A recent Gartner IoT security primer revealed that at least 80% of organizations already use The Internet of Things (IoT) for business purposes. The paper also reported that 20% already encountered an IoT-based attack in the past 3 years. Despite these developments, only less than a third of information security professionals are confident in their ability to mitigate IoT-related risk.
I won’t be surprised if you too aren’t familiar with the risks in your IoT environment, let alone with methods for mitigating those risks. In this post, I’m going to share with you some best practices on how to secure IoT devices in your organization. We’ll start by discussing some of the top IoT vulnerabilities. We’ll then talk about some of the major challenges you’re bound to face even when you attempt to implement IoT security, before finally proceeding with best practices.
Sounds good? Let’s begin.
Top 3 IoT Vulnerabilities Putting Your Business At Risk
Estimated at 15.9 billion last year, the total number of IoT connected devices is expected to reach 39.6 billion by 2030. Businesses continue to accumulate IoT devices at an accelerated pace. If you’ve been behaving like these organizations, you need to be aware of the risks these devices pose. Here are three of the top vulnerabilities afflicting many IoT devices today.
1. Weak authentication
Many IoT connected devices are equipped with weak authentication. Some use hardcoded passwords. Since hardcoded passwords are embedded in the product’s source code, you can’t change them to a value that’s only known to you. While other IoT devices do have changeable passwords, they’re often released with factory default values. Sadly, most people don’t bother changing default passwords.
Hardcoded and factory default passwords can be obtained in hacking forums in the dark web. So, if an attacker somehow gets hold of those passwords, those passwords’ corresponding devices can be compromised and weaponized. This is the attack method employed by the creators of Mirai, the notorious IoT botnet that launched one of the largest DDoS attacks in history.
Mirai managed to ensnare IoT devices like routers, surveillance equipment, and CCTV cameras by simply exploiting default passwords. When inadequately secure IoT devices are ensnared in a botnet, they can be used to launch DDoS attacks that can cause serious downtime to targeted businesses. It’s worth noting that Mirai’s attack methods and code are still being used by other IoT botnets up to this day.
2. Obsolete software components
Driven by the desire to roll out products faster than the competition, many IoT connected device manufacturers forgo security measures. Some of them even use outdated software components/libraries. The problem with outdated software is that they no longer receive security patches. It’s almost impossible to secure IoT devices if they have components that can’t be patched. If an outdated software component is found to possess vulnerabilities, those vulnerabilities will no longer be fixed.
In 2019, the FDA issued an advisory warning people in the healthcare industry of potential risks in certain medical devices that used IPnet. IPnet is third party software component no longer supported by its original vendor but still used by some medical device manufacturers. Vulnerabilities in the IPnet code make IoT devices that use it susceptible to Denial of Service (DoS) as well as Remote Code Execution attacks.
Although there hasn’t been any report of any attack associated with that particular vulnerability, it still remains a serious threat. Any attack on a medical device or equipment can put human lives, not just IT systems, in danger.
3. Insecure networks
IoT devices are often deployed on corporate networks, alongside other IT assets. If your network is inadequately secured, a security incident affecting one component in that network can affect other components as well. That’s how computer worms and other similar types of malware propagate. IoT devices, being network-aware, are susceptible to the same types of vulnerabilities that afflict network devices.
Remember Mirai? One particular Mirai variant was found to employ exploits that targeted both network routers and IoT devices. As with other Mirai variants, this particular malware had DDoS capabilities. Meaning, if it manages to ensnare your routers and IoT devices, it can use them to launch DDoS attacks.
If your devices are used to carry out a DDoS attack, they’ll consume precious network bandwidth as well as their own computing resources. This can affect the performance of your network as well as other systems that use it. Moreover, if investigations trace the attack to your network and discover your inadequately secure IoT devices, you could suffer reputational damage.
Many organizations already have security policies in place that mitigate risk in their respective IT environments. Unfortunately, IoT devices and the IoT manufacturing industry are fraught with issues that can impede security initiatives.
3 Major IoT Security Implementation Challenges
The moment you start the process of securing your IoT environment, you’ll realize the task won’t be easy. Here are some challenges you’re bound to encounter when you attempt to secure IoT devices.
1. Lack of visibility on IoT devices in the organization
Most IoT devices like smart HVAC systems, smart locks, smart CCTV cameras, etc., aren’t classified as IT assets. Consequently, these devices are normally procured without the knowledge of IT. When that happens, your IT team won’t be able to track and monitor these devices. This issue is further aggravated by the fact that IT teams have very limited understanding of how these devices work.
Most IT teams don’t even know what types of data these devices collect or generate, let alone where the data is stored. Is the data kept locally or stored in a public or private cloud? This lack of visibility usually results in the inadvertent exclusion of these devices from risk mitigation activities. Chances are, you’ll exclude your IoT devices from vulnerability scans, patch management, security audits, penetrations tests, etc. Alas, you can’t possibly secure what you don’t know.
2. Lack of standards for IoT security
There are currently no security standards that govern development, testing, production, and all other processes in IoT device manufacturing. It’s always been this way in every nascent technology. Vendors, eager to grab market share, rush to roll out products as fast as they can. As a consequence, functions, features, and performance are given priority over things like security.
This could be a stumbling block when you attempt to apply existing standards-based policies and audits to IoT devices. Let me give you an example. Patch management is a common requirement in security standards like ISO 27001 Annex A, PCI DSS, and the NIST Cyber Security Framework. However, even if you have a patch management policy in place, you won’t be able to apply that policy to IoT devices. That’s because many of these devices aren’t capable of being patched in the first place.
