IoT Security Making Strides
Some Devices Still a Problem for Consumers and Businesses
It is estimated there will be 20.4 billion IoT devices in the world by 2020, according to Gartner, the world’s leading research company. IoT is short for Internet of Things—the rapidly growing network of physical objects with internet connectivity, and the communication that occurs between these objects and other Internet-enabled devices and systems. They are in our homes, businesses and even inside our bodies as medical devices. But security, including vulnerability to hacking, remains a critical concern.
While the range of available devices explodes, consumer adoption has remained sluggish. There is a continual stream of terrifying stories, such as hackers breaking into a home network through a Nest camera used as a baby monitor or articles on how many ways your personal voice assistant can be hacked. As a result, the whole IoT ecosystem is associated with being insecure.
Part of the problem is vendors rushing to market with cheap, easy-to-use devices that lack high-standard (or any) security protocols.
What is at risk is loss or exploitation of sensitive data for individuals or whole organizations. To remain competitive, businesses are increasing their IoT projects and spending, but often are opening their systems up to vulnerabilities.
Inherent security risks
A recent State of IoT Security report finds that 48 percent of businesses don’t even know if they have suffered an IoT breach. Only 59 percent of companies were encrypting their IoT data.
The same report revealed 62 percent of consumers think security of their IoT devices needs improvement. To meet the demands for better security, manufacturers must continue to improve security measures.
Evolving Security Measures
Many new-gen IoT makers have risen to the challenge with regard to security, including adopting emerging blockchain technology, providing an unchangeable, irrefutable, distributed record of transactions. The IoT industry is also moving toward adopting Public Key Infrastructure (PKI) to verify identity, distributing and naming public encryption keys. Blockchain and PKI both use cryptography, but serve different purposes. When they are used together, a system can not only verify a transaction, but also verify the identity of the transactor.
Legislation is also not far behind, closing the gaps on insecure IoT products.
Lawmakers are getting onboard with increased IoT security protections
California has new IoT security legislation that will go into effect in 2020. Other states are expected to follow suit with regulatory initiatives to protect users by ensuring IoT devices incorporate reasonable security protection features, including:
+ Preventing unwanted modifications
+ Stopping unauthorized access
+ Providing a unique password for each device, or forcing users to establish one before the device is activated
The last point addresses a common issue where hackers access devices by guessing the manufacturer’s default password.
While this law only raises security requirements for products sold in California, those same products sold elsewhere will have higher security standards. On a national level, several Internet of Things-related bills have been introduced, but none have been enacted into law.
Business IoT security
Here are the 10 best practices for organizations to keep track of IoT security, recommended by Gartner Research:
1. Profile endpoints
IoT endpoints introduced into a network create a possible breach entry point. Endpoints should be identified with a profile and added to the company’s asset inventory, then monitored for security.
2. Track and manage devices
It might be a simple task now, but as the number of IoT devices grows exponentially, a company may lose track. Every connected device should be documented, including the function it performs. To alleviate having to track them all manually, Gartner Research recommends applying an asset discovery, tracking and management solution at the beginning of an IoT project.
3. Identify IT security gaps
Even if there are security protocols that address the cyber aspects of connected devices, the physical device might need to be secured in a different way, with the assistance of an engineer.
4. Consider patching and remediation
Before implementing IoT devices, consider how complex they will be for patching and remediation. This is a good area to discuss with the manufacturer before purchase. Security and other business requirements may require code changes over time, and some devices may involve multiple steps or be more complex than some IT departments can handle.
5. Apply a risk-driven strategy
An IoT project will require cybersecurity planning before deployment. A risk-driven strategy is recommended by Gartner, prioritizing critical assets in the IoT infrastructure.
6. Test and evaluate before deployment
Before IoT devices are launched, device evaluation at the hardware or software level should be performed, and in some cases, reverse engineering. Testing will help companies understand vulnerabilities before system-wide or public use.
7. Change default passwords and credentials
Shockingly, many IoT devices have been manufactured with vendor-supplied default passwords, some that cannot be changed! Hackers learn these passwords and gain control of the device. Look for products with customizable passwords.
8. Review the data
The data generated by a device should be in a recognizable format so organizations can detect irregular activity. Be wary of devices that use nonpublic personal information (NPPI) or personally identifiable information (PII). This type of data can lead to exploitation of personal or company information by bad actors.
9. Rely on up-to-date encryption protocols
According to a comprehensive global survey by cyber security firm Gemalto, 40 percent of businesses don’t employ any type of encryption on information moving in and out of IoT. Gartner recommends closing this vulnerability by applying the strongest available encryption.
10. Move from device-level control to identity-level control
Incorporate PKI to verify identity. This is becoming more crucial as IoT devices connect with multiple users over a single device. Identifying the user also helps companies recognize patterns, gather better data and protect against inappropriate use.
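Several of the practices above (1, 2, 5, 7 and 9) can be checked mechanically once devices are recorded in an asset inventory. The sketch below is an added example, not code from Gartner or the original article; the Device fields, the audit function and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    mac: str
    function: str               # documented purpose (practice 2); "" if undocumented
    critical: bool              # supports a critical asset (practice 5)
    default_credentials: bool   # vendor default password still set (practice 7)
    encrypted_transport: bool   # data in transit is encrypted (practice 9)

def normalize(mac: str) -> str:
    """Canonical MAC form so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    return mac.strip().lower().replace("-", ":")

def audit(inventory, seen_macs):
    """Return findings as (priority, mac, issue); priority 0 is most urgent."""
    known = {normalize(d.mac): d for d in inventory}
    seen = {normalize(m) for m in seen_macs}
    findings = []
    # Practice 1: anything on the network without a profile is a blind spot.
    for mac in sorted(seen - set(known)):
        findings.append((0, mac, "on network but not in asset inventory"))
    for mac, dev in sorted(known.items()):
        prio = 1 if dev.critical else 2   # risk-driven ordering (practice 5)
        if not dev.function:
            findings.append((prio, mac, "no documented function"))
        if dev.default_credentials:
            findings.append((prio, mac, "vendor default credentials"))
        if not dev.encrypted_transport:
            findings.append((prio, mac, "unencrypted data in transit"))
        if mac not in seen:
            findings.append((2, mac, "inventoried but not seen on network"))
    return sorted(findings)

# Constructed sample data (MACs taken from the IANA documentation range).
INVENTORY = [
    Device("00:00:5E:00:53:01", "lobby camera", False, True, True),
    Device("00-00-5E-00-53-02", "infusion pump gateway", True, False, False),
    Device("00:00:5e:00:53:03", "", False, False, True),
]
SEEN = ["00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5E:00:53:7F"]

if __name__ == "__main__":
    for prio, mac, issue in audit(INVENTORY, SEEN):
        print(f"P{prio} {mac} {issue}")
```

In practice the list of seen addresses would come from whatever asset discovery tool the organization already runs, and the inventory from its asset management system.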
IoT still presents a huge risk for consumers and businesses, but with increased security, IoT manufacturers will be able to gain consumer trust and increase adoption of connected devices.