Nothing can stem the tide of intelligent devices from becoming integral to business operations. That being the case, experts say it’s high time that organizations take IoT device security under serious consideration.
The company you work for probably has dozens, or maybe hundreds, of IoT devices connected to its IT environment. IoT devices can be part of everything from printers, lighting systems, and HVAC systems to security cameras, biomedical devices, and barcode readers. These small sensors have compute power and memory, as well as the ability to run applications and communicate across the network.
Businesses have good reasons to use so many connected IoT devices. The technology can improve efficiency and productivity, coordinate operations, and improve energy conservation. Those are just some of the reasons for why IoT devices have proliferated. IDC predicts there will be 55.7 billion connected IoT devices worldwide by 2025, generating 73.1 zettabytes of data.
The spread of IoT devices has an important downside, however. Just like other pieces of IT infrastructure, IoT devices are vulnerable to attacks. Kaspersky research highlighted how IoT attacks have grown into a major problem: The company detected more than 1.5 billion IoT attacks in the first half of 2021 and found that the number of IoT attacks has doubled each year. While intellectual property (IP) loss presents the largest threat, there are many other risks to guard against.
IoT Devices Expand the Attack Surface
One of the most common attacks today targets networked security cameras. Threat actors try default or widely known username and password combinations against the devices and, once logged in, use the camera as a launching point for further attacks. From inside a compromised camera, cybercriminals can distribute malware, enlist the device in a botnet, or use it to initiate a distributed denial-of-service (DDoS) attack.
Attacks can happen at any layer of an intelligent device. The physical layer, also called the perception layer, is where the sensors live and where data is collected. This layer is exposed to replay attacks, in which a cybercriminal eavesdrops on a legitimate message between a device and its receiver, captures it, and later resends it so the receiver accepts it as fresh, which can trick the receiver into exposing the system to further attacks. Timing attacks, meanwhile, let a criminal measure how long a device takes to respond to different inputs; those differences can leak information about secrets such as keys or passwords and reveal vulnerabilities. The physical layer is also where malicious nodes appear: compromised or rogue devices that try to deny service to the other nodes in the network.
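The replay attack described above, as an added example in Python (not code from the article or from any vendor it cites): a sensor reports readings to a gateway, an attacker captures one genuine report and resends it, and two gateways handle it differently. The naive gateway checks only a message authentication code, so the replayed report is accepted as a new "door open" event; the hardened gateway also requires a strictly increasing counter and rejects it. The pre-shared key, message format, and device names are assumptions for illustration. The tag check uses a constant-time comparison, which is the standard defence against the timing attack the paragraph also mentions.

```python
import hashlib
import hmac

# Assumed pre-shared key between the sensor and the gateway (illustration only).
KEY = b"demo-sensor-key-do-not-use"


def mac(key: bytes, body: bytes) -> bytes:
    """HMAC-SHA256 tag over the message body."""
    return hmac.new(key, body, hashlib.sha256).digest()


def encode_body(counter: int, reading: str) -> bytes:
    return f"{counter}|{reading}".encode()


def sensor_report(counter: int, reading: str) -> dict:
    """Sensor side: a reading plus a monotonic counter, both covered by the tag."""
    return {"counter": counter, "reading": reading,
            "tag": mac(KEY, encode_body(counter, reading))}


class NaiveGateway:
    """Checks only the tag, so a captured, genuine message is accepted again."""

    def __init__(self):
        self.accepted = []

    def receive(self, msg: dict) -> bool:
        expected = mac(KEY, encode_body(msg["counter"], msg["reading"]))
        # compare_digest runs in constant time: the comparison leaks no timing signal
        if not hmac.compare_digest(expected, msg["tag"]):
            return False
        self.accepted.append(msg["reading"])
        return True


class HardenedGateway(NaiveGateway):
    """Also requires the counter to be strictly greater than the last one accepted."""

    def __init__(self):
        super().__init__()
        self.last_counter = -1

    def receive(self, msg: dict) -> bool:
        expected = mac(KEY, encode_body(msg["counter"], msg["reading"]))
        if not hmac.compare_digest(expected, msg["tag"]):
            return False  # forged or tampered message
        if msg["counter"] <= self.last_counter:
            return False  # replayed or out-of-order message
        self.last_counter = msg["counter"]
        self.accepted.append(msg["reading"])
        return True


def run_replay_demo():
    """Deliver two genuine reports, then replay the first one to each gateway."""
    naive, hardened = NaiveGateway(), HardenedGateway()
    captured = sensor_report(1, "door=open")      # attacker eavesdrops and stores this
    for gw in (naive, hardened):
        gw.receive(captured)
        gw.receive(sensor_report(2, "door=closed"))
        gw.receive(captured)                      # replay: "the door is open again"
    return naive.accepted, hardened.accepted


if __name__ == "__main__":
    print(run_replay_demo())
```

Running the demo shows the naive gateway logging a third, spurious "door=open" event while the hardened gateway records only the two genuine readings. A counter alone is not enough without the tag, since an attacker could otherwise forge a higher counter; the two checks work together.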
Attacks are just as common at the network layer, which connects to network devices, servers, and other smart devices. Common attacks at this level include DDoS attacks, man-in-the-middle attacks, and attacks that target storage.
Then there is the application layer, which delivers application-specific services to users. Common application-layer attacks include cross-site scripting and malicious code.
And it’s only going to get worse. The increasing use of intelligent devices at the edge will expose organizations to additional risks. That’s because devices at the edge generate data that travels between the devices and the cloud, and possibly back again. Extra data movement just creates more opportunities for data breaches and other interference, said Wendy Frank, a principal at Deloitte.
The expected explosion of 5G could also expose organizations to more risk. “It takes a very large and broad ecosystem to operate a 5G network -- not only the devices, but other hardware and the cloud,” Frank explained. “That creates an incredibly large attack surface. It’s a big concern.”
Sean Tufts, practice director for IoT at cybersecurity consultancy Optiv, agreed that IoT device security should be a concern for every organization.
“We need to expand the footprint from the traditional houses of security, which typically include a SIEM [security information and event management], endpoint protection, and a firewall, and understand that there is a whole new busload of devices hopping onto our corporate networks,” Tufts said. “Some companies still think of security as a moat, but you really need a defense-in-depth strategy to handle IoT devices.”
IoT Device Security Fundamentals
It takes a multi-pronged approach to keep IoT device security in check.
An organization’s first step is to know the locations of all its intelligent devices. That’s harder to do than it might seem. These devices are commonly installed by one user or department without coordination with the rest of the organization. The move to remote work has exacerbated the problem at the edge, with organizations lacking visibility into the devices used by remote employees.
To locate intelligent devices, an organization must map the IoT security architecture. In doing so, the organization should have a clear view of how each device interacts with the application and technology stack. Additionally, the organization must understand who in the organization is responsible for updating and managing devices.
Having a full list of the devices is also important. Traditionally, companies use network device monitoring or asset management and monitoring software. That’s a good start, but using IoT-specific tools can be more accurate. These include IoT asset management software and network sensors. IoT security platform vendors include Ordr, Tele2, BeWhere, and Particle.
Another increasingly popular option is passive detection technology that uses machine learning to scan networks, identify devices, and capture what the device is doing and who is using it. Vendors in this category include Forescout, Nozomi Networks, and Armis.
Some passive detection technology takes advantage of behavioral analysis. Behavior analysis can help to identify a range of suspicious behavior, such as privilege escalation attempts and lateral movement.
“It’s important to know what the device is doing, but you should also be able to compare that information against what it should be doing based on known good behaviors,” said Christopher Dobrec, vice president of product marketing at Armis. “Think about a security camera: If you pick up a lot of authentication attempts trying to access the camera, that’s anomalous behavior. You need to be able to see that, identify the anomalous behavior, and then take action against it.”
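The known-good-baseline comparison Dobrec describes, as an added example in Python (not code from the article or from Armis): constructed log lines from a camera are checked two ways. Failed-login counts per source flag a burst of authentication attempts, and a success that follows such a burst is the signature of a guessed password; flow records are compared against the destinations and ports the camera is expected to use, so SMB toward a workstation (lateral movement) or IRC toward the internet (botnet command and control) stands out. The device name, addresses, log format, baseline, and threshold are all assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample data (not from any real device or vendor). Camera "cam-lobby"
# sits at 10.0.5.7; 10.0.5.23 is another host on the camera VLAN.
AUTH_LINES = [
    "2021-09-01T10:00:01 cam-lobby login: Failed password for admin from 10.0.5.23",
    "2021-09-01T10:00:02 cam-lobby login: Failed password for admin from 10.0.5.23",
    "2021-09-01T10:00:03 cam-lobby login: Failed password for admin from 10.0.5.23",
    "2021-09-01T10:00:04 cam-lobby login: Failed password for admin from 10.0.5.23",
    "2021-09-01T10:00:05 cam-lobby login: Failed password for admin from 10.0.5.23",
    "2021-09-01T10:00:06 cam-lobby login: Failed password for admin from 10.0.5.23",
    "2021-09-01T10:00:07 cam-lobby login: Accepted password for admin from 10.0.5.23",
    "2021-09-01T10:05:00 cam-lobby login: Failed password for operator from 10.0.1.10",
    "2021-09-01T10:05:04 cam-lobby login: Accepted password for operator from 10.0.1.10",
]

# Flow records as "device src dst dport proto" (constructed).
FLOW_LINES = [
    "cam-lobby 10.0.5.7 10.0.2.40 554 tcp",      # RTSP to the video recorder: expected
    "cam-lobby 10.0.5.7 10.0.2.41 123 udp",      # NTP to the local time server: expected
    "cam-lobby 10.0.5.7 10.0.1.50 445 tcp",      # SMB to a workstation: lateral movement
    "cam-lobby 10.0.5.7 203.0.113.9 6667 tcp",   # IRC to the internet: classic botnet C2
]

# Known-good behaviour per device: the only (dst, port, proto) it should ever use.
# Assumed for illustration; in practice this is learned or taken from the vendor spec.
BASELINE = {
    "cam-lobby": {("10.0.2.40", 554, "tcp"), ("10.0.2.41", 123, "udp")},
}

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dev>\S+) \S+ (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>[\d.]+)$"
)
FLOW_RE = re.compile(
    r"^(?P<dev>\S+) (?P<src>[\d.]+) (?P<dst>[\d.]+) (?P<port>\d+) (?P<proto>tcp|udp)$"
)

FAIL_THRESHOLD = 5  # assumed tuning: more failures than this per (device, source) is a burst


def detect_auth_bursts(lines, threshold=FAIL_THRESHOLD):
    """Return {(device, src): failures} for every burst, plus the (device, src) pairs
    where a login succeeded after a burst, the signature of a successful password guess."""
    failures = defaultdict(int)
    success_after_burst = []
    for line in lines:
        m = AUTH_RE.match(line)
        if not m:
            continue  # unrelated log line
        key = (m["dev"], m["src"])
        if m["result"] == "Failed":
            failures[key] += 1
        elif failures[key] > threshold:
            success_after_burst.append(key)
    bursts = {k: n for k, n in failures.items() if n > threshold}
    return bursts, success_after_burst


def detect_baseline_deviations(lines, baseline=BASELINE):
    """Return (device, dst, port, proto) for every flow outside the device's baseline."""
    deviations = []
    for line in lines:
        m = FLOW_RE.match(line)
        if not m:
            continue
        flow = (m["dst"], int(m["port"]), m["proto"])
        if flow not in baseline.get(m["dev"], set()):
            deviations.append((m["dev"],) + flow)
    return deviations


def run_demo():
    return detect_auth_bursts(AUTH_LINES), detect_baseline_deviations(FLOW_LINES)


if __name__ == "__main__":
    print(run_demo())
```

The single failed operator login is below the threshold and stays quiet, which is the point of comparing against a baseline rather than alerting on every failure; the two out-of-baseline flows are exactly the traffic that network segmentation should also block.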
Most IoT devices are designed for a single purpose. They often don’t have extra CPU processing power and memory to run traditional security agents. As such, Dobrec said that organizations should use agentless security products.
Organizations should also focus on endpoint security, Tufts said. However, many endpoint protection products haven’t yet been rearchitected for IoT device security. Tufts recommended that organizations use products with IoT endpoint protection capabilities, which frequently come in the form of IoT modules within traditional tools. CrowdStrike, SentinelOne, Cybereason, McAfee, Forescout, and Fortinet offer products with IoT endpoint protection capabilities.
Existing cybersecurity efforts can help in other ways. For example, security operations centers (SOCs) can use threat management and incident response programs that are specific to IoT devices, Frank noted. SOCs can then monitor devices for anomalies and proactively manage them. The same is true of established vulnerability management programs, which can include IoT devices to ensure that upgrades, patches, and licensing remain up to date.
Finally, organizations should properly segment their networks. Doing so keeps IoT, operational technology (OT), and industrial control system (ICS) devices off the same network as other kinds of devices, Frank added, so that a compromised camera or sensor cannot reach workstations and servers directly.
What About the Devices’ Built-in Security?
It’s tempting, if not naïve, to think devices will be secure right out of the box. Each type of device has a different form factor, with its own firmware behind the physical interfaces, and devices ship with widely varying levels of built-in security. If a device uses Bluetooth or connects to another piece of technology, such as a USB port, those interfaces must be secured as well.
To vet IoT devices as carefully as possible, Frank recommended testing a device before buying it. By testing the devices, the IT staff can gain an understanding of the necessary risk mitigation controls. Frank also advised asking device vendors what type of testing they perform on their products before selling them. A vendor should explain the level of support it provides for the device, including updates, patches, and notifications of vulnerabilities.