What Is IoT Security?
While relatively new as a discipline, the internet of things (IoT) has matured out of its initial stages of incubation into a clearly defined set of use cases that deliver discernible benefits to a variety of market verticals.
Today, IoT tangibly solves pressing business problems across many industries. Early adopters of this technology – such as healthcare, smart cities, building management, utilities, transportation and manufacturing – are attesting to its many benefits.
Advancements in IoT portend business transformation: 30% of devices on enterprise networks today are IoT devices.1 Rich data collected from these devices provides valuable insights that aid in real-time business decision-making and accurate predictive modeling. By enabling the convergence of IT and operational technology (OT) systems, IoT remarkably improves process automation, supply chain management and adherence to regulatory compliance to significantly bring down capital expenditures and operational costs. In addition, IoT is a key enabler of digital transformation in the enterprise, with the potential to drive up workforce productivity, business efficiency and profitability, and the overall employee experience.
The Question of Security
Despite the many advantages, the interconnectedness of IoT presents a substantial challenge to enterprises in terms of grave security risks arising from unmonitored and unsecured devices connected to the network.
While enterprise IT teams protect standard IT devices with appropriate network security, the security risks associated with IoT devices are less well-known, and securing them is too often overlooked. The reason is twofold. First, standard cybersecurity systems lack the ability to recognize specific types of IoT devices, their unique risk profiles and the expected behaviors associated with them. Second, IoT devices can be deployed by any business center and are not typically seen as part of IT, therefore bypassing typical IT security controls and processes, such as asset management, security patching, etc. Of course, this is perpetuated by the first reason. This is not to mention that different IoT devices use different hardware, chipsets, operating systems and firmware, and have a longer operational lifespan than their cyber lifespan.
By their very definition, IoT devices are electronic devices that sense or interact with an internal state or the external environment – this would include OT devices that monitor and control equipment or their processes. These network-connected devices are all targets for attackers and often aren’t maintained by IT, unlike computers (servers, laptops, etc.) and phones that are managed by agents. Without proper device identification and tracking mechanisms in place, IoT devices are often relegated as unmanaged endpoints in the network and therefore left vulnerable to exploits, password-targeted attacks and malware infiltration.
IoT Security Defined
From the above-noted vantage point, IoT security can be understood as a security strategy and protection mechanism that specifically safeguards from the possibility of cyberattacks on IoT devices that are connected to the network and purposely built for a fixed set of functionalities. Without robust security, any connected IoT device is vulnerable to getting breached, compromised and controlled by a bad actor to ultimately steal user data and bring down systems. Network security and operations teams should be incorporating IoT security into standard practice, process and procedure to ensure these unmanaged devices fall within the same level of visibility and control as those that are managed.
A cause for concern with securing IoT is that as more and more diverse types of IoT devices continue to connect to the network, there is a dramatic broadening of the attack surface. To add to this, the entire network security posture is diminished to the level of integrity and protection offered to the least secure device, unless that device was already adequately secured. On top of that, 98% of all IoT device traffic is unencrypted, putting personal and confidential data at severe risk.2
In a network, endpoints are the devices that are connected to the internet, and this includes IoT devices. Every endpoint provides a potential point of entry for a bad actor to expose the network to outside risks. So, as with other endpoints, IoT devices are vulnerable to intense weaponization. Infected with malware, IoT devices can be used as botnets to launch distributed denial-of-service (DDoS) attacks on the network the bad actor wishes to bring down. However, unlike IT devices, the vast array of hardware and operating systems for IoT devices makes it impossible to protect them all in the same way. A single malware prevention agent compatible with most IoT platforms does not exist.
Apart from this, poor password security practices continue to fuel password-related attacks on IoT devices, and weak device and network security postures make IoT devices easy to target. A growing number of IoT devices are unpatched and run on outdated operating systems. Some of the most frequent attacks on these devices are exploits executed using techniques such as network scanning, remote code execution, command injection and others. 41% of attacks exploit device vulnerabilities, as IT-borne attacks scan through network-connected devices in an attempt to exploit known weaknesses.3 After compromising the first device, lateral movement is opened up to access other vulnerable devices and compromise them one by one.
Besides using some of these time-tested attack tactics thought obsolete by modern IT-based malware prevention, peer-to-peer command-and-control (C2) communication and self-propagating IoT malware worms are two new attack tactics emerging on the IoT security horizon. IoT worms are, in fact, becoming more common than IoT botnets. Both tactics target decades-old legacy OT protocols to disrupt critical business operations in the enterprise.
IoT security must protect devices and the networks they are connected to from the ever-widening spectrum of IoT security issues. View this infographic to get straight facts on the State of Enterprise IoT Security in 2020.
1,2,3 2020 Unit 42 IoT Threat Report, Palo Alto Networks, March 2020, https://start.paloaltonetworks.com/unit-42-iot-threat-report.