3. Poor to non-existent vendor security practices
With no security standards to adhere to, vendors will just tack on their own interpretation of security. That’s assuming they bother with security at all. That can be a problem with vendors who only have a superficial understanding of security. For example, let’s say your IoT vendor recognizes the importance of patching and enables its IoT product to support firmware updates. While patching helps, it may be insufficient if the product being patched doesn’t support firmware signing.
Firmware signing enables developers to digitally sign firmware updates as they are pushed to a device. The device can then check the signature to verify if the update originated from a trusted source. Without this capability, threat actors can hijack your update processes and turn them against you. They can push unauthorized, malicious updates that can compromise your IoT devices.
Alright, so now that you’re aware of the vulnerabilities and security-related challenges in IoT environments, I’m sure you want to know how to secure IoT devices. Here are some best practices you can apply.
Top 5 IoT Security Best Practices And Why You Need Them
Here are some best practices to ensure you only use secure IoT devices.
1. Discover, track, and monitor your IoT devices
This is the first thing you need to do if you want to secure IoT devices, as you simply can’t secure what you don’t know. Discover, track, and monitor every single IoT device in your network(s). If you can find a solution that can automate these processes, that would be ideal. But if not, then you’ll have to accomplish all these tasks manually.
Since your IT team is usually in charge of IT asset management, which involves discovering, tracking, and monitoring IT assets, they can be given this responsibility. To give them a heads up right from the start, you can loop them in on every IoT device procurement. Once you’ve gained complete visibility of your IoT devices, it will be easier to apply succeeding best practices.
2. Implement a strong authentication policy
A strong authentication policy is a security policy that requires all devices, systems, applications, etc. to be protected by strong credentials. What does that mean? If your IoT connected devices use passwords for authentication, then you should assign them long, complex passwords. That means you must avoid short and easy-to-guess passwords like “123456” or “password”. It also means you must replace factory default passwords with new values.
More importantly, you must ensure only authorized users/admins know the passwords of the IoT devices they’re responsible for. A strong authentication policy results in secure IoT devices because attackers will find it difficult to break into them.
3. Adopt patch management
Patch management is a systematic approach of applying software updates a.k.a. patches. Many of these patches include security updates that fix known vulnerabilities in the software being patched. Since your IT team will likely already have a patch management program in place, they can include your IoT connected devices in their patching schedules. As you can see, this best practice would be easier to implement if you’ve already established #1.
Since not all vulnerabilities can be discovered at the same time, patch management should be an ongoing practice. Each security update is supposed to address a new set of vulnerabilities. In effect, you’ll have relatively more secure IoT devices after each round of patching.
4. Apply network security best practices
Network security consists of a broad set of best practices that includes applying/establishing network segmentation, data-in-motion encryption, firewalls, and so on. Network security will usually be implemented by your IT team or your dedicated cybersecurity team if you have one.
Technically speaking, not all network security practices will secure IoT devices on an individual level the way, say, patch management does. Rather, since IoT devices communicate and perform many of its tasks through the network, you can still secure IoT devices by securing your network.
5. Choose vendors that give importance to security
As discussed earlier, it’s going to be more difficult to apply security measures if your IoT device is inherently insecure. You can’t patch a device that doesn’t support patching, remember? The good news is that vendor cybersecurity awareness, even in the IoT industry, is improving.
You can therefore ask your procurement officer to add security as a major criteria in choosing an IoT device. They can, for example, prioritize products that support firmware signing and avoid products that use hardcoded passwords. By procuring only secure IoT devices, you can minimize risk in your IoT environment and simplify the process of incorporating them in your security initiatives.
Final Words
As the Internet of Things gains even greater foothold in business environments, it’s important to understand the risks that accompany it. More importantly, businesses need to know how to secure IoT devices as well as the networks and processes that use them.
In this post, we discussed some best practices to secure IoT devices. We emphasized the importance of establishing visibility, strong authentication, patch management, network security, and vendor security. If you’re using IoT devices in your business, I encourage you to adopt these best practices and start learning more about IoT security.
If you encountered any questions along the way, you’ll find additional information in the FAQ and resources sections below.
FAQ
Can firewalls help secure IoT devices?
Yes, there are certain types of firewalls that are designed to address security issues that involve IoT devices. Some Next Generation Firewalls (NGFWs), in particular, have built-in features that enable IT admins to create firewall rules based on IoT traffic.
What’s the most practical way of implementing data-in-motion encryption for IoT devices in business networks?
When it comes to providing data-in-motion encryption, there are usually two choices: SSL/TLS or VPNs. The latter usually requires SSL/TLS encryption capability at each endpoint device. Unfortunately, many IoT devices lack that capability. Hence, it’s more practical to use, say, a site-to-site VPN, which applies encryption at the gateways instead of each endpoint.
How can we discover vulnerabilities in our IoT devices?
One way to discover vulnerabilities in your IoT devices is to run penetration tests. These are tests that involve not only discovering vulnerabilities, but also attempting to exploit those vulnerabilities the way hackers do. If you don’t have anyone in your organization who can run pentests, you can hire a third party that offers penetration testing as a service.
Why is cloud network security important in a world of IoT devices?
Many IoT devices leverage cloud services to store data, analyze collected data, perform additional processing that can’t be done on the device, and so on. Those cloud services extend your attack surface, i.e., points directly or indirectly associated with your business that attackers can exploit. You can mitigate these risks by instituting cloud network security.
Will the influx of IoT devices affect WAN performance?
Yes, IoT devices will compete with other devices and IT components for wide area network bandwidth. The more IoT connected devices you have, the greater their impact will be on your network. One way to address network performance issues in your WAN is to employ WAN optimization.