What is IoT?
The Internet of Things, or IoT, refers to the billions of non-traditional computing devices that use the Internet to exchange data. These devices range from soil condition monitors, to Internet-connected refrigerators, to “smart” traffic lights. What they share in common is that they can monitor and/or control critical systems and have access to sensitive data.
What is IoT security?
IoT security is the proper asset inventory, visibility, and control of devices that are internet-connected to a system of computing devices, mechanical and digital machines, or objects that allow for the exchange or collection of data.
In some ways, IoT security mirrors the strategies associated with traditional network security, but the sensitivity of the data that IoT devices collect, and the systems they manage, means that the stakes of IoT security are greater. An IoT device that can shut down a power plant or collect video of a family inside its home demands greater security controls than a traditional PC or laptop.
How are IoT devices managed?
IoT security is especially challenging because IoT infrastructure consists of multiple layers, each of which must be secured. IT security teams must ensure that the software that runs on IoT devices themselves is free of vulnerabilities and is updated properly. They also must protect against vulnerabilities in the APIs that IoT devices use to communicate with each other in order. IoT networks, too, must be monitored for intrusions. Finally, the data that IoT devices collect must be stored securely, whether it is retained on the IoT devices itself, or offloaded to a data center.
It’s possible to centralize some of these security processes. For example, a security operations center (SOC) can manage IoT device identification and software updates. Other aspects of IoT security, however, such as testing APIs for vulnerabilities and ensuring that data is encrypted both at rest and in motion, require additional tools.
IoT management roles
The different responsibilities related to IoT device management generally map to different types of teams.
IT is responsible for device deployment and general management.
The security team focuses on managing vulnerabilities and designing IoT architectures to be resilient against attacks.
Device end-users, too, play a role in keeping devices updated, changing default access credentials and so on.
While this division of responsibilities for IoT device management is unavoidable in most situations, it adds to the complexity of IoT security, because it requires coordination between multiple stakeholders to ensure that best practices are followed and enforced.
IoT security challenges
IoT devices are subject to inherent security challenges and vulnerabilities that, as noted above, don’t always exist on conventional hardware.
“Shadow” IoT devices
One major IoT security challenge is the risk of “shadow” devices, or devices that are connected to an IoT network but are not authorized by or known to the network owner. Shadow devices could be added to the network by users who simply don’t know any better, such as an employee who brings an IoT temperature monitor into the office. Or, they could be deployed by malicious parties, such as attackers seeking to carry out industrial espionage via unsecured conference room phones or smart televisions.
A recent whitepaper, Rise of the Machines: 2020 Enterprise of Things Adoption and Risks Report, notes that a significant percentage (10%-15%) of devices in Ordr deployments are unknown or unauthorized. The most memorable instance of this was a Tesla connected to a hospital network; after some investigation, the security teams found that the Tesla belonged to a doctor who connected to the network from his car in the parking garage.
Lack of reliable software updates
Often, IoT devices are not properly updated to protect against new security vulnerabilities. First, IoT devices typically are small and deployed in remote locations. An organization may have thousands of IoT devices to manage, so it can be easy for organizations to deploy IoT devices and forget about them. Also, many IoT devices depend on users themselves to update the software, and many users don’t bother to do it, or don’t know they are supposed to do it.
Because exchanging data over the network via application programming interface (API) is part and parcel of what IoT devices do, vulnerabilities within the APIs are a major IoT security risk. If attackers find a flaw in an API, they can use it to intercept data via Man-in-the-Middle (MITM) attacks, or take control of devices in order to launch Distributed-Denial-of-Service (DDoS) attacks.
And because there is no universal IoT API—on the contrary, there are dozens of IoT APIs from different providers, and you can also write your own—there is no single set of API vulnerabilities to track. Security teams should be aware of all potential risks in all APIs that they use.
Many IoT devices ship with default passwords that give users access to the software environments inside the devices. If users don’t change these passwords—which many fail to do—attackers with lists of default IoT passwords can use them to gain unauthorized access to a device and its network.
