Internet of Things are devices that connect to the Internet. Some are sensors that collect telemetry data about their surroundings and relay it to a collecting device via a wired or wireless connection to the internet. Others not only monitor but also control the activity of the device they are attached to like an air conditioner or lights. Still, others provide information like the navigation system in a vehicle or a power reactor.
Gartner says organizations implementing IoT are increasingly focusing on the business outcomes of the technology. IoT initiatives are no longer driven by the sole purpose of internal operational improvement.
The bad news is that this expanding universe of applications of IoT in industrial, government, consumer and commercial is drawing the interest of cybercriminals recognising a burgeoning opportunity.
From the Mirai Botnet (aka Dyn Attack) of October 2016 to the discovery of hackable cardiac devices at St. Jude Medicals in 2019 to the hacking of a Bluetooth speaker that allowed the criminals to eavesdrop on a CFO’s private conversation, the threat is real, and it is now.
The why of IoT security
“The interconnection of IoT poses a significant challenge for organisations due to the serious security risks posed by unmonitored and unsecured devices connected to the network. The need to think about security on a daily basis has never been greater, especially given that the number of internet-connected devices is expected to grow at an exponential rate,” he added.
Bots: the who/what of IoT security
Sim said IoT botnets are a type of malware that commonly targets IoT devices. He explained that IoT devices that have been compromised by bots are frequently used as communication channels to other compromised devices in the network known as botnets. Unpatched vulnerabilities may also exist in routers to which the IoT devices are connected.
Citing ESET telemetry, Sim revealed that ESET scanned nearly 200,000 routers during the first four months of 2021 and discovered that over 2,200 of them had at least one known vulnerability. The most common type of router attack is distributed denial of service (DDoS).
DDoS attacks affect 70% of organisations polled on a monthly basis.
IoT security starts here
Echoing a security industry theme, Sim says cybersecurity is a shared responsibility.
From an IoT security perspective, he says the CISO has the responsibility to educate employees on cybersecurity awareness training.
Beyond regular training and continuous awareness, he suggests that when purchasing IoT devices, organisations should first select a well-known, dependable IoT device provider who is likely to be around in the long term. This ensures that the manufacturers will be able to provide patches and fixes to the IoT devices in the future in a timely manner.
“It is crucial that the IoT devices that they have selected are secure by design, with security being a key goal at all stages of product development and deployment,” he added.
The reality of IoT security
Sim acknowledges that not everything can be secured immediately!
“Given that there are so many IoT devices out there, it is unrealistic to consider the security design of every single IoT device, but businesses can look at cybersecurity infrastructure and techniques to reduce risk,” he opined.
He recommended adopting the Zero Trust security model requiring all users, both inside and outside of an organisation's network, to be authenticated, authorised and continuously validated for security, configuration and posture before being granted or maintaining access to application and data.
He also suggested network segmentation as a useful approach to isolating IoT devices from other network systems.
“A simple analogy I’d use is the current pandemic situation, where we enforce social distancing to minimise the spread of the Coronavirus,” he continued.
According to Gartner, utilities will be one of the highest users of IoT endpoints, totalling 1.37 billion endpoints in 2020.
“Electricity smart metering, both residential and commercial will boost the adoption of IoT among utilities,” said Peter Middleton, senior research director at Gartner. “Physical security, where building intruder detection and indoor surveillance use cases will drive volume, will be the second-largest user of IoT endpoints in 2020.”
Building automation, driven by connected lighting devices, will be the segment with the largest growth rate in 2020 (42%), followed by automotive and healthcare, which are forecast to grow 31% and 29% in 2020, respectively.
In healthcare, chronic condition monitoring will drive the most IoT endpoints, while in automotive, cars with embedded IoT connectivity will be supplemented by a range of add-on devices to accomplish specific tasks, such as fleet management.
Click on the PodChat player and listen to Sim describe the why and some options for securing the Internet of Things.
- Define security as it relates to the Internet of Things?
- What some of the most common vulnerabilities in IoT devices found in enterprises?
- Why is it important for organisations to pay attention to securing IoT devices?
- Who is responsible for securing IoT devices in an enterprise?
- What should organisations do to secure their IoT devices?
- Is it realistic to think that we can secure all the 50 billion IoT devices connected out there?
- It’s been said that remote work has accelerated IoT further. What is your advice to organisations today as regards securing known devices and protecting against the unsecured unknown?
- What should enterprises look for when it comes to security solutions to address IoT devices in the network?