Internet of Things (IoT) security refers to the practice of securing not only IoT devices but also the networks these devices utilize. IoT security aims to keep data confidential and maintain both user privacy and the policy compliance of IoT devices and supporting technology.
The Internet of Things has previously proven to be an attractive target for threat actors, as it is data rich, and the widening attack surface provides hackers with greater opportunities to cause devastation.
Also see: Containing Cyberattacks in IoT
Trends in IoT Security
Increasingly complex IoT environments
The average number of connected devices available to most households in the U.S. was 10 in 2020. Complex IoT environments are progressively becoming the norm. These environments are becoming more difficult to control and manage due to the increasingly elaborate web of interconnected functions.
Operational technology (OT) is already broadly implemented in industrial settings. However, such solutions shall require more data to make more informed decisions. To accomplish this, more meters and sensors will need to be employed.
As a result, the boundary between passive IoT and OT becomes blurrier and exposes the OT environment to more risk. The resulting security risk in the rising complexity of IoT implementations is the introduction of a multitude of new attack vectors for threat actors.
The IoT market has often faced market friction and a dilution of IoT security strategies due to a lack of global regulatory alignment. In addition to industries such as cellular connectivity already being heavily regulated, further regulations like the U.N.’s regulations on smart vehicles are emerging.
The U.S. and Europe have legislation in the works that seeks to regulate the ability to supply IoT by 2024. The current regulatory trajectory shows that regulation shall soon impact all IoT manufacturers, providers, and consumers.
The U.S. and Europe are working on initiatives that will be in alignment with the ETSI EN 303 645 standard. The European Commission adopted the Internet-Connected Radio Equipment and Wearable Radio Equipment initiative to strengthen the security of internet-connected devices through determining baseline criteria for IoT devices. And the National Institute of Standards and Technology (NIST) released a whitepaper titled Baseline Security Criteria for Consumer IoT Devices. These two instances highlight the need for consumer labeling as well as the cybersecurity hardening and testing that needs to be done.
Governments and regulatory bodies will also take greater action to regulate IoT security as consumers begin to demand greater security and the number of breaches continues to rise.
Also see: 7 Enterprise Networking Challenges
Collaboration and cooperation
IoT ecosystems are characterized by heterogeneous devices, connectivity, implementations, and foundations. As a result, effective IoT service delivery will be boosted by the collaboration between experts in the vast technologies and disciplines involved. This will not only yield more intricate and multifaceted solutions but also help to fight emerging IoT security challenges.
More technology decision-makers will be interested in improved industry collaboration as well as cross-market knowledge-sharing concerning IoT security. The need for increased collaboration and cooperation will continue to rise as the impact of emerging challenges brought about by new technology innovations becomes greater.
An increase in IoT devices means that the volume of generated data is rising. The questions surrounding this data revolve around its residency and privacy. However, even if data resides in the cloud, on the edge, or in data centers, all this data needs to be secured. Furthermore, the increase in edge devices means they also have to be governed and secured.
Also see: Best IoT Platforms for Device Management
Challenges of IoT Security
Risk exposure resulting from the growth of IoT devices
The increase in the number of IoT devices has been rapid as a result of enterprises employing several IoT solutions and implementations across a variety of apps.
As organizations continue to attempt to establish IoT initiatives across all their operations to enhance business performance and collaboration, they may end up unintentionally introducing connected devices into their networks. Employees connect their devices to these enterprise networks as manufacturers continue to build connectivity into an even larger scope of devices.
Having all these connected devices with access to enterprise networks raises the concerns of greater risk exposure. These devices have the greatest likelihood of introducing vulnerabilities to networks, as they lack proper and adequate security controls.
To prevent risks such as physical damage, data theft, and data and revenue loss, organizations can institute measures such as assessing and taking inventory of their IoT devices and carrying out device classification and protection.
Taking inventory of enterprise IoT devices ensures that enterprises are aware of all the devices connected to their networks. This allows enterprises to be fully informed when building and implementing policies and controls to lower the risk of unintended data breaches. Device classification and protection can guide enterprises to build the correct controls.
Using the IoT device inventory, enterprises can understand how devices are used, their business impact, vulnerabilities, and that more indicators to ensure security policies are applied effectively.
Lack of encryption
One of the most evident challenges of IoT security is the lack of encryption on regular transmissions. Failure to encrypt traffic exposes IoT devices to various types of man-in-the-middle attacks (MITM), which attackers often use to intercept credentials and can ultimately use to compromise enterprise networks. Risk is also involved with partially encrypted and wrongly configured data.
Organizations should ensure data susceptible to MITM attacks is sealed by the correct encryption when it is stored on IoT devices. They should assess and resolve device weaknesses as well as resolve poor device encryption and weak cryptographic algorithms to reduce the likelihood of interception.
Organizations can also use transport encryption and adopt standards such as TLS (Transport Layer Security). Additionally, they can use isolated networks to keep devices isolated and put in place private and secure communication.
Managing device updates
Carrying out updates as well as security patches to software or firmware on IoT gateways and devices is not a straightforward process. It involves tracking available updates and applying them concurrently across distributed environments defined by different devices that communicate using diverse networking protocols.
Additionally, wireless updates may be unsupported by many devices, or some devices may carry out updates with downtime. Legacy devices may lack updates or may end up being unsupported by their manufacturers.
To deal with these issues, enterprises develop device management strategies or use device management systems that automatically keep track of these devices and roll out the required updates. These systems should also highlight which devices are unsupported and vulnerable as well as which of them should be retired. Enterprises should also ensure the devices they use are backward compatible.
As enterprise security professionals continue to realize the widening scope of security exposure due to IoT devices, they realize they may not have sufficient investment in enterprise IoT practices and solutions to effectively address increasing security challenges.
Enterprises will need to significantly update their security budgets to fund initiatives such as the deployment of agentless solutions and data classification and encryption practices. They also need to strike partnerships with solution providers to help overcome the challenges of navigating the complex and ever-changing IT environments and threats.
Low processing power
Since most IoT applications use little data, their battery life is extended while their costs are lowered. However, it may be difficult to conduct over-the-air updates for most of these IoT devices, leaving them unable to implement cybersecurity features such as end-to-end encryption, firewalls and malware scanners. As a result, these devices are more susceptible to being hacked.
An effective method of securing such IoT applications would be to ensure that the network has built-in – and constantly updated – security features.
Future Trends in IoT Security
As the global chip shortage is expected to carry on beyond 2022, its impact on almost all industries raises a concern that manufacturers may turn away from using components built on a foundational Root of Trust (RoT) to non-standard sources. This may result in manufacturers incorporating counterfeit chips with security vulnerabilities. They may also contain backdoors, which put customer assets at great risk of exploitation.
A rise in certification measures to display the security credentials of components to device manufacturers will enable these manufacturers to procure trusted components, thus mitigating the security risks born of non-standard chips. As many semiconductor companies have vowed to increase their production capacities, there will be a rise in the need for site certification to make sure these production facilities satisfy the security requirements.
Additionally, these certifications will need to be reusable to ensure they do not hinder the deployment and development of IoT. Such certifications will reduce the costs involving third-party evaluations and help defragment IoT security standards.
The adoption of IoT security will rise as negative factors resulting from the global chip shortage combine with greater awareness from consumers and more impactful action from governments and regulatory bodies to trigger this growth. Regulatory and consumer action toward greater IoT security standards will ultimately push organizations to take a more proactive approach to IoT security.