The Internet of Things (IoT) comprises a hugely diverse range of devices, from smart consumer gadgets to sophisticated solutions that operate in utility, industrial, manufacturing and defence systems. Given the massive breadth and scope of IoT infrastructures, organisations will need to raise their security game to a whole new level to reap the benefits of IoT without risk.
Unfortunately, many IoT devices - thought to be secure - are still vulnerable to attack. Even though critical infrastructure and industrial automation devices usually operate within the secure perimeter of an enterprise network, that perimeter network is often porous and easy to disable or penetrate. What’s more, insider threats are on the rise and account for more than 70% of all cyber attacks.
Cybercriminals use advanced and insidious means to infiltrate even the most simple or benign IoT devices. Any device on a network could potentially act as a gateway to systems that offer more value. Your connected fridge may not hold the secrets of the universe, but it could allow hackers to access other devices such as your laptop, mobile phone or home security system.
Of course, the stakes are raised exponentially for industrial and defence IoT systems. From national power generation and distribution infrastructures to global manufacturing operations, IoT devices could pose an increased operational risk if compromised. In 2018, Russian hackers penetrated the security of a number of power plants in the US. This unauthorised access could have allowed them to shut down networks and cause power blackouts across a wide area. This recent revelation significantly underscores the need for extreme vigilance and robust security measures for any IoT infrastructure.
One way to close the vulnerability gaps in an IoT ecosystem is to start with the devices themselves. Particular focus should be on the devices that operate continuously while unattended. These will not be subject to direct observation or regular monitoring and therefore pose one of the biggest risks. Making these devices tamper-evident and tamper-proof is a good first step in preventing potential intruders from accessing data.
Deploying a layered approach to device security that requires attackers to circumvent a number of obstacles can also help prevent data from being reached. Companies should start with the most common vulnerabilities, such as open password prompts, open serial ports and open TCP/UDP ports. Web servers, radio connections and unencrypted communications that could be vulnerable to code injection and manipulation should also be protected.
Of course, an IoT device is really only ever as secure as the network it is connected to. Organisations should consider solutions with access control mechanisms at their core that ensure only authorised users have access to devices and data. For example, passwords must be sophisticated enough to resist brute-force methods and educated guessing. Where possible, two-factor authentication (2FA) should be implemented to add a further layer of security every time a user logs into a system.
For IoT applications, adaptive authentication or context-aware authentication can be used to constantly evaluate risks without causing a negative impact on the user experience. For example, a system can be set to only authenticate users logging in from a specific geographic location or at a certain time of day. Any attempt to log in outside these criteria will be denied.
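The location and time-of-day rule described above can be expressed as a small policy check that fails closed when context is missing. This is an added example, not code from the article; the `Policy` and `LoginContext` names, the country code supplied by an upstream geo-IP lookup, and the sample attempts are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time, timezone
from typing import Optional


@dataclass(frozen=True)
class Policy:
    allowed_countries: frozenset   # ISO 3166-1 alpha-2 codes
    window_start: time             # UTC, inclusive
    window_end: time               # UTC, exclusive; may wrap past midnight


@dataclass(frozen=True)
class LoginContext:
    user: str
    country: Optional[str]         # assumed to come from a geo-IP lookup; None if unknown
    when: datetime                 # must be timezone-aware


def in_window(t: time, start: time, end: time) -> bool:
    if start <= end:
        return start <= t < end
    return t >= start or t < end   # window wraps midnight, e.g. 22:00-06:00


def evaluate(policy: Policy, ctx: LoginContext) -> tuple:
    """Return (allowed, reasons). Missing or ambiguous context is denied."""
    reasons = []
    if ctx.country is None:
        reasons.append("location unknown")
    elif ctx.country.upper() not in policy.allowed_countries:
        reasons.append(f"location {ctx.country.upper()} not permitted")
    if ctx.when.tzinfo is None:
        reasons.append("timestamp has no timezone")
    else:
        t = ctx.when.astimezone(timezone.utc).time()
        if not in_window(t, policy.window_start, policy.window_end):
            reasons.append(f"time {t:%H:%M} UTC outside window")
    return (not reasons, reasons)


# Constructed sample policy and login attempts
POLICY = Policy(frozenset({"GB"}), time(7, 0), time(19, 0))
ATTEMPTS = [
    LoginContext("operator1", "GB", datetime(2024, 3, 4, 9, 30, tzinfo=timezone.utc)),
    LoginContext("operator1", "GB", datetime(2024, 3, 4, 23, 5, tzinfo=timezone.utc)),
    LoginContext("operator1", None, datetime(2024, 3, 4, 9, 30, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for a in ATTEMPTS:
        print(a.user, a.country, a.when.isoformat(), evaluate(POLICY, a))
```

Returning the denial reasons alongside the decision gives the audit trail something concrete to record for each rejected attempt.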
IoT devices depend on a number of network protocols used at various layers of the technology stack. The use of robust encryption technologies will provide multiple obstacles to criminals attempting network-based attacks.
In addition to the devices themselves, companies also need to ensure all stored and flowing data is strongly protected. Often, this data contains personally identifiable and sensitive information. Organisations that fail to protect this data may not only experience an adverse impact on operations if it falls into the wrong hands, but also be hit hard with regulatory fines and penalties.
A good security strategy also means putting strong security policies in place. Endpoint anomaly detection, granular audit trails and responsive forensic capabilities should all be considerations for preventing and detecting security breaches.
And it isn’t just cyber attacks that are a threat to IoT devices and networks. Accidental damage and damage from exposure to the elements are also risks that must be managed. For both consumer electronics and industrial-grade devices, nano-coating technology is adding significant reliability and value. Whether it’s a connected traffic light, sensor in a farmer’s field or a 5G-ready mobile device, advanced hydrophobic coatings can help to protect devices and ensure continuous connectivity throughout their lifetime.
Due to the explosion in the number and diversity of IoT devices available to organisations and individuals, overall management of connected devices has become a difficult task. Security vulnerabilities are threatening to halt IoT’s progress, especially in industrial sectors and B2B landscapes where the stakes and risks are much higher. Organisations embarking on a journey of discovery and innovation with the Internet of Things need to prepare to make investments in the right security solutions and initiatives.