Mozi. Dark Nexus. Mukashi. LeetHozer. Hoaxcalls. These are just a few of the nefarious botnets continuously threatening internet-connected devices around the world. And for now, they are succeeding: Internet of Things (IoT) devices saw a 100% increase in infections in 2020 over the previous year. And more than 150,000 IoT devices will be connected every minute by 2025.
Botnets are just one type of threat that can bring down internet-connected devices. Others include phishing, distributed denial-of-service (DDoS) attacks and many other types of malware. According to one report, 57% of IoT devices are vulnerable to medium- or high-severity attacks.
So why are IoT devices at such risk and why is securing IoT so difficult? For starters, there are just so many of them. In addition to connected devices in healthcare and manufacturing, they have entered both the consumer and business mainstream. In business environments, the devices are used for environmental monitoring, asset tracking, security, fleet management, predictive maintenance and much more. Wireless IoT—by far the fastest-growing type—can connect via cellular, Bluetooth, WiFi, RFID, Zigbee or low-power wide area networks (LPWANs). The devices can be out in the open and easy to see or hidden inside cabinets or other equipment. When out of sight, these devices are trickier to secure because, as tech experts are prone to say, “You can’t protect what you don’t know about.”
The devices themselves also can present risk. There are few security standards for IoT—although this is changing—and this lack of standardization in device security means that some are less secure than others.
California has made some headway in device security, and a few states have emulated it, but there is much more to be done. The California IoT law requires connected device manufacturers to provide “reasonable” security features. The new federal IoT Cybersecurity Improvement Act of 2020 requires that all internet-connected devices purchased by the federal government comply with minimum security recommendations issued by the National Institute of Standards and Technology (NIST). While this bill will have a major impact on the way federal agencies buy and use any type of internet-connected device, it’s unclear how, or if, it will improve private sector IoT security.
Finally, securing IoT is simply different from securing other types of computing infrastructure. Traditional security approaches are built to do things like run authenticated scans on a regular basis. If that’s done on an IoT device, which continually collects information, it could cause big problems. “When you do something as fundamental as pinging a device, it could potentially bring down some of these operational capabilities because the IoT is working all the time,” said Sean Peasley, an IoT security veteran and Deloitte Risk & Financial Advisory partner.
Securing IoT Is Far from Hopeless
There are several ways to improve IoT security. Start with the devices themselves. Because there are few standards, it’s important to do your own research. That means focusing on devices that have as much security “baked in” as possible.
Once you have the devices in your environment, make sure they are configured properly. That may seem like simple advice, but misconfigurations are the cause of many IoT vulnerabilities. For example, research from IBM X-Force found that poor configurations have left the door open for command injection attacks. It also pays to check whether your IoT device traffic is encrypted. According to one report, 98% of all IoT device traffic is unencrypted.
And know what you have. That means unearthing all devices in your environment—both standalone and embedded, out in the open and hidden. Then, once you know what you have, disconnect those devices you don’t need or use.
The next step is ensuring that the same protections you use for the rest of your infrastructure—access control, network security, endpoint security, etc.—work well for your IoT devices. It’s not so simple; even applying security patches becomes more difficult because doing so could disrupt the operational environment.
In some cases, it’s possible to tweak the tools you have to provide some security for IoT devices, but it’s probably better to focus on IoT-specific tools. “Take something as simple as monitoring your devices. When you’re dealing with devices on the scale of IoT, it’s not that translatable. It would take a lot of manipulation of your existing tools, and it doesn’t always make sense,” said Tanner Johnson, lead analyst for IoT security at Omdia.
For example, Palo Alto acquired IoT security company Zingbox in 2019 and used the technology to develop a secure endpoint solution for IoT devices. There are plenty of others on the market, including products from F-Secure, Armis and Pulse Secure.
Monitoring is another area where it pays to consider IoT-specific solutions. Security information and event management (SIEM) platforms, for example, collect information about activity on networks and in the environment. Because IoT devices are constantly collecting information, this requires a more passive monitoring approach, Peasley said. Examples of IoT-specific SIEM tools include RSA’s IoT Security Monitor and LogSentinel SIEM.
Other solutions try to provide all of the security necessary for IoT environments. Palo Alto’s cloud-delivered IoT solution, for example, promises to prevent known and unknown threats, prioritize risk with continuous vulnerability assessments, easily implement policies with automated risk-based recommendations and segment devices. Other vendors, including Fortinet, Check Point and CyberArk, also have broad-spectrum IoT security solutions.
Because it often takes adopting new technology to protect IoT devices and traffic, more companies are choosing to turn to an IoT security service. These services provide secure device management, network security, secure data hosting, over-the-air device management and firmware updates. ABI Research predicts that the IoT security services market will reach $16.8 billion by 2026.
Companies must take a nuanced approach to securing IoT today largely because the field is still relatively new, whereas the standards that exist for traditional IT environments have had time to mature.
“Enterprise security has been a focus for the last 20 to 25 years and has expanded significantly in the last 15 years, but it’s early days for IoT security,” Peasley said. “We’re in the second inning. Companies are starting to see it as a top risk as it becomes a revenue-generating aspect of their organizations.”
And even as companies find ways to secure the IoT devices and environments they have today, new technologies may prolong the struggle. For example, 5G, which promises excellent performance, can also present more risk. Current 4G LTE technology maxes out at about 4,000 devices per square kilometer for one signal transmitter, while 5G allows for about one million in the same area, a 250x increase.
Because the technology is so promising, companies are likely to adopt it in droves, which means more devices on more networks and a bigger attack surface. But that’s probably not going to be a deal-breaker.
“When you have a bigger attack surface, there will undoubtedly be more security issues, but that doesn’t mean you should avoid 5G,” said John Moor, managing director of the IoT Security Foundation. “You just have to put as much protection as possible in place and accept that you will probably get hacked at some point.”