The IoT market is projected to reach $1.5 trillion by 2025. That number looks staggering, and put in perspective it is a sixfold increase on 2019, when the market was pegged at $250 billion. Some 25 billion devices are expected to be part of IoT networks by 2025, with smartphones making up 24%, or about 6 billion, of them. The biggest beneficiary of the IoT revolution is Industry 4.0. But the revolution can only take off if the troves of data flowing through billions of IoT connections can be secured. This brings us to the focus point: IoT security.
IoT Security – The key that unlocks Industry 4.0
IoT security involves securing the software, hardware, and networks that collect, store, handle, transmit, and process data. Whether it is your garage shutter rolling up when your car enters the perimeter of your home, or the lights switching on the moment you enter a room, these systems work on sensors. The sensors collect data and send it to a command center, which processes it and sends back a response. That data needs to be secured. The devices need to be secured. The entire network needs to be secured. This is what IoT security deals with: the tools, strategies, and methods that protect you from bad actors who keep coming back to find vulnerabilities in your networks.
Unlike the security of a single device such as a smartphone or laptop, IoT security is not confined to the endpoint; much of it is enforced in the network and in the cloud. It is the fundamental block of the IoT, Big Data, and cloud computing ecosystem. While IoT devices generate and collect the data, the Big Data platform handles analytics, and the cloud computing system stores and processes the data and addresses other aspects of data mobility. IoT security ensures that everything taking place in the cloud, in transit, and within the IoT devices is protected.
“The fate of Industry 4.0 is in the hands of IoT security and not just IoT device interconnectivity” is the view of major players in technology, industry, logistics, commerce, and government agencies. To tackle IoT security challenges, Sectrio believes in deploying a robust IoT security management plan. At the design level, adopting a security-by-design architecture is the best way to prevent and mitigate IoT security threats and vulnerabilities.
A network without IoT Security is a house without a roof!
What would it be like to lose control of a 100-tonne machine on an industrial site? What would happen if a subway signaling system failed? It is difficult even to imagine. Complex systems such as power distribution, water management, traffic management, smart homes, and a ton of other systems and devices are interconnected via IoT devices, forming complex networks.
While the benefits of IoT connectivity are already well known, the worst of its risks is yet to come. Any compromise of these complex networks can lead to a catastrophic event. If a military network, a nuclear plant network, or a power transmission grid is compromised, the threat is at a national level. Robust IoT security is imperative for the complex and sensitive networks that keep this world on its wheels. From a cybersecurity expert's point of view, there is a host of IoT security challenges that a security team has to deal with.
Take the example of a smart automotive manufacturing plant. Its functioning and competence highlight what the IoT revolution has to offer with time. On the other side, the same plant is a strong case for understanding how important IoT security is. Having infiltrated the plant's network, attackers can reach key systems and processes running on the factory floor, and it is only a matter of time before they escalate their privileges. They can then tinker with the settings of a manufacturing or assembly unit, putting hundreds of lives in jeopardy. Similarly, if they manage to enter a medical command center that monitors hundreds of devices such as pacemakers, the potential for loss of life is greater still.
Even home gadgets such as CCTV cameras, smart TVs, and smart refrigerators are not safe. These devices are often joined to the home network without their default credentials being changed, which puts the entire network at risk and at the mercy of bad actors. Every endpoint on a network needs to be secured, and the data passing between devices and the cloud should be encrypted at all times, so that traffic captured during a breach cannot be read.
Understanding the IoT Security Framework
Most guides based on the various IoT security frameworks depend on protocols and pre-defined policies that are enforced via the cloud. Depending on the nature of the industry, the volume of data collected, how it is processed, and other parameters, enterprises must meet the compliance standards required by local laws. While this holds good for secure data processing on the IoT device, manufacturers and consumers should also be cognizant of their own practices. An IoT security framework is primarily spread across three levels, with the communication layer split between the edge and the core:
- Physical Layer – Device End
- Communication Layer
  - Edge Network
  - Core Network
- Processing Layer (Cloud)
Physical Layer (Device End):
1. Security by Design
IoT security by design should be strictly implemented. The development team should treat security as a feature as important as the device itself, rooted in the SoC (System on Chip) so that the device boots only firmware it can verify. This minimizes IoT security threats over the lifetime of the device. Patches and firmware updates should be delivered only through a secure mechanism: images signed by the vendor, verified by the device before installation, and never rolled back to an older, vulnerable version.
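As an added example (not Sectrio's code, and not any real vendor's update format), the following Python shows what a device-side check of a secure update mechanism involves: authenticating the manifest, refusing rollbacks, and verifying the image digest before anything is flashed. The manifest fields, the device name and the key are assumptions, and an HMAC-SHA256 tag stands in for the asymmetric signature a real device would verify with a vendor public key in its root of trust, since Python's standard library has no Ed25519.

```python
"""Verify a firmware update before installing it: authenticity, anti-rollback, integrity.

Added example; not Sectrio's code and not a real vendor's update format. The manifest
fields, the device model name and the key are assumptions. An HMAC-SHA256 tag over
the manifest stands in for the asymmetric signature (for example Ed25519) a real
device would check against a vendor public key in its root of trust.
"""
import hashlib
import hmac
import json

# Assumption: key provisioned into the device at manufacture (placeholder value).
DEVICE_UPDATE_KEY = bytes.fromhex("2b" * 32)


def canonical(manifest: dict) -> bytes:
    """Stable byte encoding so signer and verifier hash exactly the same thing."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Vendor side: authentication tag over the canonical manifest."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_update(manifest: dict, tag: str, image: bytes, current_version: int,
                  key: bytes) -> tuple:
    """Device side. Returns (accepted, reason); all checks must pass before flashing."""
    # 1. Authenticity: only a manifest the vendor produced is trusted at all.
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        return False, "manifest authentication failed"
    # 2. Anti-rollback: a validly signed but older image may carry known bugs.
    if manifest["version"] <= current_version:
        return False, "rollback to version %d refused" % manifest["version"]
    # 3. Integrity: the image must match the digest named in the signed manifest.
    if not hmac.compare_digest(hashlib.sha256(image).hexdigest(), manifest["sha256"]):
        return False, "image digest mismatch"
    # 4. Size check catches truncated downloads before anything is written to flash.
    if len(image) != manifest["size"]:
        return False, "image size mismatch"
    return True, "update accepted"


def demo() -> dict:
    """Constructed image and manifest; exercises the accept path and three attacks."""
    image = b"\x7fELF" + b"constructed-firmware-v3-" * 8
    manifest = {"device": "gw-100", "version": 3, "size": len(image),
                "sha256": hashlib.sha256(image).hexdigest()}
    tag = sign_manifest(manifest, DEVICE_UPDATE_KEY)
    forged = dict(manifest, version=99)          # attacker bumps version without the key
    return {
        "good": verify_update(manifest, tag, image, 2, DEVICE_UPDATE_KEY),
        "tampered": verify_update(manifest, tag, image[:-1] + b"\x00", 2, DEVICE_UPDATE_KEY),
        "rollback": verify_update(manifest, tag, image, 3, DEVICE_UPDATE_KEY),
        "forged": verify_update(forged, tag, image, 2, DEVICE_UPDATE_KEY),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print("%-9s %s %s" % (name, "ACCEPT" if ok else "REJECT", reason))
```

The order of the checks matters: the manifest is authenticated before any field in it is trusted, so an attacker who edits the version number to defeat the rollback check simply fails the first test.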
2. Accessing the device
User access credentials should be kept confidential and private at all times. Steps should be taken to prevent brute-force unlocking and abusive login attempts, such as throttling or locking an account after repeated failures. Thorough IoT security testing can help minimize IoT security risks, and MFA should be mandatory for access to sensitive data.
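The throttling described above, as an added example rather than code from the page: a login guard that runs the password KDF for known and unknown users alike (so response time does not reveal which accounts exist), counts consecutive failures per account, and locks the account for a period that doubles after each lockout. The PBKDF2 settings, backoff constants, injected clock and sample credential are assumptions.

```python
"""Throttle failed logins with per-account exponential backoff.

Added example, not from the original page. The PBKDF2 parameters, the backoff
constants, the injected clock and the sample credential are assumptions for the demo.
"""
import hashlib
import hmac
import os
import time

FAILS_BEFORE_LOCK = 3        # consecutive failures that trigger a lockout
BASE_LOCKOUT_SECONDS = 2     # first lockout length; doubles with each further lockout
MAX_LOCKOUT_SECONDS = 3600   # cap so a legitimate user is never locked out for days
PBKDF2_ROUNDS = 100_000

# Dummy salt/digest used for unknown users so the KDF still runs (no timing leak).
_DUMMY = (b"\x00" * 16, b"\x00" * 32)


def hash_password(password: str, salt=None) -> tuple:
    """Return (salt, digest) using PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class LoginGuard:
    """Tracks consecutive failures per username and locks the account with backoff."""

    def __init__(self, users: dict, clock=time.monotonic):
        self._users = users          # username -> (salt, digest)
        self._clock = clock          # injectable for testing
        self._fails = {}             # username -> consecutive failures since last lock
        self._locked_until = {}      # username -> monotonic time the lock expires
        self._lockouts = {}          # username -> lockouts so far (drives the doubling)

    def attempt(self, username: str, password: str) -> str:
        now = self._clock()
        if now < self._locked_until.get(username, 0):
            return "locked"          # refuse before touching the password at all
        record = self._users.get(username)
        salt, expected = record if record else _DUMMY
        _, got = hash_password(password, salt)
        if record and hmac.compare_digest(got, expected):
            self._fails.pop(username, None)
            self._lockouts.pop(username, None)
            return "ok"
        fails = self._fails.get(username, 0) + 1
        if fails < FAILS_BEFORE_LOCK:
            self._fails[username] = fails
            return "denied"
        n = self._lockouts.get(username, 0)
        delay = min(BASE_LOCKOUT_SECONDS * 2 ** n, MAX_LOCKOUT_SECONDS)
        self._locked_until[username] = now + delay
        self._lockouts[username] = n + 1
        self._fails[username] = 0
        return "locked for %ds" % delay


def demo() -> list:
    """Three wrong guesses, one correct guess while locked, then success after the lock."""
    salt, digest = hash_password("constructed-demo-passphrase")
    clock = [0.0]
    guard = LoginGuard({"ops": (salt, digest)}, clock=lambda: clock[0])
    results = [guard.attempt("ops", "admin") for _ in range(3)]
    results.append(guard.attempt("ops", "constructed-demo-passphrase"))
    clock[0] += 2.5              # wait out the 2 s lockout
    results.append(guard.attempt("ops", "constructed-demo-passphrase"))
    return results


if __name__ == "__main__":
    print(demo())
```

Note that the correct password is refused while the lock is active; the guard does not even compute the hash, which is what makes an online guessing attack slow rather than merely detectable.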
3. Detection and Anti-tamper Mechanism
Manufacturers should ensure that the IoT device cannot be tampered with using minimal tools during shipping and installation. A detection system should be built in to alert the command center when tampering is detected. Compliance with recognized security certifications helps consumers make better choices when buying IoT devices. This is of primary importance owing to the rise in eavesdropping incidents in recent times, which are often carried out through budget IoT devices.
4. Keeping the consumer in the loop
Real-time, readable, and easily understandable information about the device should be communicated to users at all times. In particular, during an attack where a data breach is likely, users who are told promptly can secure their accounts by changing passwords or taking other preventive measures.
Edge Network:
1. Interconnection of IoT Devices (Wired or Wireless)
The edge network facilitates communication between multiple IoT devices on the same network via a wired or wireless interface, and it establishes the protocols used to share and process data between them. This communication pathway is prone to many cyber-attacks.
2. Edge Computing
Edge computing pre-processes data close to its source, the IoT devices. This cuts the volume of data sent upstream and the latency before a decision is made, enabling more action-led outcomes.
3. Homogeneity across devices
The devices connected to a network rarely come from a single manufacturer. Many IoT device manufacturers and developers opt for basic authentication and minimal security protocols to avoid glitches when devices connect to each other and to the network, which makes those devices an easy target for threat actors. Once one is compromised, not only that device and the data it holds but every device on the network, and the network itself, are at risk. Establishing a homogeneous security policy across such mixed fleets is key to reducing IoT security vulnerabilities.
Core Network:
1. Connects IoT devices to Cloud
The core network is the key communication channel connecting the cloud to the IoT devices and carrying their data. Attackers often target this pathway to enter a network, and traditional cybersecurity methods have fallen short in the face of advanced and complex attacks. With orchestrated, multi-stage attacks now common, the core network pathway throws up numerous IoT security challenges.
2. Endpoints and Security Burden are relative
As the number of IoT devices on a network grows, so does the attack surface and the risk the network carries. Even with the best IoT security practices and efforts in place, constant network monitoring is necessary to secure a network with hundreds or thousands of IoT devices.
Processing Layer (Cloud):
1. Processing & Big Data Analytics
The bulk of the processing and data analytics takes place in the cloud. This is by far the most critical asset, because the IoT device depends on it for its intended functionality: the device sends data to the cloud for further processing, and analyzing that data reveals long-term usage patterns and other user patterns. Applications, network management platforms, and data storage make up most of the assets in the cloud.
2. Implementing DevSecOps
DevSecOps stands for Development, Security, Operations. It extends the existing DevOps model, which focuses on development and operations, by making security a shared responsibility of the same team. Given agile development and a single large team working on a project, adopting DevSecOps helps embed security into the code and the device from the very beginning. Developers can adhere to secure coding standards, adopt IDE security plugins, and follow up with threat modeling.
3. Numerous Endpoints
Securing the many endpoints that individual IoT devices create when they connect to the cloud is a difficult job. Not all connections are secured to the same standard, which calls for continuous monitoring for malware and bot activity.
Securing an entire IoT ecosystem is an obligation rather than a nicety. It can be achieved by embracing a four-point strategy that secures the network systems, pathways, and IoT devices:
- Policy-driven Security
- Anti-tamper and Detection
- Data Protection and Confidentiality
- IP Security and Protection
1. Policy-driven Security:
- Protects physical device, communication pathway, and cloud
- Relies primarily on a set of pre-defined policies and protocols (software) to protect, detect, mitigate, and restore an IoT network
- Easy to implement and deploy, but needs constant updating to combat emerging threats
2. Anti-Tamper and Detection:
- Focuses on securing physical components of the IoT ecosystem
- Deals with the IoT devices, communication pathways, and other physical hardware
- Should be tamper-proof and almost impossible to jailbreak
3. Data Protection and Confidentiality:
- Data stored on the IoT device and data transmitted (through the communication pathway) to and from the cloud should be encrypted.
- Messaging protocols such as CoAP and MQTT do not encrypt anything by themselves: CoAP should run over DTLS and MQTT over TLS, with certificate validation enabled on the device.
4. IP Security & Protection:
- IPsec (Internet Protocol Security) is a suite of protocols that secures IP traffic at the network layer, including the communication between IoT devices and the cloud.
- The protocols provide encryption, authentication, integrity, and replay protection for sensitive data.
- ESP (Encapsulating Security Payload) provides confidentiality and integrity, AH (Authentication Header) provides integrity and origin authentication without confidentiality, and IKE (Internet Key Exchange) negotiates the keys and security associations both of them use. ESP is the one to choose when data must stay private.
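An added example, not from the page or from any IPsec stack, of the receive-side logic that gives ESP its replay protection: the RFC 4303 sliding window is checked before the ICV (so replays cost no HMAC computation), and updated only after the ICV verifies (so a forged packet cannot move the window). The packet layout, window size and key are assumptions, and payload encryption is omitted so the replay logic stays in focus.

```python
"""ESP-style inbound processing: anti-replay window then integrity check (RFC 4303).

Added example, not code from the page or from any IPsec implementation. The packet
layout (SPI, sequence number, payload, 128-bit HMAC-SHA256 ICV) mirrors ESP in
integrity-only mode; payload encryption is left out to keep the focus on replay
protection, and the key is a constructed placeholder.
"""
import hashlib
import hmac
import struct

WINDOW = 64                                   # RFC 4303 minimum is 32; 64 is common
DEMO_KEY = b"constructed-integrity-key-not-for-use"


def build_packet(spi: int, seq: int, payload: bytes, key: bytes = DEMO_KEY) -> bytes:
    """Sender side: header || payload || ICV, with the ICV covering header and payload."""
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(key, header + payload, hashlib.sha256).digest()[:16]
    return header + payload + icv


class InboundSA:
    """Receiver state for one security association: highest seq seen plus a bitmap."""

    def __init__(self, spi: int, key: bytes = DEMO_KEY):
        self.spi, self.key = spi, key
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set  =>  sequence number (top - i) already received

    def receive(self, packet: bytes) -> str:
        spi, seq = struct.unpack("!II", packet[:8])
        if spi != self.spi:
            return "drop: unknown SPI"
        if seq == 0:
            return "drop: sequence number 0 is never valid"
        # 1. Cheap window check first, so replayed traffic costs no HMAC computation.
        if seq <= self.top:
            offset = self.top - seq
            if offset >= WINDOW:
                return "drop: too old"
            if (self.bitmap >> offset) & 1:
                return "drop: replay"
        # 2. Integrity check. A forged packet must not be allowed to move the window.
        body, icv = packet[:-16], packet[-16:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(icv, expected):
            return "drop: bad ICV"
        # 3. Only an authenticated packet updates the window.
        if seq > self.top:
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << WINDOW) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)
        return "accept"


def demo() -> list:
    """In-order, reordered, replayed, forged and stale packets on one SA."""
    sa = InboundSA(spi=0x1001)
    pkt = {n: build_packet(0x1001, n, b"reading %d" % n) for n in (1, 2, 3, 5, 70)}
    forged = pkt[5][:-16] + b"\x00" * 16         # attacker cannot compute the ICV
    return [
        sa.receive(pkt[1]),     # accept
        sa.receive(pkt[3]),     # accept; window top moves to 3
        sa.receive(pkt[2]),     # accept; late but inside the window
        sa.receive(pkt[2]),     # drop: replay
        sa.receive(forged),     # drop: bad ICV (top stays at 3)
        sa.receive(pkt[70]),    # accept; window slides to 70
        sa.receive(pkt[5]),     # drop: too old (70 - 5 >= 64)
    ]


if __name__ == "__main__":
    print(demo())
```

Reordering inside the window is tolerated (packet 2 arriving after 3 is accepted once), which is why the window is a bitmap rather than a single counter; anything older than the window is dropped unconditionally because the receiver no longer remembers whether it saw it.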
Common Issues and their Fixes – IoT Security
Attackers keep finding ways to keep cybersecurity experts busy developing better security systems. While no one can evade IoT security issues completely, a robust process, put into action, can mitigate and keep many of them at bay. In most cases, attackers take advantage of open ports, known vulnerabilities, unpatched third-party components (including open-source libraries), poor configurations, and human error to infiltrate a network. These weaknesses can also arise from third-party devices, poor passwords, and elsewhere.
Here we list out the most common factors causing IoT security issues in an enterprise and the measures to be taken. If you need advice, information, or anything related to cybersecurity, do not hesitate to reach us at Sectrio.
1. Weak Passwords
This truly stands out as the No.1 cause of device and network compromise. Weak passwords make a network's security weak and vulnerable. Most consumers do not change the default username and password shipped with a device, and when such devices are brought onto a network they become the hallways through which attackers enter it. From there, attackers can quickly take over the entire system. Far more ransomware intrusions begin with weak or reused credentials than with anything to do with breaking encryption.
To tackle this, every enterprise should ensure the credentials of all IoT devices are changed before they are connected to the network. Measures such as unique alphanumeric passwords and 2FA/MFA raise the security posture and bring down the probability of a successful cyber-attack.
2. Insecure user interfaces
User interfaces are another point of entry for many cyber-attacks. Developers often ignore the risk users bring when entering information into the system or servers. With little to no encryption or input validation, interfaces such as mobile apps, cloud consoles, APIs, web pages, and router admin pages can pave the way for attackers to enter the network.
The cybersecurity team should assess the security posture of every component of the existing network before making changes to it. Strong encryption and MFA are the starting points for securing a network, and authentication and user verification should be mandatory at every point of entry.
3. Lack of visibility of devices
Large retail spaces, commercial establishments, and industrial ecosystems have hundreds or thousands of IoT devices connected to the same network at any given time. More often than not, there are no reliable logs of which devices are on the network, when they join and leave, or what the network's security posture is. If an attacker gets in through an unsecured CCTV camera or HVAC system, by the time the intrusion is identified and acted on it is often too late.
To prevent this, a robust system that gives visibility into every device and its security posture should be in place. Sectrio's comprehensive cybersecurity solution offers an interactive dashboard that makes managing every device on the network a matter of a button click.
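To make the visibility point concrete, here is an added example (not Sectrio's dashboard) that audits DHCP lease events against an asset inventory and flags devices that should not be there: unknown MACs, known devices on the wrong VLAN, and a known MAC that suddenly reports a different hostname. The log format follows dnsmasq's DHCPACK lines; the inventory, VLAN names and log lines are constructed for the demo.

```python
"""Flag unknown or misplaced devices from DHCP lease events against an asset inventory.

Added example, not Sectrio's tooling. The log format follows dnsmasq's DHCPACK lines;
the inventory, the VLAN interface names and the sample log are constructed.
"""
import re
from collections import Counter

DHCPACK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s\S+\sdnsmasq-dhcp\[\d+\]:\s"
    r"DHCPACK\((?P<iface>\w+)\)\s(?P<ip>[\d.]+)\s"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?:\s(?P<host>\S+))?$"
)

# Constructed inventory: mac -> (expected hostname, VLAN interface it belongs on)
INVENTORY = {
    "a4:c1:38:0b:22:91": ("cam-lobby-01", "vlan20"),
    "a4:c1:38:0b:22:92": ("cam-dock-02", "vlan20"),
    "00:1c:42:9a:7e:10": ("hvac-ctl-01", "vlan30"),
}

# Constructed sample log: two normal leases, then three things an operator wants to hear about.
SAMPLE_LOG = """\
Jan 12 08:01:03 gw dnsmasq-dhcp[812]: DHCPACK(vlan20) 10.20.3.14 a4:c1:38:0b:22:91 cam-lobby-01
Jan 12 08:01:09 gw dnsmasq-dhcp[812]: DHCPACK(vlan20) 10.20.3.15 a4:c1:38:0b:22:92 cam-dock-02
Jan 12 08:02:41 gw dnsmasq-dhcp[812]: DHCPACK(vlan30) 10.30.0.7 00:1c:42:9a:7e:10 hvac-ctl-01
Jan 12 08:03:00 gw dnsmasq-dhcp[812]: DHCPACK(vlan20) 10.20.3.99 de:ad:be:ef:00:01 kali
Jan 12 08:04:12 gw dnsmasq-dhcp[812]: DHCPACK(vlan10) 10.10.0.55 00:1c:42:9a:7e:10 hvac-ctl-01
Jan 12 08:05:00 gw dnsmasq-dhcp[812]: DHCPACK(vlan20) 10.20.3.14 a4:c1:38:0b:22:91 workstation-7
"""


def audit_leases(log_text: str, inventory: dict) -> list:
    """Return (severity, message) findings, one per suspicious lease or silent asset."""
    findings = []
    seen = Counter()
    for line in log_text.splitlines():
        m = DHCPACK_RE.match(line)
        if not m:
            continue                                   # not a lease event
        mac, iface, host = m["mac"], m["iface"], m["host"]
        seen[mac] += 1
        if mac not in inventory:
            findings.append(("high", "unknown device %s (%s) on %s" % (mac, host, iface)))
            continue
        exp_host, exp_iface = inventory[mac]
        if iface != exp_iface:
            # A building controller showing up on the corporate VLAN means segmentation failed.
            findings.append(("high", "%s seen on %s, expected %s" % (exp_host, iface, exp_iface)))
        if host and host != exp_host:
            # Same MAC, new hostname: possible MAC spoofing or a re-imaged device.
            findings.append(("medium", "%s now reports hostname %s (possible MAC spoof)" % (mac, host)))
    for mac, (exp_host, _) in inventory.items():
        if seen[mac] == 0:
            findings.append(("low", "%s never leased an address" % exp_host))
    return findings


if __name__ == "__main__":
    for severity, message in audit_leases(SAMPLE_LOG, INVENTORY):
        print("[%s] %s" % (severity.upper(), message))
```

The inventory is the control here: without a maintained list of what is supposed to be on each segment, a lease log is just noise, which is the gap the paragraph above describes.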
4. Using removable media
Not all apples are red, and the same goes for employees. A rogue employee, or one following the instructions of a hacking group, can inject malware into the network using removable media; an attempt of this kind was reported at a Tesla manufacturing plant. Using removable media to patch systems and share data makes the entire network vulnerable.
Enterprises can ban removable media outright. Where it is genuinely needed, anti-malware scanning should run around the clock on all devices, the auto-run feature should be disabled, and data on the media should be encrypted.
5. Third-party devices
Large office spaces require a ton of facilities apart from their regular workhorses: elevators, HVAC systems, lighting, and more. Many of the vendors offering these services have no idea how attackers can use these devices to enter the local network. Whether through a lack of knowledge or other constraints, a majority of the systems installed by third-party vendors arrive with little or no security hardening.
The only way to stop an attacker from taking advantage of a poorly secured third-party device or system is to limit vendors' remote access. A remote access key should be generated only for a specific period and must be regenerated on expiry, and 2FA should be mandatory for vendors logging into the network. Keeping the corporate network separate from the IoT device network is a key step in protecting an enterprise's key assets.
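One way to implement the expiring vendor access key, as an added example that is not Sectrio's product: an HMAC-signed token carrying the vendor, the one system it may reach, an expiry and a random id, verified signature-first so that an edited expiry is rejected. The token layout, signing key and timestamps are assumptions; the login flow that pairs the token with 2FA is outside the example.

```python
"""Issue and verify time-limited, single-system vendor access tokens.

Added example, not Sectrio's product. The token layout (vendor id, permitted system,
issue/expiry timestamps, random token id, HMAC-SHA256 tag) and the signing key are
assumptions; a production deployment would keep the key in an HSM or secret manager.
"""
import base64
import hashlib
import hmac
import json
import os

SIGNING_KEY = b"constructed-demo-key-rotate-me"      # assumption: server-side secret


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(vendor: str, system: str, ttl_seconds: int, now: float,
                key: bytes = SIGNING_KEY) -> str:
    """Mint a token valid for ttl_seconds; the tag covers every claim."""
    claims = {"vendor": vendor, "system": system, "iat": int(now),
              "exp": int(now) + ttl_seconds, "jti": _b64(os.urandom(9))}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def verify_token(token: str, system: str, now: float, revoked=frozenset(),
                 key: bytes = SIGNING_KEY) -> tuple:
    """Return (ok, vendor_or_reason). The signature is checked before any claim is read."""
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except ValueError:
        return False, "malformed token"
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        return False, "bad signature"
    claims = json.loads(body)
    if now >= claims["exp"]:
        return False, "expired; vendor must request a new token"
    if claims["system"] != system:
        return False, "token not valid for %s" % system
    if claims["jti"] in revoked:
        return False, "token revoked"
    return True, claims["vendor"]


def demo() -> dict:
    """A 4-hour token checked fresh, against the wrong system, after expiry, and when edited."""
    t0 = 1_700_000_000.0                         # constructed issue time
    tok = issue_token("hvac-vendor", "hvac-ctl-01", ttl_seconds=4 * 3600, now=t0)
    body_b64, tag_b64 = tok.split(".")
    # Attacker rewrites the expiry inside the token but cannot recompute the tag.
    claims = json.loads(_unb64(body_b64))
    claims["exp"] += 10 ** 6
    edited = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    return {
        "fresh": verify_token(tok, "hvac-ctl-01", now=t0 + 600),
        "wrong_system": verify_token(tok, "badge-server", now=t0 + 600),
        "expired": verify_token(tok, "hvac-ctl-01", now=t0 + 5 * 3600),
        "forged": verify_token(edited + "." + tag_b64, "hvac-ctl-01", now=t0 + 5 * 3600),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-13s %s" % (name, result))
```

Scoping the token to one system is what keeps a compromised HVAC vendor account from becoming a foothold on the badge server; the expiry is what forces the key to be regenerated rather than living on indefinitely.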
6. IoT Skill Gap
While the IoT revolution is still at the doorstep, IoT attacks have already crept in through the windows. There is a vast skill gap among employees outside the cybersecurity function. Much malware reaches business systems through malicious links or attachments in enticing emails: once the link is clicked or the attachment opened, the malware downloads and executes its commands in the background.
If the skill gap can be bridged, preventing cyber-attacks becomes easier. By regularly organizing talks on cybersecurity and periodically circulating IoT security best practices, an enterprise can educate its employees, which goes a long way toward stopping them from clicking malicious links and plugging in removable media. 'Cybersecurity Awareness and Training' programs should be put into action, and CEOs should see them as an investment in protecting digital assets, not as an expense.
IoT Security Threats and Solutions
Most IoT security issues can be avoided with training, learning, and improved awareness. But that does not stop attackers from finding vulnerabilities. Whether it is a zero-day exploit or a DDoS attack, the cybersecurity team should be prepared with effective strategies against any kind of threat.
Our experts at Sectrio have compiled a list of IoT security threats and how an enterprise can avoid them. At all times, a zero-trust stance is recommended: never share login credentials or other secrets across devices.
1. DDoS Attack via Botnets
A single ant may not be powerful, but a colony of ants can bring down the mighty. Attackers know this and put it to use. A single IoT device has little processing power, but thousands of them together have a great deal. Attackers inject malware into IoT devices, which then scan for and infect more devices, and the resulting botnet sends overwhelming numbers of requests to the targeted server until it can no longer respond.
It is difficult for anyone to tell real traffic from DDoS attack traffic in real time. Though one cannot prevent a DDoS attack, one can mitigate it by deploying tools such as a Web Application Firewall (WAF), which sits in front of the targeted server as a reverse proxy and filters malicious requests. Other measures are rate limiting, which caps the number of requests a server accepts from each client, and blackhole routing, which diverts all traffic for the target into a null route so that it no longer reaches the system, at the cost of dropping legitimate traffic too. Many DDoS attacks rely on IP spoofing, which ingress filtering at the network edge can limit. Capping the bandwidth and hardware resources any single client can consume also helps.
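Two of the measures above, rate limiting and ingress filtering, as an added example rather than code from the page: a per-client token bucket that lets a legitimate user through while a bot's burst is refused, and an edge check that drops packets whose source address is a bogon or one of the network's own prefixes (the BCP 38 idea). The bucket parameters, the documentation prefix standing in for the enterprise's own addresses, and the request stream are constructed.

```python
"""Per-client token-bucket rate limiting plus BCP 38 style ingress filtering.

Added example, not from the page. The bucket parameters, the 'internal' prefix
(203.0.113.0/24, a documentation range standing in for the enterprise's own
addresses) and the request stream are constructed for illustration.
"""
import ipaddress

# Address classes that should never be the source of a packet arriving from the
# Internet; a packet carrying one is spoofed and is dropped at the edge.
BOGON_FLAGS = ("is_private", "is_loopback", "is_link_local", "is_multicast",
               "is_unspecified", "is_reserved")


def ingress_check(src_ip: str, internal_prefixes) -> str:
    """Classify the source address of an inbound packet at the network edge."""
    addr = ipaddress.ip_address(src_ip)
    if any(addr in net for net in internal_prefixes):
        return "spoofed internal source"   # our own prefix cannot arrive from outside
    if any(getattr(addr, flag) for flag in BOGON_FLAGS):
        return "bogon source"
    return "ok"


class TokenBucket:
    """Each client earns `rate` tokens per second up to `burst`; a request costs one."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self._state = {}            # client -> [tokens, last_refill_time]

    def allow(self, client: str, now: float) -> bool:
        tokens, last = self._state.get(client, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        allowed = tokens >= 1
        self._state[client] = [tokens - 1 if allowed else tokens, now]
        return allowed


def demo() -> dict:
    internal = [ipaddress.ip_network("203.0.113.0/24")]
    # 93.184.216.34 is just a routable public address standing in for a real client.
    filt = {ip: ingress_check(ip, internal)
            for ip in ("93.184.216.34", "10.0.0.5", "203.0.113.9", "127.0.0.1")}
    bucket = TokenBucket(rate=2.0, burst=5)
    # A bot fires 8 requests in 100 ms: the first 5 spend the burst, the rest are refused.
    burst = [bucket.allow("bot-1", i * 0.0125) for i in range(8)]
    legit = bucket.allow("user-7", 0.1)       # another client has its own bucket
    later = bucket.allow("bot-1", 3.0)        # 3 s later the bot has refilled (capped at 5)
    return {"filter": filt, "burst": burst, "legit": legit, "later": later}


if __name__ == "__main__":
    print(demo())
```

Per-client buckets are keyed on whatever identifies the client; against spoofed sources that key is unreliable, which is exactly why ingress filtering is listed alongside rate limiting rather than as an alternative to it.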
2. Zero-Day exploits
There have been cases where attackers discovered vulnerabilities in application code before the developers did. Capitalizing on the situation, they use these exploits to enter networks and create chaos. Operation Aurora, attributed to the 'Elderwood' group, is a classic case of a zero-day exploit: tech giants such as Google, Yahoo, Adobe Inc., and dozens of other companies were victims, and sensitive information was reportedly compromised.
Keeping an inventory of third-party and open-source components and patching them promptly, rigorous code testing, beta testing, and code review by experts outside the organization are a few ways to limit exposure to zero-day exploits. If the code has already shipped, the development team should try to break into the application with an attacker's mindset. Regular vulnerability scanning, input validation and sanitization, deploying a WAF, and regular patch management help in finding and closing exploitable flaws.
3. Ransomware attack
The GDP of more than 90 countries is less than the projected cost of ransomware attacks in 2022, $20 billion. This statistic can keep security managers and the C-suite awake at night worrying about their digital assets. Attackers take control of critical data, IoT devices, security systems, thermostats, and anything else they can reach and demand a ransom. Upon receiving the payment, they may or may not relinquish control.
Enterprises should always keep recent backups of their critical data; this matters when deciding whether or not to pay a ransom. At all times, the corporate, IoT device, and payment networks should be kept separate. Smart-home owners should ensure that all endpoints on the network are secured and well protected. Enterprises should run thorough anti-malware scans from time to time, under the supervision of an expert cybersecurity team.
4. Eavesdropping and Espionage
A smart light bulb is enough to hack into a network. This line is not from a James Bond film; Israeli researchers proved it in real life. IoT devices are an excellent choice for eavesdropping: attackers can modify them and use them to record audio and video. It is a constant threat across business, politics, and even an individual's life, and industrial and political espionage can do real damage to a country's economy.
Only buy IoT devices from certified, branded, reliable, and compliant manufacturers. Bandwidth and other resource usage should be continuously monitored. Devices should be thoroughly checked and tested before installation for bugs and for any spying electronics.
5. Social Engineering attack
The likelihood of responding to an email that has your pet's name in the subject is ten times greater than for a regular marketing email. Attackers spend hours compiling a profile of an individual: social media profiles, company details, blogs (if any), contact information, and everything else they can get. They then use this information to convince you that they know you in person and try to execute the attack. Attackers are incredibly patient and manipulative.
When you receive an email from someone who claims to know you in person, ask them to furnish their details along with identification proof, and only engage in conversation if you actually recollect them. Keep your business email, personal email, and banking email separate. It is best to have separate personal and work laptops.
IoT Security Standards
Whether you are buying off the shelf at a local electronics store or placing an order on Amazon, buy only certified IoT devices. Internationally, numerous agencies and trade organizations (both governmental and non-governmental) have come forward with recommended sets of practices for making an IoT device secure before it is launched onto the market.
Depending on the geographical location and the local laws, manufacturers and developers can follow cybersecurity standards as per the chosen framework. Major IoT security frameworks are as follows:
- ETSI EN 303 645 – The European Telecommunications Standards Institute's baseline standard for consumer IoT sets out 13 provisions, broken down into individual requirements and recommendations, aimed at organizations involved in the manufacturing and development of consumer IoT devices.
- NIST IoT Security Framework – Developed by the National Institute of Standards and Technology, the NISTIR 8259 series (for manufacturers) and the SP 800-213 series (for federal agencies), together with Executive Order 14028, which directed NIST to define security and labeling criteria for consumer IoT devices, guide manufacturers and developers of IoT devices toward higher security standards.
- US FTC – The US Federal Trade Commission aims to bring in government regulations that manufacturers and developers are legally bound to comply with, improving the security posture of IoT devices across the nation.
- ENISA – The European Union Agency for Cybersecurity (formerly the European Union Agency for Network and Information Security) lays the foundation for upcoming developments and initiatives in cyberspace and helps foster IoT security compliance standards in Europe.
10 Essential Requirements for a secure IoT device ecosystem
- Unique and complex passwords. No default/regular passwords
- Constant software updating and security patching.
- Encrypted communication channels
- Minimizing the attack surface
- Robust backup and resilience plan
- 100% device visibility and management
- Separate networks for corporate and IoT devices
- Adopting a zero trust policy and two-factor authentication
- Implementing Micro-segmentation
- Regular vulnerability scans and checks across the entire system
Millions of enterprises are waking up to the harsh reality that cybersecurity threats are real and that their enterprise could well be the next target. In recent times, considerable budget allocations have been made toward IoT security and cybersecurity, opening the door to a large and rapidly growing market. The IoT security market is expected to grow at a CAGR of 21.2% during 2022 – 2029, reaching $59.16 billion by 2029.
State of Enterprise IoT Security in North America
Enterprises located in North America account for over 50% of the total IoT security market globally. With thousands of North American enterprises offering digital services to global clients, the cybersecurity risk is heightened. According to a Statista IoT security market report, over two-thirds of US companies paid a ransom to recover from a ransomware attack in 2020. On average, US companies spent $8.4 million after a reported security breach in 2020, roughly 2.4 times the 2006 average of $3.54 million, while the average cost of a breach globally was $3.86 million. These IoT security stats can be hard to digest, but they paint a true picture of the state of enterprise security in North America, and the US in particular.
It is no surprise that over 65% of companies have more IoT devices on their network than computers. The IoT skill gap is most evident in large companies because of the division of labour. Hacking groups primarily target service industries, healthcare, grocery outlets, payment gateways, and other industries whose applications run on large volumes of user data.
Third-party providers of HVAC and other building systems are given access to the main network to minimize operating costs, since it is cheaper to 'maintain' than to 'train' or 'hire skilled' staff. A security failure at the third-party provider can open the way for attackers into the main network.
Fewer than 20% of enterprises are confident about their IoT security deployments. Most do not have full visibility and management of their IoT devices, and it would take weeks or even months to identify an attacker's point of entry if such an establishment were compromised.
Despite the many frameworks and guidelines available to IoT device manufacturers and developers, only a few follow them. Skipping compliance often lowers the price of a product in the open market, which lures many enterprises. For this to end, governments should bring in stringent regulations to ensure that industry standards are met for IoT devices. Organizations that are more exposed because of their position in the market need a robust plan along the lines of Identify, Protect, Detect, Respond, and Recover. Backing up data regularly helps during a ransomware attack. Modern cybersecurity and IoT solutions come with AI and ML embedded into them, along with automatic alert triage.
The increased budget allocations toward IoT security management tools and services are a glimmer of hope at the enterprise level. CISOs (Chief Information Security Officers) should proactively explain the security posture to every employee in the company, and it is the CISO who needs to set the schedule of IoT security best practices that keeps the enterprise safe. There are hundreds of IoT security companies that promise a full suite of cybersecurity services; the choice of provider should be made only after an in-depth study of the firm's experience and the team on board.
Can IoT Security issues hinder IoT Revolution?
No. Pessimists might take a different view, but we at Sectrio strongly believe that to advance we need to move forward, putting aside fears and inhibitions. There is no doubt that the frequency, complexity, and nature of cyber threats are increasing every hour. But on the same note, security researchers are coming up with robust tools and technology to keep these threats at bay. By following recommended IoT security best practices, most threats can be avoided, and even if an attacker infiltrates the network, a robust cybersecurity system such as the one Sectrio provides lets the threat be mitigated in a short span and the network be restored within hours.