In our previous blog, we talked about the various IoT devices and technologies for businesses. We also highlighted that the widespread adoption of IoT brings with it inherent cybersecurity risks to your business. In this blog post, we will talk about IoT security and ways to secure your IoT infrastructure.

This blog post will cover the following topics:

1. Understanding IoT Security Risks

2. Objectives Of IoT Security

3. Common IoT Vulnerabilities

4. IoT Security Layers

5. How To Secure IoT Devices

IoT technology aims at providing a connected digital identity to physical objects and networking them together to benefit from their data gathering and interconnectivity. Analysis of the data gathered by the IoT devices intends to improve quality of life, efficiency, and reduce costs. However, along with all the benefits, IoT also brings in serious questions about data responsibility, privacy, and more importantly about security.

Let’s take the case of a smart connected office that includes smart meters, IoT-connected security cameras, smart lighting, and smart doors. When all of these connected devices function as expected, they create a reliable and efficient system that is secure. The business owner can benefit not just from the efficiency brought by the devices but also from the insights generated from the data gathered by those devices.

However, if a cybercriminal is able to gain access to one apparently innocuous device, they will practically gain access to your entire IoT infrastructure and in the worst case your entire network. For instance, a hacker may gain access to the security camera feeds via your smart lighting. This security concern has become even more critical as more businesses are opting for “work-from-home” exposing their corporate networks to vulnerable IoT devices on employees’ home networks.

According to Bitdefender’s 2020 business threat landscape report, 45% of security professionals believe that IoT devices in employee home networks pose serious security risks as they could be easily controlled by remote hackers. Researchers have also found serious security and privacy issues in different smart doorbells available on reputed online marketplaces such as Amazon and eBay.

Therefore, it is clear that the security of even the smallest, seemingly unimportant IoT device is important for the overall security of the business network. This is even more critical considering that the reach of IoT goes beyond the control of devices at homes and businesses and into the realm of data governance and privacy.

The primary objective of your IoT security strategy is to reduce business risks. You will need to establish controls to ensure the unhindered availability of the IoT services as well as the confidentiality, integrity, and availability of the data gathered by those devices. Therefore, for your IoT security strategy to be successful, it needs to address the following three key foundational principles:

• Confidentiality

The confidentiality principle requires you to ensure that the generated data and information is confined to the users and systems that are authorized to access them.

• Availability

The availability principle requires you to ensure that the service continuity of your IoT system and data is maintained.

• Integrity

The integrity principle requires you to protect your systems and data against unauthorized changes and ensure that the data and information generated can be trusted.

We know that security is a big issue with IoT but what specifically are these issues? Here’s a list of the most common IoT vulnerabilities:

1. Weak passwords and hardcoded credentials

2. Insecure network services exposed to the internet

3. Insecure interfaces with weak or lacking authentication or encryption

4. Lack of an update mechanism

5. Data transfer and storage without encryption

6. Lack of asset management

1. Devices

Connected devices and their interactions with the users and environment are at the core of IoT technologies. A lot of the value generated by an IoT device comes from the data collected. Therefore, it is essential to ensure that the data being collected and transmitted can be trusted. In order to achieve this, we need to establish that the devices are what they say they are. Device Identification & Authentication, therefore, plays a crucial role in establishing trust in an IoT system.

Without proper verification of devices, cybercriminals could easily disguise their own machines as an IoT device on your network and gain unauthorized access to your network and data. Secure IoT devices, therefore, need to have unique and private digital identities right from the point of manufacture that is secure and avoids potential tampering or cloning.

It is also essential to ensure that the firmware and application codes on the device are genuine and haven’t been manipulated. The easiest way to achieve this is to purchase your IoT devices only from authorized dealers. Also, pay special attention to data encryption because it is the principal tool for keeping your data secure. The data must be encrypted both at rest and during transmission. In no case should you allow data to be stored or transmitted in plaintext.

2. Gateways And Connections

Gateways and connections enable IoT devices to connect with other devices, networks, applications, and to share data. The IoT devices usually lack storage and computing power and this is where the gateways play an important role. They act as the bridge between the devices and the cloud, providing functions such as data consolidation, encryption, and long-range communication for further data transfer. Devices in your gateways layer must be able to verify the device identities and routing information of all connected devices. 

