IoT security explained

August 26, 2020  |  Mark Stone

This blog was written by a third-party author.

The Internet of Things (IoT) is a term used to describe a system of interconnected computing devices that use the internet to send and receive data without requiring human-to-computer or human-to-human coordination.

The world of IoT encompasses a wide variety of technologies, vendors, and connectivity methods. While cameras, smart kitchen appliances and smart locks often come to mind, IoT devices are prevalent in all industries.

IoT has broad applications across the enterprise and provides numerous benefits — including increased operational efficiencies, improved customer experiences, better business decisions, and keeping workers safe.

For the organization looking to adopt IoT to any degree, security challenges must be overcome using more than typical network security solutions alone. Given the inherently insecure nature of the IoT space due to the lack of industry standards, new security complications arise.

Any cyber risk related to an IoT deployment requires a proactive approach with security built-in from the start. Not unlike any new technology that enables digital transformation, the goal for IoT should include strategies that align the technology with the company’s current cybersecurity systems and policies.

What are the security vulnerabilities of IoT?

The use of IoT is expanding astronomically. According to research published in May 2020 by Transforma Insights, by the end of 2019, 7.6 billion IoT devices were active. By 2030, the number is expected to balloon to 24.1 billion.

The rush to meet the growing demand for IoT devices is causing functionality to be favored over security. Connected and unprotected devices are vulnerable to botnet and distributed denial-of-service (DDoS) type attacks.

Despite plans to adopt these devices in greater numbers, a Trustwave report notes that only 28 percent of organizations consider IoT-specific security strategies as “very important.”

Alan Mihalic, founder and president of the IoT Security Institute, says that despite the incredible number of IoT devices, most are unsecured.

“IoT devices provide an easy and attractive entry point for criminals seeking to enter an organization's network,” he said. “Moreover, their omnipresent nature provides access to opportunities never before possible within the technology environments; a presumably innocuous twenty-dollar IoT device can become the catalyst for a major cyber breach.”

The IoT attack surface

One look at the sheer number of possible devices in the production environment gives us a window into the magnitude of threat possibilities.

Because securing IoT devices requires real-time authentication and authorization, complexity is escalated — providing opportunities for bad actors to carry out many types of attacks. Whether it’s man-in-the-middle (MitM) attacks, leveraging stolen access credentials, spoofing or cloning, or encryption attacks targeting key algorithms, a hacker’s arsenal is well-stocked.

But at its most basic level, IoT security is not built in from the ground up. Compromising a device is far simpler than most people think. Sadly, the most common user ID/password combinations are support/support, admin/admin and default/default. For many devices, security is an afterthought.

The mere act of changing a device’s default password can go a long way toward a robust IoT solution.

How common are IoT attacks?

IoT attacks are frequent, and they’re escalating. In the first half of 2019, honeypots set by AV vendor Kaspersky detected approximately 105 million attacks launched from 276,000 IP addresses on IoT endpoints. Compared to the first six months of 2018, the attacks increased nine-fold, from 12 million the previous year.

Attack targets go far beyond the enterprise. Areas of increased attack include smart cities, critical infrastructure and Industry 4.0 environments.

According to Mihalic, IoT attacks will only be more common with a lack of adequate device patching and poor privileged access management. To mitigate this risk, he advises organizations to embark on cyber training to ensure key stakeholders can adequately secure these devices at the design and deployment stages.

What are the main IoT security technologies?

Breaking down the key areas of IoT security, there are five essential security controls to be aware of:

1. IoT network security

This is all about protecting and securing the network that connects IoT devices to the internet. The sheer number of devices, combined with the complexity of communication protocols, makes IoT network security a primary concern within IoT networks.

2. IoT authentication

This is the mechanism by which users authenticate to an IoT device, which may include multiple users on one device (such as a connected car). Mechanisms range from a static password or PIN to more robust authentication mechanisms like multi-factor authentication (MFA), biometrics, and digital certificates.

“It is a critical imperative that, within IoT environments, authentication methodologies be implemented that align access control technologies to the criticality of the service and/or data being accessed,” Mihalic said. “Often, this access extends beyond human authentication, and extends to machine-to-machine authentication.”

3. IoT encryption

The communication channels between edge devices and back-end systems require that encryption technologies are implemented across various IoT device hardware platforms. This way, data integrity is maintained and hackers trying to intercept data are thwarted.

4. IoT Public Key Infrastructure (PKI)

IoT PKI provides complete X.509 digital certificate, cryptographic key and life-cycle capabilities, including public/private key generation, distribution, management, and revocation.

With PKI, digital certificates can be securely loaded onto devices at the time of manufacturing. Not only that, but they can be activated at the point of development, providing a means for an effective PKI application across a large number of IoT devices at the critical stage of deployment.

5. IoT security analytics

Much like other analytics, IoT device data is collected, monitored, aggregated and normalized to provide actionable alerts and reports when abnormal activity is detected. Recently, analytics have leveraged more sophisticated AI, machine learning, and big data to help with predictive modeling and reduce false positives.

“These data analytics will provide valuable information that can be utilized by threat intelligence and cyber hunting services,” said Mihalic. “It is clear that to stand a chance against cyber-attacks against IoT services and devices, cybersecurity needs to adopt a proactive rather than reactive approach to securing IoT ecosystems.”
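The collect, normalize, aggregate and alert flow described under security analytics can be shown on a small scale. The following is an added example, not code from the article or from any vendor it mentions: it normalizes constructed honeypot login records from two hypothetical log formats, aggregates them per source address, and alerts on the default credential pairs named earlier in this article. The field names, the `spray_threshold` parameter and the sample addresses (documentation ranges) are assumptions.

```python
import json
import re
from collections import defaultdict

# Default pairs named in this article.
DEFAULT_PAIRS = {("support", "support"), ("admin", "admin"), ("default", "default")}
# Constructed sample records in two hypothetical formats (not real log data).
SAMPLE_LINES = [
    'ts=2020-08-01T10:00:01Z src=192.0.2.10 proto=telnet user=admin pass=admin ok=0',
    'ts=2020-08-01T10:00:02Z src=192.0.2.10 proto=telnet user=support pass=support ok=0',
    '{"time": "2020-08-01T10:00:03Z", "ip": "192.0.2.10", "service": "ssh", "username": "default", "password": "default", "success": false}',
    'ts=2020-08-01T10:05:00Z src=198.51.100.7 proto=ssh user=operator pass=x9!kQ ok=0',
    '{"time": "2020-08-01T10:06:00Z", "ip": "203.0.113.5", "service": "telnet", "username": "admin", "password": "admin", "success": true}',
    'garbage line that matches neither format',
]

KV_RE = re.compile(r'(\w+)=(\S+)')

def normalize(line):
    """Map either input format onto one event dict; return None if unparseable."""
    line = line.strip()
    if line.startswith("{"):
        try:
            r = json.loads(line)
            return {"src": r["ip"], "user": r["username"], "password": r["password"], "ok": bool(r["success"])}
        except (ValueError, KeyError):
            return None
    kv = dict(KV_RE.findall(line))
    if not {"src", "user", "pass", "ok"} <= set(kv):
        return None
    return {"src": kv["src"], "user": kv["user"], "password": kv["pass"], "ok": kv["ok"] == "1"}

def analyze(lines, spray_threshold=3):
    """Aggregate events per source and return a sorted list of (severity, src, reason)."""
    defaults_tried = defaultdict(set)
    alerts = set()
    for event in filter(None, map(normalize, lines)):
        pair = (event["user"], event["password"])
        if pair in DEFAULT_PAIRS:
            defaults_tried[event["src"]].add(pair)
            if event["ok"]:  # a device still accepts a factory default
                alerts.add(("critical", event["src"], "default credential accepted"))
    for src, pairs in defaults_tried.items():
        if len(pairs) >= spray_threshold:  # one source cycling through defaults
            alerts.add(("high", src, "default credential sweep"))
    return sorted(alerts)

if __name__ == "__main__":
    print(*analyze(SAMPLE_LINES), sep="\n")
```

Unparseable lines are dropped rather than raising, so one malformed record from a device does not stop the rest of the batch from being analyzed.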

How can you get started on securing your IoT environment?

IoT devices require end-to-end security that is adaptable to the various connectivity models and varied device types. AT&T recommends a multi-layered approach of protecting the data, application, network, and the endpoint layers with a threat management layer covering each of these components. While there is no prescribed best practice when it comes to securing IoT, AT&T Cybersecurity Consultants can provide your organization support by developing a customized security solution to fit your needs. AT&T can also help with this journey in making it safer for your business to innovate.
