5 Things CISOs Need To Know About IoT Security

The growth of the Internet and the increase in the adoption of devices has brought a new set of security challenges for enterprises - IoT security. 

The rapid adoption of the Internet of Things (IoT) is hard to ignore: Gartner estimates a compound annual growth rate of 31.7% until the end of the decade. This means that, by 2020, 20.8 billion connected things – excluding PCs, tablets and smartphones, will join the internet. While it’s easier for organisations to roll out their own IoT services thanks to new mobile-based IoT platforms, there are not only opportunities arising from growing IoT, but also new kinds of risks.

Gartner predicts that by 2020 over 25% of identified attacks will involve the IoT. Unfortunately, awareness of the risks is developing at a slower pace. To avoid costly headaches later, forward-looking Chief Information Security Officers (CISOs) should think about what strategies they need to put in place now to ensure the safety of their customers and employees. There are a number of points a CISO must consider to develop a suitable IoT security programme.

What Does IoT Security Mean for the Enterprise?

The rise in the adoption of IoT has increased the potential of cyberattacks. Cybercriminals seek to exploit susceptibilities in smart devices manufactured with poor security practices. It is estimated that over 30 million IoT attacks were done in 2018, an increase of 200% than that recorded in 2017.

By the end of 2025, approximately 30 billion devices are expected to be connected to the Internet. This has led to the growing need for avoiding ransomware attacks and reinforcing security. Additionally, the increasing adoption of cloud-based technologies by a large number of organizations for storing confidential data has given rise to the risk of unauthorized data access.

Moreover, the growing trend of Bring Your Own Device (BYOD) has led to increased concerns regarding the security of data among enterprises and organizations. This, in turn, has unfolded numerous opportunities for security providers to offer effective security solutions, such as device and data security, implementation of security operations at IoT scale, and meeting compliance requirements along with performance requirements.

5 Things To Know About IoT Security

1. The IoT Connectivity Threat

Each IoT device represents an attack surface that can be an avenue into your data for hackers. A Comcast report found that the average household is hit with 104 threats every month. The most vulnerable devices include laptops, computers, smartphones and tablets, networked cameras and storage devices, and streaming video devices, a new report found. 

And unlike laptops and smartphones, most IoT devices possess fewer processing and storage capabilities. This makes it difficult to employ anti-virus, firewalls and other security applications that could help protect them. At the same time, edge computing intelligently aggregates local data, making it a concentrated target for sophisticated threat actors. 

Ransomware can also target applications and data in addition to IoT device hardware. In the third quarter of 2020, Check Point Research reported a 50% increase in the daily average number of ransomware attacks compared with the first half of the year. 

As there is a growing rate of IoT attacks, especially when trends of remote work and remote offices are factored. It is important to know and understand the threat landscape. The U.S. General Accounting Office GAO identified the following type of attacks as primary threats to IoT:

  • Denial of Service

  • Malware

  • Passive Wiretapping

  • Structured query language injection (SQLi controls a web application’s database server)

  • Wardriving (search for Wi-Fi networks by a person in a moving vehicle)

  • Zero-day exploits

2. Supply Chain Vulnerabilities and Endpoints

The Internet of Things (IoT) exacerbates supply chain vulnerabilities. IoT’s exponential connectivity is an ever-expanding mesh of networks and devices. The increased integration of endpoints combined with a rapidly growing and poorly controlled attack surface poses a significant threat to the internet of things.

By using the IoT endpoints, hackers can bombard websites with large amounts of traffic requests, which causes the sites to crash. According to a study conducted in April of 2017 by The Altman Vilandrie & Company, nearly half of U.S. firms using the Internet of Things have experienced cybersecurity breaches. It is likely that many more firms were victims and did not report breaches. 

With 44 billion IoT endpoints today (and that number is expected to triple by 2025), hackers have many attack options and entries for inserting malware and can also employ DDoS (distributed denial of service) attacks to devastating effects.  

In 2017, a variant of ransomware called “WannaCry”, the ransomware spread swiftly in May reaching over 100 countries and thousands of IoT devices. WannaCry disrupted governments and many organizations and company networks that had connectivity to IoT.

Another security challenge posed is the interaction between OT and IT operating systems, particularly to critical infrastructure. Adversaries have gained a deeper knowledge of control systems and how they can be attacked and can employ weaponized malware and the connectivity driven by the adoption of industrial internet of things and operational technology has further expanded the attack surface and that energy infrastructure operators should implement “security by design” to counter cyber threats.

Every form of cybersecurity attack method can apply to the IoT ecosystem, including It and OT. In the future, IoT connected by 5G will increase connectivity, speed, performance, capacity, and will necessitate the need for even stronger security for all IoT endpoints.

