With IoT now part of everyone’s lives, our things are connected to each other and centralized systems via networks but these are all at risk from weak IoT security which threatens the security of users’ and organizations’ data, leaving them open to threats from malicious actors. The IoT industry has been fighting back for many years by enabling IoT security tools that protect devices and systems from threats and breaches.
IoT security risk can be mitigated by identifying and monitoring common threats before they become reality, helping to protect availability, integrity and confidentiality. Even so, cybercrime continues to grow with IoT deployments under threat from weak passwords and facing IoT security issues caused by the radically enlarged threat surface of IoT. We have seen examples such as tire pressure monitors being used to hack into vehicle systems or even a connected fish tank pump being used as a means to access financial systems at a Las Vegas Casino.
IoT security awareness is high and continuing to increase but this can also be damaging to the market place and decrease trust in IoT. Many organizations are therefore focusing on fixing vulnerabilities and helping to foster confidence by detailing best practice and conforming to various legislation and regulation initiatives that are being developed specifically for IoT across the world.
As IoT device numbers scale up further, the risk profile becomes higher. We have already seen the 2016 Mirai botnet attach on more than half a million unsecured IoT devices around the world which caused a flood of traffic and made many websites temporarily inaccessible. The scale of this attack underscored the need to address IoT security issues by ensuring their integrity and confidentiality while mitigating security risks.
Organizations that deploy IoT face substantial security risks as criminal target their operations, utilizing ransomware attacks to extort payments. Checkpoint Research has uncovered that the average number of daily ransomware attacks increased by 50% in Q3 of 2020 in comparison to the first half of 2020 (Source).
Organizations such as GSMA have published IoT security guidelines and in California and Oregon in the US, as well as in the UK, IoT Cybersecurity Laws have been put in place since 2020 which require IoT devices sold in their countries to be fitted with reasonable security features. These include having unique password, offering regular security updates and disclosing vulnerabilities.
The concept of integrating IoT security by design is now well understood and a vital consideration for devices that will be in the field for up to 20 years. This lifecycle means that security must be easy to update regularly and offer flexibility to counter new threats. Lifecycle management of device credentials, cryptographic keys, software patches and upgrades, and digital certificates are fundamental foundations of a new era of enhanced IoT security.
A network of private computers infected with malicious software and controlled as a group without the owners’ knowledge.
This came into force in May 2018 and imposes rules on controlling and processing personally identifiable information.
A secure network protocol suite that authenticates and encrypts the packets of data sent over an internet protocol network. IPSec uses cryptographic security services to protect communications over IP networks.
A collective term used to describe different types of control systems and associated instrumentation, which include the devices, systems, networks, and controls used to operate or automate industrial processes.
A framework for business processes that facilitates the management of electronic or digital identities.
US regulatory body NIST has offered frameworks for IoT security and Congress passed the IoT Cybersecurity Improvement Act in December 2020. It also requires NIST to publish standards and guidelines on the use and management of IoT devices.
Organizations implement privileged access management (PAM) to protect against credential theft and privilege misuse. PAM describes a comprehensive cybersecurity to control, monitor, secure and audit all human and non-human privileged identities and activities across an enterprise IT environment.
A set of roles, policies and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption. PKI is a critical enabler of secure communication, data and money exchange.
Ransomware is a type of malware that extorts victims for financial gain. Once activated, it prevents users from interacting with their files, applications or systems until a ransom is paid.
Terms to describe IoT devices in active use without the knowledge of the owner or their IT departments.
An encryption protocol used to protect data in transit between computers enabling two computers to agree to encrypt the information in a way they both understand.
Describes a security model designed to protect digital businesses. Zero Trust sets out that organizations should not automatically trust anything regardless of whether it is outside or inside their operation. Zero Trust demands that everything trying to connect to your systems must be verified before access is granted.
A unique identification or serial number that all mobile phones and smartphones have. It is normally 15 digits long.
A barcode symbology and numbering system used in global trade to identify a specific retail product type, in a specific packaging configuration, from a specific manufacturer.
A globally unique number identifying a physical piece of CDMA2000 mobile equipment.
RFID devices are used for data transmission and capture by way of radio waves.
An enhanced version of a bar code. Unlike traditional bar codes, a smart label can contain much more information about a product. Smart labels take the shape of RFID tags, Electronic Article Surveillance (EAS) tags, or the most commonly seen, QR codes.
A number given to any device within any system to allow the ability to interact with it.
A string of characters that unambiguously identifies a particular resource.