The Internet of Things (IoT) has introduced enormous benefits. Yet it also has expanded and changed business and IT risks. Over the past few years, reports have surfaced about hijacked cameras, hacked medical devices, and compromised industrial control systems. As 5G takes hold and devices with embedded IoT capabilities appear, the problem is almost certain to worsen.
What makes the IoT so challenging is that it adds an additional layer of security atop existing protections. Because the IoT potentially touches everything within an enterprise — and outward to partners and supply chains — it involves firmware, operating systems, TCP/IP stacks, network design, data security tools, and much more.
Within this broad ecosystem, "Vulnerabilities are easier to overlook," says Merritt Maxim, vice president and research direct at Forrester.
It's no small concern. Identifying all the IoT devices within a network can be extraordinarily difficult. But that's not all.
"Many IoT devices weren't designed with security in mind. People deploying and setting up systems don't always have a great grasp of security, and the introduction of numerous devices from different manufacturers adds complexity," says Joe Nocera, who leads the Cyber and Privacy Innovation Institute at PwC.
Out of Controls
Any discussion about IoT security starts with a basic fact: The Internet of Things represents a fundamentally different security framework than conventional IT. Because many IoT devices lack a user interface, attacks often take place directly on a device — or they use a device to gain entry to an enterprise network. Maxim points out, too, that attacks often involve a different dynamic than ransomware and other attacks.
"The motivation is often to cause a broader scale of disruption," he says.
Indeed, attacks can lead to devices that can't be patched and repaired — or business disruption that may be politically or financially motivated. For example, In February, a hacker breached a water treatment plant in Florida through an industrial control system and attempted to tamper with water quality. Back in 2018, cyberthieves hacked a gambling casino in the UK through an Internet-connected thermometer in an aquarium located in the lobby. Thieves stole the casino's customer database.
A fundamental problem is that manufacturers frequently engineer their own firmware, protocols, and design standards — and they don't always do a good job of patching and maintaining systems. For example, many early IoT devices rely on older off-the-shelf versions of operating systems, such as Linux and Windows. Adding to the headache: Machinery and industrial control systems that were never designed to be part of a connected world are now part of the IoT.
Remarkably, 74% of firms surveyed by Ponemon Institute last June said their IoT risk management programs were failing to keep pace with the risks posed by the ubiquitous use of IoT devices.
The first step to building strong protection, PwC's Nocera says, is knowing what IoT devices are running on the network and what data they carry.
"Many firms have no idea," he says.
The challenge is compounded by the fact that some manufacturers use crypted names or codes that do not clearly identify devices. Nocera recommends assigning accountability to a group and conducting a thorough inventory to identify risk and potential failure points. In some cases, an organization may require a specialized asset management and discovery solution.
Establishing visibility and controls over the entire IoT landscape is paramount.
"An organization must have the ability to turn on and turn off groups of devices and configure them appropriately," Nocera explains.
With the right tools in place, it's possible to ensure that only essential services are active and running on a device but that old and unauthorized devices are switched off. Configuration management also address another problem: ensuring that devices aren't using default passwords and factory settings.
In fact, changing passwords regularly is essential, says Ulf Mattsson, chief security strategist at data security firm Protegrity. He also suggests using specific data protection tools such as tokens, data anonymization, multifactor authentication (MFA), and even biometric authentication. There's also typically a need for data encryption at rest and in motion, next-generation firewalls, and an intrusion prevention system (IPS). Keeping these systems updated and patched is critical, he says.
Network segmentation is another valuable tool, Nocera notes. It's important to isolate key systems, such as industrial controls and key enterprise applications, so that cyberattackers can't worm their way into a network through an IoT device.
For example, "If you're a shipping and logistics company, maybe the IoT devices used for fleet management don't have to talk to the IoT devices and other system used in a warehouse," he says. "That way, if devices wind up compromised, you only lose one warehouse rather than all your warehouses."
Playing IT Safe
A number of other strategies can aid in building a more resilient IoT framework. These include locking down cloud credentials that can be used to reconfigure devices, ensuring that an IoT network can't be modified through the malicious use of USB devices, disabling features that aren't being used, auditing IoT infrastructure on a regular basis and retiring unneeded devices, ensuring that malware protection is up to date, and replacing older and less secure devices. It's also important to pay attention to how 5G affects an IoT framework.
Maxim says it's also wise to look for newer IoT devices that use secure silicon and root of trust (RoT) technologies. This greatly reduces the odds that the device can be tampered with at the BIOS or operating system level. Still another area to keep an eye on is the growing use of connectors and application programming interfaces (APIs), which extend and sometimes mask device and data sources.
In the end, the best defense is a holistic approach that taps into a variety of solutions, tools, and strategies to ensure devices and data are locked down. Any IoT system or device should ultimately go through the same stringent review process as any enterprise application, and it should be subjected to strong security standards once it's deployed, Maxim says.
"The IoT presents new and sometimes greater risks that could disrupt business or potentially cause loss of life," he adds.