A recent Gartner security primer stated that 80% of organizations use the Internet of Things (IoT) for business. The paper also reported that 20% of these enterprises have already encountered an IoT-based attack in the last three years. Despite these reports, fewer than a third of security professionals are confident enough to secure IoT devices.
Some IT professionals aren’t familiar with the risks in their IoT environment or how to mitigate them. In this article, I’ll share some best practices for securing IoT devices in your organization. We’ll start by discussing some of the top IoT vulnerabilities. We’ll then move on to some of the challenges you’re bound to face while implementing IoT security and continue with best practices.
Sounds good? I’ll begin with the top 3 vulnerabilities putting your business at risk.
Top 3 IoT Vulnerabilities Putting Your Business At Risk
The total number of IoT-connected devices could reach 29.4 billion by 2030. In turn, businesses continue to accumulate IoT devices at an accelerated pace. If you’ve been one of those firms, you should be aware of the risks associated with owning such devices. Here are the top 3 vulnerabilities afflicting many IoT devices today.
1. Weak Authentication
Many IoT-connected devices have weak authentication. Some use hardcoded passwords embedded in the product’s source code. Unfortunately, you can’t change these to a value only known to you. Some IoT devices have changeable passwords, but they’re released with factory default values. Sadly, most people don’t bother changing default passwords.
Moreover, cybercriminals can find hardcoded and factory default passwords on the dark web. Basically, an attacker who gets hold of those passwords can compromise and weaponize a device. When inadequately secured IoT devices get caught in a botnet, they can launch DDoS attacks. Consequently, these attacks cause serious downtime for targeted businesses, leading to a loss in revenue and opportunity.
This is the attack method employed by the creators of Mirai. This notorious IoT botnet launched one of the biggest DDoS attacks in history. Mirai hacked IoT devices like routers and CCTV cameras by using default passwords. Other IoT bots use Mirai’s attack methods and code even today.
2. Obsolete Software Components
Many IoT-connected device manufacturers forgo security measures to roll out products faster than their competition. Additionally, some of these manufacturers use outdated software components/libraries.
The problem is that these components no longer receive security patches. It’s almost impossible to secure unpatchable IoT devices. Consequently, devices using outdated software with vulnerabilities become easy targets for cyber attackers.
In 2019, the FDA warned the healthcare industry about potential risks in specific medical devices using IPnet. IPnet, a third-party software component, is no longer supported by its original vendor. However, it’s still used by some medical device manufacturers. Vulnerabilities in the IPnet code make IoT devices that use it susceptible to Denial of Service (DoS) and Remote Code Execution attacks.
Users haven’t reported attacks associated with that particular vulnerability. But, it doesn’t mean these attacks could never happen. What’s worse is that an attack on an unpatchable medical device or equipment can endanger human lives, not just IT systems and business operations.
3. Insecure Networks
IoT devices are often deployed on corporate networks alongside other IT assets. Consequently, if your network is inadequately secured, a security incident affecting one component in that network can also affect others. That’s how computer worms and other similar kinds of malware propagate. IoT devices are susceptible to the same types of vulnerabilities that afflict network devices because they are network aware.
Remember Mirai? One particular Mirai variant employed exploits that targeted network routers and IoT devices. As with other Mirai variants, this specific malware had DDoS capabilities. Meaning, if it manages to trap your routers and IoT devices, it can use them to launch DDoS attacks.
If your devices carry out a DDoS attack, they’ll be consuming precious network bandwidth and computing resources. This can affect the performance of your network and the systems that use it. Moreover, your reputation suffers if the attack is traced to your network and the inadequately secured IoT device.
Many organizations already have security policies that mitigate risks in their respective IT environments. Unfortunately, IoT devices and the IoT manufacturing industry are fraught with issues that can impede security initiatives.
Next, I’ll look at the 3 major IoT security implementation challenges.
3 Major IoT Security Implementation Challenges
When you start securing your IoT environment, you’ll realize the task isn’t entirely straightforward. Here are some challenges you’re bound to encounter.
1. Lack of Visibility on IoT Devices in the Organization
IoT devices, like smart HVAC systems, smart locks, smart CCTV cameras, etc., aren’t classified as IT assets. Consequently, people procure these devices without IT’s knowledge. When that happens, your IT team won’t be able to track and monitor these devices. This is typically because of their very limited understanding of how these devices work. This isn’t entirely their fault; most of these devices’ functions (e.g., cooling and heating) have nothing to do with IT.
Most IT teams don’t know what types of data these devices collect or generate, let alone where they store it. Is the data kept locally or stored in a public or private cloud? This lack of visibility usually inadvertently excludes these devices from risk mitigation activities. Chances are, you’re excluding IoT devices from vulnerability scans, patch management, security audits, penetration tests, etc. Indeed, you can’t possibly secure what you don’t know.
2. Lack of Standards for IoT Security
Currently, no security standards govern development, testing, production, and all other processes in IoT device manufacturing. It’s always been this way in every nascent technology. Vendors rush to roll out products as quickly as possible to grab market share. Thus, functions, features, and performance are prioritized over security.
Applying existing standards-based policies and audits to IoT devices could be a stumbling block. Let me give you an example. Patch management is a common requirement in security standards like ISO 27001 Annex A, PCI DSS, and the NIST Cyber Security Framework. However, even if you have a patch management policy, you can’t apply that policy to IoT devices. That’s because many of these devices aren’t patchable at all.
3. Poor to Non-existent Vendor Security Practices
Vendors continue to tack on their interpretation of security with no security standards to adhere to. That’s assuming they bother with security at all. This can be a problem for vendors with a superficial understanding of security. For example, let’s say your IoT vendor recognizes the importance of patching. They enable their IoT product to support firmware updates. While patching helps, it may be insufficient if the product you’re patching doesn’t support firmware signing.
Firmware signing enables developers to digitally sign firmware updates before they reach a device. The device can then check the signature to verify that the update originated from a trusted source. Without this capability, threat actors can hijack your update processes and turn them against you. They can push unauthorized and malicious updates, compromising your IoT devices. This is just one of many ignored security practices.
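The sign-then-verify flow described above, as an added example that is not from the original article or any vendor's code. It assumes Ed25519 signatures and a hypothetical `Update` structure; the key pair, version string and image bytes are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Update is a hypothetical firmware package with a detached vendor signature.
type Update struct {
	Version          string
	Image, Signature []byte
}

var ErrBadSignature = errors.New("firmware signature invalid, update rejected")

// newDemoKey creates a throwaway vendor key pair for this example only.
func newDemoKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// signedBytes binds the version label to the image so neither can be swapped.
func signedBytes(version string, image []byte) []byte {
	return append([]byte(version+"\x00"), image...)
}

// signUpdate runs on the vendor's build system, where the private key lives.
func signUpdate(priv ed25519.PrivateKey, version string, image []byte) Update {
	return Update{version, image, ed25519.Sign(priv, signedBytes(version, image))}
}

// verifyUpdate runs on the device, which stores only the vendor's public key.
func verifyUpdate(pub ed25519.PublicKey, u Update) error {
	if !ed25519.Verify(pub, signedBytes(u.Version, u.Image), u.Signature) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	pub, priv := newDemoKey()
	good := signUpdate(priv, "1.4.2", []byte("constructed firmware image"))
	bad := Update{good.Version, []byte("constructed modified image"), good.Signature}
	fmt.Println(verifyUpdate(pub, good), verifyUpdate(pub, bad))
}
```

A device that installs only updates for which `verifyUpdate` returns nil rejects images that were modified in transit or signed with any key other than the vendor's.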
Alright, now that you’re aware of the vulnerabilities and security-related challenges in these environments, I’m sure you want to know how to secure IoT devices. I’ll go over some best practices you can apply next.
Top 5 IoT Security Best Practices And Why You Need Them
Here are some best practices to ensure you only use secure IoT devices.
1. Choose Vendors That Give Importance to Security
Vendor cybersecurity awareness, even in the IoT industry, is improving. Thus, you can add security as a major criterion in choosing an IoT device. Your procurement officer can then, for example, prioritize products that support firmware signing while avoiding products with hardcoded passwords.
Evidently, you can minimize risks in your IoT environment by procuring secure IoT devices. In addition, this simplifies the process of incorporating them into your security initiatives. All the best practices on this list are easy to use if your IoT devices already have built-in security attributes.
2. Discover, Track, and Monitor Your IoT Devices
This is one of the first things you must do to secure IoT devices. Discover, track, and monitor every IoT device in your network(s). If you find a solution that automates these processes, that’s ideal. But if not, you’ll have to accomplish these tasks manually.
Your IT team is usually in charge of IT asset management. This involves discovering, tracking, and monitoring IT assets. Hence, the team can take this responsibility. To give them a heads-up from the start, you can involve them in every IoT device procurement. Then, once you’ve gained complete visibility of your IoT devices, it will be easier to apply succeeding best practices.
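When discovery has to be done manually, the core task is reconciling what is actually on the network with what the asset inventory says should be there. The following is an added example, not from the original article; the inventory entries, the "IP MAC" sighting format and all addresses are constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed sample data: inventoried MACs and observed "IP MAC" sightings.
var inventory = map[string]string{
	"02:00:00:00:00:01": "lobby-camera",
	"02:00:00:00:00:02": "hvac-controller",
	"02:00:00:00:00:03": "door-lock-3f",
}
var sightings = []string{
	"10.20.0.11 02-00-00-00-00-01", "10.20.0.12 02:00:00:00:00:02",
	"10.20.0.57 02:00:00:00:0A:99", "10.20.0.57 02-00-00-00-0a-99", "",
}

// normMAC makes "02-00-..-0A" and "02:00:..:0a" compare equal.
func normMAC(s string) string {
	return strings.ToLower(strings.ReplaceAll(strings.TrimSpace(s), "-", ":"))
}

// reconcile lists MACs seen but not inventoried, and inventoried names never seen.
func reconcile(inv map[string]string, seen []string) (unknown, missing []string) {
	observed := map[string]bool{}
	for _, line := range seen {
		if f := strings.Fields(line); len(f) >= 2 { // skip malformed lines
			observed[normMAC(f[1])] = true
		}
	}
	for mac, name := range inv {
		if observed[normMAC(mac)] {
			delete(observed, normMAC(mac)) // accounted for
		} else {
			missing = append(missing, name)
		}
	}
	for mac := range observed { // whatever is left was never inventoried
		unknown = append(unknown, mac)
	}
	sort.Strings(unknown)
	sort.Strings(missing)
	return unknown, missing
}

func main() {
	fmt.Println(reconcile(inventory, sightings))
}
```

The first list is the set of devices procured or connected without IT's involvement; the second is inventoried devices that are offline, moved or retired and need follow-up.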
3. Implement a Strong Authentication Policy
A firm authentication policy requires all devices, systems, applications, etc., to be protected by strong credentials. What does that mean? Suppose your IoT-connected devices use passwords for authentication and those passwords are changeable. In that case, you should assign them long, complex passwords. In essence, you must avoid short and easy-to-guess passwords like “123456” or “password”. This also means replacing factory default passwords with new values.
More importantly, you must ensure that only authorized users know the passwords to IoT devices they’re responsible for. A strong authentication policy makes it difficult for attackers to break into them.
4. Adopt Patch Management
Patch management is a systematic approach to applying software updates, a.k.a. patches. Many patches include security updates that fix known vulnerabilities in the software you’re patching. Since your IT team will likely already have a patch management program, they can include your patchable IoT-connected devices in their patching schedules. This best practice is easier to implement if you’ve already established best practice #1.
Since you can’t discover all vulnerabilities at the same time, patch management should be an ongoing practice. Each security update should address a new set of vulnerabilities. Effectively, you’ll have relatively more secure IoT devices after each round of patching.
5. Apply Network Security Best Practices
Network security consists of a broad set of best practices, including establishing network segmentation, data-in-motion encryption, firewalls, etc. Your IT or dedicated cybersecurity team will usually implement network security.
Technically, not all network security practices will secure IoT devices on an individual level the way patch management does. Instead, since IoT devices communicate and perform many of their tasks through the network, you can secure these devices by securing the network they use.
Now, let’s summarize what we’ve covered.
As the Internet of Things gains an even stronger foothold in business environments, it’s important to understand its risks. More importantly, businesses must know how to secure IoT devices, networks, and the processes that use them.
In this article, I discussed some best practices to secure IoT devices. I emphasized the importance of establishing visibility, strong authentication, patch management, network security, and vendor security. If you’re using such devices in your business, I encourage you to adopt these best practices and learn more about enforcing security.
If you encountered any questions along the way, you’ll find additional information in the FAQ and Resources sections below.
FAQ
Can firewalls help secure IoT devices?
Yes, certain types of firewalls address security issues that involve IoT devices. In fact, some Next Generation Firewalls (NGFWs) have built-in features enabling IT admins to create firewall rules based on IoT traffic.
What’s the most practical way of implementing data-in-motion encryption for IoT devices in business networks?
You have two main options for providing data-in-motion encryption: SSL/TLS or VPNs. The former usually requires SSL/TLS encryption capability at each endpoint device. Unfortunately, many IoT devices lack that capability. Hence, it’s more practical to use a VPN like IPsec. Such VPNs support a site-to-site architecture, which applies encryption at the gateways instead of each endpoint.
How can I discover vulnerabilities in my IoT devices?
One way to discover vulnerabilities in your IoT devices is to run penetration tests. These tests involve finding vulnerabilities while trying to exploit those vulnerabilities the way hackers do. You can hire a third-party team that offers penetration testing as a service.
Why is cloud network security important in a world of IoT devices?
Many IoT devices leverage cloud services to store and analyze collected data, perform processing that the device can’t do, and so on. Those cloud services extend the surface that attackers can hack. You can mitigate these risks by instituting cloud network security.
Will the influx of IoT devices affect WAN performance?
Yes, IoT devices will compete with other devices and IT components for wide area network bandwidth. The more IoT-connected devices you have, the greater their impact will be on your network. You can use WAN optimization to address network performance issues.
Resources
TechGenix: Article on Firewall Best Practices
Strengthen your IoT device environment’s defenses with these firewall best practices.
TechGenix: Article on Proxy Servers
Get the rundown on proxy servers and their role in cybersecurity initiatives.
TechGenix: Article on IDS and IPS
Learn how intrusion detection and intrusion prevention systems secure your network.
TechGenix: Guide on Remote Network Access
Learn all about remote network access in this definitive guide.
TechGenix: Guide on Cyber Threat Hunting
Get acquainted with cyber threat hunting in this introductory guide.