September 28, 2021
How To Secure IoT Systems
September 28, 2021
The proliferation of internet-connected systems other than computers and mobile devices has dramatically expanded attack surfaces, hence the need for IoT security.
To suggest that cybersecurity used to be easy might seem hard to believe for new ones. In the old days, security largely revolved around antivirus software installed on endpoints, network firewalls, and locked doors. It was defined by the notion of a perimeter encompassing a network of on-site computers.
Today’s technology landscape paints a very different picture, in which the number of internet-connected devices is increasing exponentially. 23.9 billion devices on average are connected to the internet. That number is expected to reach 41.2 billion in just four more years.
What might come as a surprise is that most of these devices are not servers, workstations, or smartphones. Instead, they belong to the Internet of Things, an umbrella term referring to any connected object or ‘thing’ other than a traditional computer, such as smart home appliances, factory equipment, and wearable technology.
With IoT devices now making up around 60% of all connected devices and growing, the need for better security is more precise than ever. After all, every connected device is another potential entry point for attackers. In some cases, that entry point might be something as innocuous as an internet-connected fish tank.
What is the Internet of things?
The Internet of Things refers to the billions of internet-connected devices that do not quite fall under the definition of a conventional computer. Virtually any machine can be transformed into an IoT device and connected to the internet for collecting and sharing data or enabling remote control. IoT devices are typically embedded systems designed for a singular purpose, whereas traditional computing devices are built to run different software and accommodate various workloads.
In the home environment, smart speaker systems, such as Amazon Alexa and Google Home, are among the most common examples of IoT devices. Another common example is the smart thermostat, which can be controlled using a smartphone app, or the connected home security systems that allow users to watch live video feeds from their homes no matter where they are physically located.
While the consumer-grade systems mentioned above offer convenience, the implementation of IoT technology is having a far more profound effect behind the scenes. It is also the main driver of what many are calling the fourth industrial revolution. IoT powers digital control and monitoring systems in manufacturing and agriculture, connected cars, patient tracking systems in healthcare, and more.
What are the security risks of IoT?
The potential for IoT technology to change the world is undeniably enormous, but the risks are also huge. The rapid adoption of connected devices in large-scale environments like factories, farms, and critical infrastructure is especially fraught with danger due to the enormous attack surfaces involved. The Colonial Pipeline Attack in 2021 illustrated just how vulnerable these sectors could be, given their rapid adoption of IoT sensors in places like drilling platforms and oil wells. With the rise of cyberwarfare and state-sponsored attacks, the risks are only likely to get worse too.
Many businesses have had a difficult time keeping up with the rapid proliferation of IoT devices, which means security has often taken a backseat. It is now more important than ever to develop a thorough understanding of IoT security and execute a strategy for mitigating the risks it introduces. Those developing IoT products must also factor in security by design and default rather than approaching it as an extra feature.
Here are some of the most common IoT security challenges that teams must train to recognize and remediate:
Weak password protection: Many IoT devices still use their default passwords, making them vulnerable to attackers.
Poor update mechanisms: Some IoT devices are inadequately supported by developers, in which case they may lack regular critical security updates.
Lack of device management: IoT devices are often put into active use without knowledge and oversight from the IT department.
Insufficient data protection: Some IoT developers have a poor track record of protecting user privacy and security, though encryption can greatly reduce the risk.
Botnet attacks: Perhaps best exemplified by the Mirai botnet attack in 2016, IoT devices are often targeted en-masse to launch large-scale DDoS attacks or use for crypto-mining.
The unfortunate truth of the matter is that many IoT devices lack adequate security and, even if they do provide the necessary features and controls, the responsibility to use them correctly still falls to the end-user. These issues are why IoT security training is important in any organization that plans to use these devices, especially those with evolving operational technology strategies and high-value assets.
Redefining the security perimeter
Many modern businesses now operate in a hyperconnected environment. That connectivity is no longer restricted to conventional office networks but myriad mobile and IoT devices, cloud-hosted resources, and employee-owned devices. In environments like factories, connectivity also extends to operational technology (OT), which includes systems used to control, monitor, and manage everything from machining tools to entire buildings. Transport and logistics now make extensive use of connected fleet tracking and driver-monitoring systems. The healthcare sector is leveraging IoT for monitoring drug effectiveness, capturing vital signs, and tracking patients. The list goes on.
These are just some examples of how the adoption of IoT has wholly redefined the original concept of the security perimeter. Modern operational technology systems, including connected devices, can no longer exist in a bubble. They must also be secured, monitored, and managed just like any other connected system.
It is time for the focus to shift to endpoint security, in which each device is protected with robust access controls, encryption, and automated fail-safes. Employees must also be trained in the correct use of IoT devices and be fully aware of the risks of incorporating them into their workplaces.
Cybrary for Teams provides an easy and accessible way for organizations to keep employees up to speed with the latest standards of IoT security. Create your account today to get started.