Why It’s Time to Adopt IoT Security by Design
By Arndt Kohler
Although the definition is ever-evolving due to the influx of new technologies and widespread convergence, in general, the internet of things (IoT) is a massive infrastructure comprising countless interrelated computing devices. We encounter the IoT in a myriad of forms as we go about our daily routine, from sensors and actuators to complex products such as smart vehicles.
In fact, new industrial equipment added to the production environment is more and more IoT-enabled, connecting to cloud services and backend IT systems via the internet.
Like traditional IT systems, IoT deployments are susceptible to a host of cyberthreats, such as phishing campaigns, exploited vulnerabilities and ransomware attacks, to name a few. However, due to their interconnected nature, the impact of a compromised IoT device, depending on the use case, could be much more significant and farther-reaching. For example, while a disabled household appliance might be an inconvenience, a connected car under an attacker’s control could cause serious physical harm.
3 Common Barriers to Effective IoT Security
IoT security gaps arise from multiple areas. Let’s explore three of the most common challenges security teams face when protecting IoT deployments from sophisticated cyberthreats.
1. Device Life Cycle
Put simply, if your laptop or smartphone is 10 years old, it belongs in a museum — not connected to enterprise networks that house highly sensitive data. Vendors do not support such devices for that long, and outmoded devices quickly become incompatible with operating systems and applications employees need to perform their jobs.
For IoT devices, however, the life cycle is often much longer or even indeterminate. Organizations may not upgrade their equipment or update the software running on IoT systems with the same regularity, putting devices — and, ultimately, enterprise data or entire IoT infrastructure — at risk.
2. Vulnerability Management
For traditional devices, most organizations have processes firmly in place to regularly update operating systems and applications. There are widely followed security frameworks and best practices to help manufacturers and organizations detect, analyze and fix vulnerabilities. IoT products are governed by no such standards, which leads to vulnerabilities going undiscovered and unpatched for long periods of time — or even forever.
3. Security Controls
It’s easy to think of security measures such as multifactor authentication (MFA), closed operating systems and restricted applications as invasive, annoying and unnecessary, but they all reflect vital lessons learned from past security incidents. Because the IoT is still in its infancy, connected devices often lack these basic security measures. In many cases, these products were not designed to connect to the internet in the first place. The automobile, for example, evolved over many decades, starting long before the dawn of the internet.
How Can Businesses and Manufacturers Achieve IoT Security?
What, exactly, does it mean to secure the internet of things? Where do you start?
A good first step is to review recommendations and frameworks from cybersecurity authorities such as the National Institute for Standards and Technology (NIST) and the European Union Agency for Cybersecurity (ENISA). Keep in mind, however, that these frameworks were largely designed for classical IT, not IoT infrastructures, which vary widely depending on the use case and are rarely homogeneous in terms of security.
For example, some newer solutions might be able to support identity and access management (IAM), while others may not. During a product’s life cycle — even in the time it takes to perform a regular update — uses cases are added and changed, which dramatically impacts risk. Data that is insignificant under one set of circumstances could lead to unacceptable levels of risk when set to automatically trigger decisions.
In classical IT, manufacturers typically support their products during operation or offer operation as a service integrated within the company’s security organization. Aftersales for IoT devices and infrastructure often involve maintenance, not functional operations or security. Ideally, a device operator should know that a) they are obligated to operate the device and b) the device has the ability to operate. In practice, however, it is often more complex, since different entities tend to design, produce, install, deliver and operate these devices. As you might imagine, it is difficult to unify all parties involved under the same IoT security strategy and ramp them all up to a similar level of maturity.
Given these challenges, the guiding principle for IoT security today is to adopt security by design and by default. Since different use cases call for vastly different strategies, this principle will not look the same across IoT deployments. But this much is clear: Now that IoT adoption is the norm across enterprises, it’s time for businesses, governing bodies and device manufacturers to come together and define the appropriate controls to satisfy the ever-increasing need for IoT security.