Last Updated on July 7, 2020
Many organizations struggle to identify what connected devices are on the network, where they’re physically located, what they’re connected to, and what firmware and/or software versions they’re running. Often all that’s known is an IP address. Meanwhile, any of these “invisible” devices can serve as an entry point for unauthorized access behind the firewall.
What makes the IoT security game so challenging it IoT tends to grow and change so quickly.
IDC currently estimates that the global IoT will explode to 41.6 billion devices generating 79.4 zettabytes (that’s 79.4 billion terabytes) by 2025. This expanding scale and complexity creates seemingly endless possible combinations of interactions among devices. Some IoT devices may be interacting with artificial intelligence (AI) and machine learning (ML) algorithms, making their behavior and communication patterns even harder to predict.
More IoT security issues stem from how fast data moves and where it goes within and beyond the IoT. In an instant, data can transfer from a connected device to the internet to a cloud-based system to a user’s mobile device. There could be vulnerabilities leading to data leaks or compliance violations anywhere along that dynamic data path.
What makes IoT security issues so difficult to get a grip on, let alone solve?
IoT devices are not your grandfather’s iPad. They communicate device-to-device without human or computer intervention. Designed to act on streams of data with no intervention, they’re often embedded in complex industrial control systems, medical devices or even weapons, and are sensor- and/or actuator-driven. Their fast-growing list of use cases span critical systems in our facilities, vehicles, homes… even our bodies. Small wonder there are no robust industry standards for connected device security.
All these IoT security issues add up to massively escalating risk.
The exploding scale and complexity of the globally interconnected IoT inevitably creates the potential for devastating breach impacts on critical IoT systems. Think multinational companies crippled, national economies toppled and/or widespread human suffering and death perpetrated. Hacks to date (with the largest Mirai botnets being prime examples) have approached this level.
How are organizations currently addressing their IoT security challenges? According to a commissioned study by Forrester, IoT is largely “unmanaged an unsecured.” For example:
- 67% of enterprises have experienced an IoT security incident
- Only 16% of enterprise security managers say they have adequate visibility to the IoT devices in their environments
- 84% of security professionals believe IoT devices are more vulnerable than computers
- 69% of enterprises have more IoT devices on their networks than computers
- 93% of enterprises are planning to increase their spending on security for IoT and unmanaged devices
So what’s the answer to these seemingly unsolvable IoT security issues?
Even with all that is unique and bewildering about IoT, basic “Security 101” best practices still apply. That means having a plan for inventorying, patching and decommissioning all your connected devices just like you would PCs and other conventional endpoints:
- Challenging as it may be, without a comprehensive asset inventory you’ll never be secure. You need to be able to confidently account for all your connected devices.
- When you connect new devices, you mustfollow best practices for securely configuring them. In particular, if the device ships with a known default password, that must be changed before connecting it—otherwise your network is a sitting duck.
- You need to be able to patch connected device firmware and software to eliminate known vulnerabilities that hackers will be looking to exploit. Granted, delivering and installing updates on IoT devices is one of the toughest IoT security challenges in and of itself. Never mind dealing with compatibility problems after the fact.
- Finally, when a manufacturer stops supporting a device, you need a plan for replacing it or implementing compensating security controls.
Another often overlooked best practice that applies to every company’s IoT security issues is risk management. The huge potential impact of IoT attacks demands that businesses analyze and address security and privacy risks throughout the IoT device lifecycle. If you don’t know the nature and level of your IoT risk exposures, how can you prioritize risk mitigation?
In our work helping clients secure their IoT, we have found that proven information security, privacy and application security frameworks offer significant value. These include ISO 27001, ISO 27701 and OWASP ASVS. Relevant IoT-specific guidance includes the OWASP IoT Top 10 Security Weaknesses, NIST 8259, California SB-327, ENISA and CIS.
Pivot Point Security has assessed physical, logical and application security of IoT environments in utilities, medical, pharmaceutical, food safety/supply chain, home/audio, automotive, IoT/Blockchain applications and more.
Contact us to share your IoT security challenges and discuss next steps.