3. Cloud Applications

As you might already know, all the magic of IoT happens in the cloud. The cloud applications that perform all the storage and computing on the data generated by the IoT devices reside in this layer. It filters, analyzes, and draws insights from the swathes of collected data and sends instructions back to the devices helping improve performance, efficiency, and quality of life.

Just as in the case of the devices, the identity of the applications also needs to be verified. The systems and applications where data is being sent to and instructions received from must be verified as genuine to prevent misuse. And again, it goes without saying that data encryption needs to be a standard in this layer.

4. Users

When it comes to security, if IoT devices have a bad reputation, users aren’t too far behind. People are often considered the weakest link in your security system. Therefore, you need to treat the users of IoT devices as a critical link. It doesn’t matter how innocuous the device may appear, be it the voice assistant or the connected music system, you need to establish access control. Users of systems, platforms, and applications must be verified to prevent unauthorized access and misuse.

Now that we have some understanding of the threats, vulnerabilities, and security layers, let’s take a look at some simple steps that will help you secure your IoT devices and network.

1. Create A Segregated Network For IoT Devices

Most IoT devices connect wirelessly and most businesses allow these devices to connect directly to their internal network. This may open up your network to unauthorized access because the IoT devices have many vulnerabilities. Therefore, you should ideally put your IoT devices on their own wireless network, segregated from your internal network and allowing Internet access only.

You can easily segment your network with business-grade network equipment by creating a separate service set identifier (SSID) and virtual LAN (VLAN). You can route the traffic through a separate firewall with strict security rules. The SSID can also be assigned different policies, encryption, authentication, etc. in order to ensure an added level of security. Your IoT devices thus run on the same network hardware but on a separate VLAN.

2. Define Security Standards For IoT Devices

IoT devices don’t yet have the same security and maintenance standards as your other network devices. Due to this, it is quite possible that you may be using devices with outdated components or operating systems, presenting a soft target to hackers. In order to mitigate this, you must clearly specify your security requirements to your vendors and apply the same level of control on IoT device vendors as you would on hardware OEMs and software companies. Make sure it’s clear who is responsible for updates as well as for providing timely updates to address identified vulnerabilities and hold them accountable for it.

You also need to create and implement IoT specific internal security standards w.r.t the following:

1. Passwords - ensure that you have a password policy in place and it is followed. Never retain default credentials, change them during installation.

2. Network Security - conduct regular network security audits to identify and fix vulnerabilities. 

3. Device Update And Management - Similar to traditional devices and software, regular software and firmware updates and password changes should be mandatory for IoT devices as well.

The above security measures ensure that known vulnerabilities are fixed in a timely manner, while also giving you the ability to adapt to the changing threat and regulatory landscape.

3. Implement Access Control

Access restriction is such a simple, yet effective tool that can mitigate many of the data security risks. By simply restricting access, unauthorized remote access, which is a common method used by hackers, can be mitigated. Grant access only on a need basis and revoke when no longer needed. Maintain proper documentation listing all authorized users. However, this is not restricted to users, maintain a similar posture on all access and rules on your IoT network firewall.

4. Don’t Allow IoT Devices To Initiate Network Connections

By limiting the ability of your IoT devices to initiate network connections, you can mitigate the risk of attackers gaining access to your internal systems. The devices should ideally be connected via network firewalls and access control lists. While this cannot prevent your IoT devices from getting hacked, it will prevent the hackers from moving laterally to gain access to your internal network. You can also direct the IoT connections to go through a network proxy, where it can be verified if the traffic is appropriate for the IoT device to be receiving or transmitting.

Conclusion: IoT Security Is A Critical Investment

IoT technology, at least at present, is a double-edged sword. On one hand, it offers endless possibilities of efficiency, performance, and cost-effectiveness. But on the other, due to its nascent stage of development, it carries many security risks. In order to stay competitive, you will most likely adopt IoT technologies. With this, you will put a greater burden on your security team.

IoT devices open new entry points and attack vectors that cybercriminals can use to hack into your internal systems, causing disruption, data loss, and in the worst case, regulatory fines and reputation damage. So the bottom line is, while there is a lot to gain from IoT deployment, there is much more to gain from IoT deployment with integrated security.

Are you looking for help securing your IoT infrastructure security? Reach out to us for any and all support for your IoT or general IT security needs.

If you liked the blog, please share it with your friends