The Internet of Things (IoT) has revolutionized virtually every aspect of our lives, rapidly digitalizing the physical world. After operability, the primary concern of any organization employing IoT devices should be security. As the number of devices comprising IoT increases, the departure of IoT security from traditional IT security approaches has become increasingly evident.
IoT Security Challenges
The sheer numbers can be overwhelming: where traditional IT deals with millions of machines, IoT works with billions. This scales any potential vulnerability, magnifying potential effects. Any individual compromise might be an inconvenient glitch, but when multiplied over thousands of connected devices, widespread failures in critical systems like water treatment or power grids can occur.
An additional concern is the physical nature of IoT, which introduces both environmental factors as well as increased vulnerability to hackers or malicious software. One example is lifecycle mismatches: physical IoT objects are often designed to last years or decades longer than traditional IT assets. As these age, functional devices are increasingly likely to experience unpatched vulnerabilities. The Mirai botnet DDOS attack, for example, exploited outdated versions of Linux on webcams, converting them into a broad grid of remote-controlled bots for widescale network attacks.
The diversity of IoT creates substantial security mismatches. Traditional IT is generally concerned with only a few types of devices (servers, desktops, laptops, and mobile devices) running on limited software systems (Windows, macOS, Linux, Android, or iOS). IoT devices and their proprietary software are virtually unlimited: someone could potentially hack your smart doorbell and wind up accessing your bank account by obtaining personal information and unique identifiers.
Finally, there is an economic disincentive to provide ongoing, up-to-date security. The more expensive something is, the more likely a customer is to pay for ongoing support. As IoT becomes more widespread and commonplace, the cost of each device decreases, lessening the chance these will continually be updated to current security standards. Extended car warranties are an excellent example: if few consumers are willing to invest in ongoing prevention for items that cost tens of thousands of dollars, investing in similar protections for light switches, doorbells, and home thermostats is unlikely.
The Direction IoT Security Should Take
IoT innovators are currently focused on several broad initiatives.
First, there’s a need to design IoT devices from the ground up with preventative security in mind. Security can no longer be an afterthought or a secondary stage of development; it must be included at the blueprint level.
Second is the need for IoT device compromises to be detected in all environments as quickly as if the failures occurred in a server room. This includes errors and failures in device hardware and software, as well as anomalous data that could indicate a malicious presence.
Third, IoT administrators are beginning to rethink network design in the context of IoT. Where traditional IT relies on firewalled perimeters to protect extensive “trusted” zones, each individual IoT device must contain the same level of protection as others. Instead of a single point of access, IoT devices should be sequestered at various levels continually, permitting only authorized communications and commands to be sent and received within the network.
IoT Security Actions You Can Take
When adding IoT devices, insist that all undergo adequate security and penetration testing as well as comprehensive software composition analysis. The obvious reason for this is to prevent malicious activity and device failure in the first place, but even more important is understanding the risk profile each device and system represents.
Creating a zero-trust network, such as that outlined by Google in their BeyondCorp framework, is a critical component of IoT security. This approach treats every device as if it has been infected, beginning with a whitelist of commands that are expected of the particular IoT device. Each device is then required to authenticate to a proxy before it can communicate with the network at large, automatically isolating any device that either fails to authenticate or acts strangely.
The overwhelming number of smart devices makes it impossible to be policed by humans, so leveraging smart software that actively scans IoT networks and reports anomalous activity is crucial. An accurate grasp of the risk profiles present in each device, system, and network is crucial: without this, anomalies cannot be accurately identified or assessed consistently.
IoT has revolutionized traditional IT applications in the physical world. How we approach IoT security also needs to evolve to meet the distinct needs of these technologies as their complexity and diversity steadily increase.
We can help
Dynamic provides solutions to mitigate IoT cybersecurity risks, so your internal IT team can stay focused on innovation and business goals. Contact us today to get started. Call 866-399-1084 or email us at firstname.lastname@example.org.
Moiz Bhinderwala leads the technical services and logistics teams at Dynamic. With more than 10 years of experience in the IT industry, Moiz has deep knowledge of the complex technological landscape, working closely with clients to understand their IT challenges and help design custom technical solutions to meet their business goals.