry. Most manufacturers and designers of these devices do NOT prioritize the security during their product design and development phases. Their primary focus is only to get the products out quickly with functionality, even if it compromises the Infosec. Since no security solution is integrated from the very beginning, most IoT devices will remain exposed to cyber-threats. Compromising a device is far simpler than most people think.
2) Another big issues is the usages of default passwords. Sadly, the most common user-id/password combinations are support/support, admin/admin and default/default. For many devices, security is an after-thought. In my views, it is a cardinal sin. Default passwords often facilitate security breaches. Even if passwords are changed, they are usually not strong enough to block infiltration attempts.
3) One of the largest issue is that most IoT devices are resource-constrained and do not have the compute resources required to implement sturdy security solutions. Some devices, such as temperature and humidity sensors, are not designed to run with advanced security features.
4) Connecting legacy assets that are not inherently designed for IoT connectivity, is also a big challenge. Replacing such assets with connected technologies is expensive, so they are usually retrofitted with smart sensors. And because legacy assets have never really encountered modern security threats, the attack surface becomes even larger.
5) A lack of standardization also hurts IoT device security. While multiple IoT security frameworks exist, there is no universally agreed-upon framework. Variations in security frameworks doesn’t just impact IoT security, but also hinders inter-operability between them.
5) Many systems include support only for a specific timeframe. If additional support is not added in the form of updates, the security structure can collapse. And considering that many IoT devices remain on the network for years, it is difficult to add more layers of security periodically.
What Can You Do To Secure Your IoT Devices?
Here are some actionable IoT security tips for safeguarding IoT devices:
1. IoT security should be at the forefront of device development processes, whether it be a consumer device or industrial. Enabling security by default, designing for the latest operating systems and using secure hardware is critical. The more security measures built into the device from the outset, the more tamper-proof it will be.
2. If the device has default credentials, then users should modify them with a strong password, multi-factor authentication, or biometrics.
3. Active and sturdy software security measures must be implemented to secure devices connected to the IoT. For example
· Restrictions must be put in place on internet usage through connected devices. Usage could be restricted to only certain software features to prevent critical data leak.
· Sensitive programs should be blocked behind firewalls.
· Every connected device must be updated to the latest version of the software.
· Potential threats must be constantly monitored. Periodic security inspection must be performed. Security loopholes identified during such inspections must be immediately resolved.
1. Application performance indicator (API) security safeguards the integrity of the data that is sent from IoT devices to various back-end systems. It ensures that only authorized devices, developers and apps can communicate with the APIs. That’s why you must integrate API security with IoT devices.
2. Each device can be assigned a unique identifier, which will help understand and monitor the device’s behavior, its interaction with other devices and identify the proper security measures for that particular device. It will also help thwart identity spoofing attempts.
3. Making devices more ‘tamper-proof’ through hardened security helps thwart many IoT security attacks. This method assumes even more importance for devices that are usually used in harsh environments or where continuous physical monitoring of devices is not possible.
4. Use all the measures of Network Security to your IoT devices too.