Billions of IoT devices have resulted in a radically larger threat surface through which not only IoT devices but also networks, systems and software can be attacked. Organizations therefore need an IoT security framework that adheres to industrial IoT security standards and conforms to GSMA IoT security guidelines so deployments can achieve compliance and enterprises can ensure their IoT data security strategy is fit for purpose.
In contrast to network or IT security, IoT security specifically focuses on achieving security by monitoring, protecting and remediating threats to IoT devices and the networks they are connected to. The main aim of IoT security is to maintain the privacy of data handled by cloud-connected devices and protect against cyberattacks. IoT security also encompasses protection from physical attacks which can see IoT devices used as a back door into corporate networks.
IoT security risks come in several forms and often stem from the speed at which the market has developed, which has resulted in limited testing and development. IoT device security threats have been overlooked with security treated as an afterthought in the development process. Even when security has been considered in advance of deployment, IoT device security threats often are still not fully addressed because of a lack of regular security updates for deployed devices.
A recent report from security specialist Kaspersky has revealed that, while two-thirds of organizations use IoT solutions, 43% of business don’t protect their full IoT suite with some parts of their IoT infrastructure yet to have any protection. This is holding back the development of IoT as the risk of cybersecurity breaches and data compromises delays implementations.
In common with all security, a popular cause of IoT security problems is human interaction. The human element can leave processes overlooked and weaknesses unaddressed, either unintentionally or intentionally by cybercriminals. A typical example is the shipping of IoT devices that have default passwords. Customers often realize they can and should change these or adopt weak passwords that are also vulnerable to hacking or brute-forcing.
Interest and awareness of IoT security is growing as the value of IoT data increases. IoT devices collect, send, store and process huge volumes of data which can be sold to third parties if accessed by criminals. Few users read data privacy details before using a service and therefore do not prioritize protecting their data. With increasing reliance on cloud and edge computing, ways to access data have increased so securing IoT connections as well as devices is becoming more widely recognized.
IoT cloud security also suffers from malware and ransomware attacks with IoT botnet malware among the most widely experienced attack formats. Infected IoT devices can also be used for distributed denial of service (DDOS) attacks when they are used to infect more machines and conceal malicious activity. These threats are increased by continued usage of common interfaces that offer weak or no encryption.
Changing lifestyles and working practices are also weak points for IoT security. Homeworking sees users on home networks that can have weaker security than enterprise networks and secure remote access IoT is threatened by use of consumer networks that may have greater vulnerability. In addition, the proliferation of devices in the home is leading to growing instances of correct security configuration on devices being overlooked. A single misconfigured device can put an entire household – or business - at risk and, if the home network is being used for work, that could provide a breach point into a corporate network.
IoT security is composed of IoT device security and IoT network security and each has several best practices for ensuring optimized security. Cyber security for devices relies on ensuring updates to devices and software are maintained. Out-of-date software makes it easier for hackers to breach security. Updating and management should also be adopted for passwords with default passwords changed to strong passwords that are updated regularly and the usage of unique log-ins and passwords across different devices.
Organizations should also check the privacy and security setting of devices to ensure preferences are correctly set and device features should be carefully managed. Disabling unused features can lock-down potential attack opportunities by de-activating features such as Bluetooth or voice activation.
For enterprises, deployment of monitoring tools that help discover track and manage devices helps protect the organization from attacks while conducting penetration testing can help to ensure the level of security a device offers is well understood before it is deployed. Conducting tests before devices are deployed is an essential step in developing a comprehensive IoT security strategy.
IoT security standards, such as PSA Certified and the GSMA security guidelines, are coming to market, alongside IT and network security standards. Soon, these will provide frameworks and checklists for IoT organizations to work to, essentially allowing consumers to check for security certification of devices and compliance with relevant national and regional IoT security laws.
Home and enterprise Wi-Fi networks offer well-known security methods, such as WPA2, that are password-based and enable secure communication. Cellular IoT security can also maintained thanks to the in-built security and encryption methods the industry has deployed.
The increase in volume of data transmitted, enabled by 5G, also presents a greater opportunity for criminals to hack, potentially allowing for larger-scale data theft. Many of the methods for managing 5G security are mature and well-proven in previous cellular generations and will continue to effectively address threats such as malware and ransomware. Technology itself is presenting responses to 5G IoT security in the form of artificial intelligence, machine learning and automation which can be applied to analytical security tools, thereby accelerating and automating threat identification and remediation.
Security is a substantial threat to IoT’s continued adoption but the hardware, networking and software industries are working in concert on security measures to help protect and future-proof IoT businesses and their customers. Robust network security along with strong device security and the application of new technologies to monitoring and threat identification create a blend of security capabilities that will provide rigorous protection for IoT projects of all types. As standards mature and IoT legislation comes into play, IoT security will be stronger, more formalized and ready to cope with the scale and diversity of the future IoT-enabled world.