What is IoT security?
By its nature, IoT opens up networks to the possibility of hacking. That’s because it involves connecting many objects or “things” to the internet that did not previously link to a network. For example, manufacturing companies connect IoT sensors to machinery on the factory floor, while homeowners purchase smart home devices such as thermostats, doorbell cameras, and light switches. With the innovation comes new vulnerability. Each connected thing, whether it’s a temperature sensor buried underground or a fitness watch, adds a doorway through which hackers could enter—and potentially bring down entire networks. IoT security seeks to protect devices and networks, addressing the specific issues inherent to IoT deployments.
Why is IoT security essential?
Security is a point of pain for many IoT leaders. It’s complicated and overwhelming to secure so many devices and interconnected systems—and the statistics aren’t very encouraging. IoT attacks grew by 600 percent between 2016 and 2017, and 48 percent of businesses can’t detect if their IoT devices suffered a breach. Yet IoT security is essential if organizations want to safely realize the power of a connected world. Here’s why:
Data is very valuable—and worth protecting.
In many ways, data is the currency of our day. Organizations collect, store, and analyze tremendous amounts of information, using it to keep daily operations running smoothly and harvesting insights to make decisions. With so much at stake, cyberattacks can be devastating. For example, if a hacker penetrates a manufacturing company’s system and erases their predictive maintenance and productivity data, the company may be forced to halt production and struggle to find their way forward.
IoT security vulnerabilities undermine its success.
If IoT devices and networks are vulnerable to attack, they are of little use to an organization. Once the data is compromised or a hacker shuts down the network, the advantages are negated. Imagine if an agricultural grower sets up an IoT deployment to monitor plant growth, soil temperature and moisture, only to have the system crash when hackers discover and exploit a vulnerability. The grower has come to rely on IoT data to make decisions—and now that data has disappeared.
Cyberattacks on IoT devices can lead to compromised privacy and even physical injury.
Because IoT devices track many kinds of information, access to that breadth of data can give hackers unprecedented power. For example, if bad actors break into a network of connected cars, they could take control of the vehicles while passengers are inside—resulting in their injury or death. Cyberthreats against health IoT devices such as pacemakers are another example of serious security risks. The more personal information is collected and stored on digital devices, the more risk there is for organizations and consumers alike.
How should we approach IoT security?
Here’s some good news about IoT security risks: history repeats itself. While the details of cybersecurity attacks change from day to day, they’re often rehashes of the same incidents that have been occurring since the birth of the internet in the 1990s. The most effective approach to IoT security starts with taking a close look at the history of cyberattacks and security vulnerabilities across the computer network landscape, identifying the recurring themes, and creating a built-in IoT security plan for your deployment that addresses each common area of vulnerability. Let’s start by taking a closer look at a few IoT security breaches and hacks.
Examples of IoT security breaches and hacks
Because IoT hacks can happen to any type of connected thing, instances of security breaches include the unexpected and the bizarre.
BABY MONITORS
Baby monitors have gone from being simple radio transmitters to sophisticated video devices connected to the internet via WiFi. These features enable parents to keep watch over a sleeping child from their smartphone, but they also create an open door for hackers. In 2018, parents of a four-month-old baby in Texas heard a stranger’s voice over their video monitor, threatening to kidnap their baby. Once they realized it was a hacker and not someone in their home, they disconnected the device and called the police. These types of hacks are not difficult for bad actors to carry out if device users rely on default passwords.
CONNECTED CARS
In 2015, two hackers remotely took control of a Jeep Cherokee using vulnerabilities in the car’s entertainment system to access its dashboard functions. The two hacker-researchers commandeered the car while a journalist was behind the wheel, initiating a series of unexpected disturbances and finally disabling the brakes, causing the driver to swerve into a ditch. The experiment demonstrates just how serious IoT security vulnerabilities can be.
POINT OF SALE (POS) SYSTEMS
In 2014, hackers used login information from an HVAC company to break into Target’s POS system. The HVAC company had login credentials with the retailer to carry out remote monitoring tasks, evaluating and adjusting energy consumption at retail stores. Once the hackers were inside Target’s network, they uploaded malware to the POS systems and stole data from 40 million debit and credit cards in the U.S., Brazil, and Russia.
THERMOSTATS
There have been a number of hacks to connected thermostats over the past few years, typically due to weak or compromised passwords. In 2016, hackers broke into the heating system at a pair of apartment buildings in southeast Finland, introducing a distributed denial-of-service (DDoS) attack that disabled the heating system for nearly a week. And in 2019, a hacker broke into a Wisconsin couple’s smart home, turned the thermostat up to 90 degrees, and spoke to them through a camera in their kitchen.
How does your IoT security program measure up?
An IoT cyberattack can happen anywhere, to any kind of connected device. It’s essential to look at every network element and every piece of hardware as a potential entry point—and act aggressively to protect those doorways. Every successful IoT security program must address four basic areas. Before you do anything else, take a moment to assess the state of your organization’s IoT security protocol using this checklist.
How does your IoT security program address:
INTERNAL THREATS?
(How do you ensure vendor alignment? What measures are in place to detect hidden malware and monitor logging practices? How do you detect internal bad actors?)
EXTERNAL THREATS?
(How does your organization safeguard against external hackers who may spread malware and perpetrate ransomware attacks?)
PRIVACY?
(Is encryption effective? Is your network private?)
COMPLIANCE?
(Which regulations are you subject to? How do you ensure compliance?)
If your responses were vague or incomplete, you’re not alone.
Cybersecurity is one of the major thorns in the side of IoT at the moment. As more devices, vendors, and networks become involved, ensuring security becomes increasingly complicated. But if you think critically and make sure you’re paying attention to each major area of concern, IoT security is quite achievable.
What are the biggest concerns for IoT security?
Let’s take a closer look at these four main areas of concern for IoT security.
Internal threats
The phrase “internal cyber threats” conjures up images of malicious employees who intentionally leak sensitive information. But while it’s important to safeguard against bad actors, the vast majority of internal threats in IoT networks come from ignorance or negligence about best practices. Here are a few essential areas to focus on when you’re creating or refining IoT security policies:
VENDOR ALIGNMENT
One weakness of IoT security occurs when organizations unite hardware and software elements from different vendors who may not be working together to achieve optimum security. For example, a connected car manufacturer may have a vendor deep inside their system who’s not worrying about security because they make a vehicle part that’s normally not connected to the internet. When connected, that part becomes a security risk. Ultimately, the weakest link in your chain of vendors becomes a potential entry point for hackers. To offset that risk, work toward vendor alignment: look for vendors who share your security standards and ensure that every connection point in your hardware and software chain is secured.
INTRUSION DETECTION SYSTEMS
An intrusion detection system is a software application or device that monitors your network for suspicious activity, and it is an essential step toward safeguarding against internal (and external) cyber threats. Intrusion detection systems may use signature-based detection to find malware or other bad patterns, or anomaly-based detection to highlight deviations from normal activity.
EMPLOYEE ADHERENCE TO CYBERSECURITY BEST PRACTICES
Making sure employees are well-versed in cybersecurity best practices should be an ongoing effort in any organization, especially those utilizing or designing IoT devices. Because the threat landscape is always changing, it’s important to schedule frequent check-ins to keep teams in the loop.
CHANGE MANAGEMENT
A good change management system requires approval and record-keeping to prevent unauthorized changes from occurring. Change management reduces the risk caused by the human element, which can include errors as well as social engineering. It creates a standard process that all personnel must follow strictly for any changes to network access control or device management.
PRINCIPLE OF LEAST PRIVILEGE
An IoT device on your network shouldn’t have access to other devices on your network by default, because those unnecessary links create additional attack surfaces. Enforcing the Principle of Least Privilege helps to restrict access between devices. Role-based control, a tool within some IoT platforms that allows you to restrict network and account access depending on the person’s role, is another helpful security precaution for any company developing or deploying IoT.
External threats
Threats from outside your immediate IoT network can come from anywhere, in any number of forms. There’s no way to anticipate every possible threat, but there are things you can do to ensure network security and make it very difficult for a bad actor to break in.
SECURING BACKDOORS AND OPEN PORTS
Oversights such as backdoors and open ports can lead to serious cyberthreats. To the best of your organization’s ability, eliminate these open doors and utilize network monitoring, anti-malware solutions, and/or multiple firewalls as added layers of protection.
FIREWALLS
In IoT security, firewalls are essential—and should come in several layers. Network operators should implement multiple firewalls to detect and log anomalous traffic and unexpected port access attempts. Set up your system to trigger alerts so you’ll be notified immediately if something is amiss.
PASSWORD MANAGEMENT
Everyone knows it’s important to use strong passwords and change them regularly—but many organizations still struggle to stay up-to-date on this key element of security. Some IoT devices come pre-loaded with default passwords set by the manufacturer, creating an open door for hackers to penetrate the network. If your devices operate with traditional passwords, change them often or consider using an automated password management system. Today’s cellular IoT devices may also use authentication as an additional layer of security, such as Hologram’s multi-factor authentication for connected devices.
DISASTER RECOVERY PLAN AND DATA BACKUP
Backing up your systems is a given, but with the amount of data gathered in today’s organizations, it can be an overwhelming task. Even if data is backed up, you need to make sure you can restore it quickly—so you can avoid costly network downtime. These details should be worked out in a disaster recovery plan (DRP), an essential roadmap to the policies and procedures your organization will use to cope with a physical disaster or large-scale cyberattack.
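The two detection styles named under intrusion detection systems, combined with the least-privilege rule that a device should only talk to the peers it needs, are shown below as an added example that is not part of the original article. The device names, hosts, flow records and the choice of Telnet ports as a signature are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (device, destination host, destination port, bytes sent).
BASELINE = [
    ("thermostat-1", "telemetry.example.net", 8883, 410),
    ("thermostat-1", "telemetry.example.net", 8883, 395),
    ("thermostat-1", "telemetry.example.net", 8883, 402),
    ("thermostat-1", "telemetry.example.net", 8883, 420),
    ("camera-7", "video.example.net", 443, 51000),
    ("camera-7", "video.example.net", 443, 49500),
    ("camera-7", "video.example.net", 443, 50200),
]
OBSERVED = [
    ("thermostat-1", "telemetry.example.net", 8883, 405),  # normal traffic
    ("thermostat-1", "198.51.100.20", 23, 120),            # Telnet to unknown peer
    ("camera-7", "video.example.net", 443, 910000),        # volume spike
    ("camera-7", "thermostat-1", 80, 300),                 # device-to-device link
]

# Signature-based: fixed known-bad patterns (assumed policy: no Telnet from devices).
SIGNATURE_PORTS = {23: "telnet", 2323: "telnet-alt"}

def build_profiles(flows):
    """Learn each device's normal peers and traffic volume from baseline flows."""
    peers, sizes = defaultdict(set), defaultdict(list)
    for dev, host, port, nbytes in flows:
        peers[dev].add((host, port))
        sizes[dev].append(nbytes)
    return {d: (peers[d], mean(sizes[d]), pstdev(sizes[d])) for d in peers}

def scan(flows, profiles, k=3.0):
    """Return (device, kind, detail) alerts for signature and anomaly matches."""
    alerts = []
    for dev, host, port, nbytes in flows:
        if port in SIGNATURE_PORTS:
            alerts.append((dev, "signature", SIGNATURE_PORTS[port]))
        allowed, avg, sd = profiles.get(dev, (set(), 0.0, 0.0))
        if (host, port) not in allowed:
            # Least privilege: any peer outside the learned set is unexpected.
            alerts.append((dev, "anomaly", f"new peer {host}:{port}"))
        elif nbytes > avg + k * max(sd, 1.0):
            alerts.append((dev, "anomaly", f"volume {nbytes} vs mean {avg:.0f}"))
    return alerts

if __name__ == "__main__":
    for alert in scan(OBSERVED, build_profiles(BASELINE)):
        print(alert)
```

The signature rule only catches what it was written for, while the anomaly checks catch the volume spike and the device-to-device link that no signature describes.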