 

3. Growing number of IoT security regulations

The growing popularity of 3G and 4G networks and wireless technologies has led to an increasing number of cyberattacks. In order to address this, governments across the globe are focusing on implementing stringent regulations regarding data security and privacy.

Advancements in technology have led manufacturers to connect consumer goods, right from toys to lights and other major appliances, to the Internet. This indicates that there is a wide range of exposure to potential vulnerabilities with multiple attack surfaces, making it easier for hackers to gain control.

Thus, the implementation of IoT security regulations to safeguard data is anticipated to enhance the use of IoT enabled devices.

 

4. Companies are doubling their budget on IoT Security

Global spending end-users of 3rd party security solutions is currently estimated at $ 703 Million for 2017 and is forecast to grow at a CAGR of 44% to become a $4.4B market by 2022, driven by new regulation and increasing IoT adoption.

In addition to the security tools provided by IoT platforms (which is not part of this figure) the IoT security market is an aggregation of innovative startups and established firms such as global chip manufacturers, infrastructure providers, as well as cloud and enterprise software companies.

 

5. Increasing automation of IoT security tasks

With forecasted growth to billions of IoT devices, manually handling security tasks (e.g., revoking certificates, isolating compromised devices), as is still the case in many solutions today, will not be feasible. Security automation techniques that merge security solutions and artificial intelligence are becoming more and more prevalent.

For example, next-generation activity monitoring enables advanced anomaly detection, building on sophisticated machine learning algorithms. One case includes objectively classifying ‘good’ files from ‘bad’ files based on mathematical risk factors, which means it becomes possible to teach a machine to make the appropriate decisions on these files in real-time.

This method drives autonomous decision making and changes the way an IoT device understands, categorizes, and controls the execution of every file.

IoT Security Works on 4 Different Layers

IoT solution architectures require multi-layered security approaches that seamlessly work together to provide complete end-to-end security from device to cloud and everything in between throughout the lifecycle of the solution. The 4 layers consist of:

Device: The device layer refers to the hardware level of the IoT solution i.e., the physical “thing” or product. ODMs and OEMs (who design and produce devices) are increasingly integrating more security features in both their hardware and software (that is running on the device) to enhance the level of security on the device layer.

Security components include physical security, data at rest, chip security, secure boot, device authentication and device identity.

Communication: The communication layer refers to the connectivity networks of the IoT solution i.e., mediums over which the data is securely transmitted/received. Whether sensitive data is in transit over the physical layer (e.g., WiFi, 802.15.4 or Ethernet), networking layer (e.g, IPv6, Modbus or OPC-UA), or application layer (e.g., MQTT, CoAP or web-sockets) unsecured communication channels can be susceptible to intrusions such as man-in-the-middle attacks.

Security components include access control, firewall, IPS, IDS, and end-to-end encryption.

Cloud: The cloud layer refers to the software backend of the IoT solution i.e., where data from devices is ingested, analysed and interpreted at scale to generate insights and perform actions. IoT cloud providers are expected to deliver secure and efficient cloud services by default to protect from major data breaches or solution downtime issues. Security components include data at rest, platform and application integrity verification.

Lifecycle management: Secure Lifecycle Management refers to an overarching layer with continuous processes required to keep the security of an IoT solution up-to-date i.e., ensuring sufficient security levels are in place from device manufacture, initial installation to the disposal of things.

Security components include risk assessment, policies & auditing, activity monitoring, updates & patches, vendor control, user awareness assessment, and secure decommissioning.

Conclusion

Unfortunately, despite all efforts, when it comes to securing IoT, there are no failsafe solutions. It is a daunting challenge.  Eventually, the deployment of better-automated cybersecurity tools enabled by machine learning will greatly reduce breaches.  In specific regards to IoT security (and any security), there is an adage that rings true; it is better to be more secure than less secure (and make yourself less of a target).

Using a comprehensive risk management approach to understand and mitigate the threats of the Internet of Things can be of major help in that regard in helping mitigate security gaps.  Being more cybersecurity ready should be a priority pursuit for everyone connected.

Published on Aug 4, 2021
Harshit Agarwal
Written by Harshit Agarwal
Harshit Agarwal is co-founder and CEO of Appknox, a mobile security suite that helps Enterprises and Financial institutions to automate mobile security. Over the last 6 years, Harshit has worked with over 300+ businesses ranging from top financial institutions to Fortune 500 companies to set up security practices helping organisations secure their mobile applications and speed up the time for security testing.

Questions?

Chat With Us

Using Other Product?

Switch to Appknox

2 Weeks Free Trial!

Get Started Now