Implementation of standards
Just as there is no single IoT API, there are no unified standards to govern the design of IoT devices, the types of software they run, or how they exchange data. Instead, there is a litany of competing approaches that evolve constantly along with IoT hardware and software.
From a security perspective, this makes it more difficult to secure IoT devices because there are so many variables at play. There is no single security strategy that can protect against all threats on all IoT devices or networks.
What industries are vulnerable to IoT security threats?
The IoT security threats described above apply to any company or individual who uses an IoT device. However, the risks are particularly great in certain industries due to the potential fallout from a breach, or the sensitivity of the data that IoT devices collect:
Healthcare: Internet of Medical Things (IoMT) devices collect personal health data and, in some cases, may even be implanted into human bodies. The harm caused by a security breach in this context could be enormous.
Hospitality: While 70 percent of hospitality companies have IoT initiatives, security risks posed by IoT are a top concern for them, due to the damage to their brands’ reputation that could result from an attack.
Government: When governments rely on IoT devices to collect data or control physical infrastructure—such as dams or highways—attackers may breach their IoT networks in order to access privileged information or disable critical systems.
Manufacturing: A breach in a manufacturer’s IoT network could disrupt operations, leading to downtime and significant financial loss.
Retail: IoT devices can help retailers protect against theft, manage inventory and more. But unsecured IoT devices may also allow attackers to steal customers’ information or disrupt critical business systems.
Transportation: Transportation networks that rely on IoT devices can be easily crippled by a breach of those devices. If buses require IoT devices to operate, or a plane relies on the IoT to navigate, security problems with those devices may lead to critical damage.
How to protect IoT systems and devices
Many stakeholders play a role in guaranteeing IoT security. Device manufacturers must design device hardware to be resistant against attack. Software developers must write secure code to run on the devices. Engineers who deploy and manage IoT devices must take steps to mitigate security risks. End-users who access data or systems via the IoT must keep the devices secure and avoid giving access to unauthorized users.
While the roles of each of these groups in IoT security vary, they can all use a common set of guidelines to help assess and address potential IoT security issues.
All stakeholders should strive to discover unauthorized devices that appear on an IoT network. These include ephemeral assets that may go offline at any time and then reappear in a new physical and network location. It is vital to have accurate information in order to understand and classify these devices.
Once a security team discovers all devices on an IoT network, it needs to know the intended role of each device in order to interpret and predict the device’s behavior patterns: which kinds of data it will generate, when it will come online and go offline and so on. Look for anomalies within these patterns to identify potential breaches.
Not all IoT devices pose the same level of risk. A medical device that controls a patient’s heart is higher-risk than an IoT device that controls a lamp. To assess risk accurately, stakeholders must develop risk profiles for each device on their networks. Then, they can prioritize security incidents appropriately, and know which devices to update first when a security vulnerability is announced for a device they manage.
Following the identification and classification of all devices on the network, IT and security teams can establish segmentation policies to protect high-risk, vulnerable, or mission-critical devices from the rest of the network. Segmentation policies also can control how each device communicates, manage access to other resources on the network, and ensure that every new device is evaluated and secured in real time.
IoT security: final thoughts
In order to capitalize on the benefits of IoT devices, organizations must acknowledge and address the security risks posed by IoT hardware and software, and take steps to protect their devices, their networks, and their data.
These steps include: proper discovery and classification of all IoT devices on a network; continuously tracking device behavior; performing risk assessment; and segmenting vulnerable and mission-critical devices from others.
The Ordr system control engine (SCE) gives organizations the power to enable visibility and security of their network-connected devices, with a simple and powerful solution to identify, classify, profile the behavior and risk and automate action for every network-connected device in the enterprise. One of the differentiated actions with Ordr SCE is that security and IT teams can proactively create microsegmentation policies to only allow sanctioned communications for every class of device. To learn more about how Ordr can enable an effective IoT security strategy for your organization, request a demo.