If the mere mention of IoT security leaves you feeling uneasy, you’re neither alone nor unjustified. Forbes has reported that the number of malware incidents targeting IoT devices leapt from 813 million in 2018 to 2.9 billion the following year. During that same time period, a NETSCOUT intelligence report on IoT security issues, ominously titled Dawn of the Terrorbit Era, found that devices were attacked by malicious actors within five minutes of being connected to the Internet.
The volume and sophistication of those attacks have only risen as IoT adoption increases among both consumers and industry. In its IoT – The Internet of Transformation 2020 white paper, Juniper Networks estimated that the total number of IoT connections will hit 83 billion by 2024. Those billions of devices will be an attractive target for malicious actors, which in turn will introduce new IoT security challenges while intensifying existing ones.
This has made IoT network security a prime consideration for organizations that want to benefit from automation and efficiency without exposing themselves to undue risk. However, that heightened awareness doesn’t always lead to action. As part of its research for the 2020 Unit 42 IoT Threat Report, Palo Alto Networks found that “98% of all IoT device traffic is unencrypted, exposing personal and confidential data on the network.”
Compounding these IoT security problems is the fact that no standard guidelines on IoT security exist. This means that even well-intentioned organizations that are willing to allocate the necessary funding and resources to cybersecurity will only find a few white papers outlining best practices or offering recommendations from the IT community.
IoT security issues and why they exist
To overcome the many challenges for secure IoT, we first have to understand the nature of IoT security issues.
Generally, organizations put all their IT resources (e.g., servers, computers, printers) behind a firewall. Cloud-service providers allow them to create secure pipelines (e.g., VPNs) to communicate with the cloud infrastructure outside the organization. All of this infrastructure—that is, on-prem, cloud and hybrid—then falls under the supervision of the IT team, who ensure that among other things data communication to and from the servers is fully encrypted. This makes it harder for malicious actors to access that data and steal sensitive information.
But anyone who reads the headlines knows that data breaches still occur. Infamously, Home Depot was broadsided by point-of-sale (PoS) malware in 2014, one year after Target suffered the same kind of attack. The personal information of tens of millions of customers was compromised. Hackers were able to do this by identifying vulnerabilities in “benign” networked devices and exploiting those overlooked endpoints.
In other words, the large organizations were too focused on big, obvious targets, such as their corporate servers, at the expense of IoT network security. It’s akin to investing in a high-tech alarm system and then leaving the basement window open.
The challenges facing IoT security
That analogy is helpful in shedding light on why IoT and security issues seem to go hand in hand. Because IoT infrastructure consists of many small, often inexpensive physical endpoint devices such as sensors or switches, it’s easy to underestimate the risk that they pose. Comprehensive IoT security solutions therefore have to account for all these devices and provide a practical framework for addressing any vulnerabilities.
In order to eliminate or at least mitigate IoT network security issues, here are some of the biggest oversights, mistakes and technological hurdles that need to be overcome:
- Security as an afterthought: According to a survey of 1,000 executives conducted by PwC, 93% stated that IoT’s benefits to their organization outweighed its risks. Only 48% were concerned about possible IoT security issues. IoT and security should instead be treated like two sides of the same coin. IoT security solutions need to be co-developed alongside IoT deployments and implemented as a whole.
- A lack of standard IoT security best practices: Industry leaders, government agencies, recognized IT experts and advocacy groups ought to collaborate and design a common checklist of IoT security recommendations for organizations to follow. Think of something like the NSA’s best practices for mobile devices or home networks but designed specifically for IoT network security.
- Low-powered devices: One of the things that makes IoT devices so inexpensive is their limited processing power and storage space. Unfortunately, that sometimes leads manufacturers to cut corners on their codebase, which leaves loopholes in the devices’ firmware. Lest they be flagged as potential IoT security problems, essential or “frontline” IoT devices should support standard security best practices, such as public key infrastructure (PKI).
- Short device lifespans: As another cost-cutting measure, manufacturers tend to view IoT equipment as short-term devices with limited useful lives. Aside from the e-waste this generates, it also leads to IoT security issues over the distribution and renewal of digital certificates. These digital certificates are essential for secure device authentication and validation, and they should ideally be updated for as long as the device remains in use.
- Limited oversight: Organizations don’t always have standard operating procedures and adequate software tools to monitor and manage their IoT devices from a security standpoint. At the very least, these tools should be a part of any IoT security solutions that they develop and implement.
- Prolonged response times to possible threats: A major side effect of limited oversight is that it prevents IT teams from identifying breaches or responding quickly to attacks. Of all the IoT network security issues highlighted here, this represents the last line of defense. IT teams need to have the ability to easily zero in on a malware-infected device, revoke its digital certificate immediately and quarantine it to stem any further damage.
Identifying the right IoT security solution
With so many concerns surrounding IoT network security, you could be forgiven for wondering if it’s worth implementing IoT at all. But the good news is that IoT and security don’t have to be mutually exclusive. They can—and must—be fully integrated parts of the same solution.
At Bridgera, separating IoT and security issues is fundamental to our entire philosophy. When we develop a custom IoT solution, whether it’s for a logistics use case or a healthcare implementation, we make a point of designing the risks out of the system. IoT security is an integral part of our IoT service enablement, not an add-on or an afterthought.
Do you already have an IoT solution in place that’s running up against some of the IoT security challenges outlined above? Or maybe you’re planning to build one but are worried about IoT security issues? Contact Bridgera today and schedule a free call with one of our IoT experts today. We’ll work with you to develop a custom IoT solution that’s cost-effective, full-featured and above all secure.