Effectively acting as an invisible shield, the inner workings of IoT security are often taken for granted. However, we can focus and shine a light on the protocols and practices that provide the foundation of IoT security to help others see how these efficiently operate behind the scenes to protect complex networks of interconnected devices.
We will consider everything from everyday smart home devices to large-scale, cloud-based services, focusing on the security measures that are in play to prevent data breaches and avoid potentially disastrous cyber attacks against organizations.
What Is IoT Security?
Internet of Things (IoT) security refers to the protection of devices that are connected by the internet, such as large-scale industrial sensors that monitor environmental conditions or smart home assistants that automate tasks around the house. These devices could be targeted for many reasons, from attempting to obtain individual credit card numbers to industrial sabotage.
Cyber attackers use a wide range of methods to steal credentials and compromise IoT devices, making any device that is connected to the internet vulnerable to attack without the necessary security. An attacker who gains control of an IoT device can steal sensitive data and conduct malicious activity across a network or take systems offline.
Unfortunately, IoT security can be challenging as, fundamentally, IoT devices are not designed with security in mind. Most IoT devices are built for high-level connectivity, good usability, and innovative features, making them a common target for cybercriminals. With more and more IoT devices being developed to assist businesses and consumers in streamlining daily processes, the need for advanced security becomes increasingly important.
Why Is IoT Security So Crucial?
There are two key factors why IoT devices and networks require advanced security, and why they are seen as a prime target by criminals. The main reason is that IoT devices provide cyber criminals with access to sensitive data, systems, and networks, sometimes with minimal effort required.
For example, a simple smart energy meter or thermostat may contain Personally Identifiable Information (PII) that could be sold or distributed on the dark web. A worrying amount of data that traverses IoT devices is not encrypted. This means that if a device is compromised, an attacker has full control over this data.
The second key factor why IoT cybersecurity is a significant concern is how difficult these devices can be to manage and install new security patches. Many IoT devices are deployed without any user interface or management software. This includes environmental sensors, industrial sensors, asset trackers, and of course, heart rate monitors.
As a result, there is no simple method of implementing endpoint security or installing the latest security patches and updates. At the same time, this means unprotected devices can be connected to a single network.
However, with app development trending more and more toward edge computing solutions (an approach well-suited to IoT security,) we might soon see a deluge of both new solutions and professionals ready to tackle IoT security’s most long-lasting and pressing issues, even in the most vulnerable sectors and industries.
High Profile IoT Cyber Attacks: Examples
To illustrate how devastating an IoT attack can be, we will outline two high-profile, large-scale attacks with significant repercussions.
Verkada - The compromised cloud-based video surveillance service
Verkada was attacked in March 2021, with cybercriminals gaining access to sensitive information belonging to the company’s clients. Furthermore, the attackers were also able to access over 150,000 live feeds of security cameras operating in schools, hospitals, factories, and other buildings.
It is understood that over 100 Verdaka employees were unnecessarily given the highest level of access, sometimes referred to as a super admin. By compromising just one over-privileged account, the attackers were able to access every camera on the network.
The Mirai Botnet - The largest DDoS attack in history
Going back to October 2016, the Distributed Denial of Services (DDoS) attack launched on the DNS service provider Dyn still ranks as the biggest attack of its type.
Cybercriminals created a BotNet, installing malware on a large number of IoT devices. Using this BotNet, a (DDoS) attack was launched against Dyn, flooding networks with a huge number of requests to bring down a significant portion of the internet. This attack affected major social media platforms such as Twitter and Reddit, as well as Netflix.
The BotNet was able to grow so large due to the lack of encryption and security on IoT devices, with the attackers easily able to search the internet for other vulnerable devices that lacked up-to-date firmware or weak, crackable passwords.
What Are The Best Practices and Protocols For Optimal IoT Security?
While it may seem like there are numerous IoT security challenges to consider, the overall security situation is more positive than one might think. Hence, IoT devices can be properly secured if you implement:
Tracking and Management
Creating and maintaining a complete inventory of all IoT devices on a network is an essential step for creating an effective IoT security strategy. This inventory should include all device configurations and the current status regarding when each device was last patched. In addition, the full network should be mapped out, clearly showing linked devices, making it easy to identify and manage vulnerabilities should there be a suspected breach.
Security management processes also need to be put in place so that updates and patches can be installed regularly, with ongoing monitoring highlighting any devices that have outdated firmware.
Security Testing
Organizations must conduct regular security assessments to identify new and existing vulnerabilities in the IoT network, including vulnerabilities within any software installed on devices.
Findings from the assessments should be well-documented, with processes in place to resolve any issues along a prioritized and manageable timeline. Assessments should be conducted whenever major changes are made to a network or when new device types are deployed. Preferably, IoT devices should be tested prior to deployment on any production network.
Monitoring and Analysis
Improved observability is a key aspect of IoT security, with real-time monitoring and analysis identifying unexpected network changes, unusual behaviors, and suspected cyber attacks.
Logging is a fundamental component of observability, detailing all aspects of a network so anomalies can be easily pinpointed. Devices should be observable at all times, including when they are running, highlighting suspicious behaviors without affecting the performance of the device.
Monitoring software should feature a user-friendly dashboard, provide real-time alerts, and grant access to advanced analytics and reporting to highlight patterns within the huge amounts of data that are generated and processed by IoT devices.
Adhere to the Latest Encryption Protocols
Encryption is an essential component of IoT security so that even if a breach does occur, the data cannot be read or manipulated without the correct decryption key. All data, both stored and in transit, must be protected using up-to-date encryption protocols. For IoT devices, the Advanced Encryption Standard (AES) is recommended. In June 2003, AES became the default encryption algorithm for protecting classified information, including government information.
Implement Network Segmentation
Network segmentation is the dividing of a network into smaller, identifiable groups. By breaking down the network in this way, it becomes much easier to manage. If a breach occurs in a single segment, measures can be taken to stop it from spreading to other areas.
IoT devices should always be within their separate segment, with different types of devices given their specific segments. This makes it possible to assign relevant access controls and create traffic rules. Controls and rules can then be quickly amended if any new threat intelligence relates to specific devices or user groups.
Wrapping Up
IoT devices can be found almost everywhere, from people’s homes to hospitals and large industrial enterprises. Securing these devices can be challenging, especially if they are part of a large and complex network. Many IoT devices are not designed with security in mind, making it difficult to install the latest security patches and presenting an easy access point for cybercriminals to launch attacks.
Fortunately, by adhering to five key protocols and practices, organizations can develop a robust IoT security strategy that minimizes the chance of a security breach and protects sensitive data. These five best practices include implementing tracking and management protocols, regular security assessments, real-time monitoring, using the latest encryption, and network segmentation.
About the Author:
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire.