Clearly, IoT security is more important than ever – but unfortunately, it is also more challenging than ever.
Some background: The COVID-19 pandemic and the lockdowns of 2020 threw all analysts’ forecasts into disarray, but as the economy begins to emerge from the crisis, IT spending is expected to recover, including growth in the Internet of Things (IoT).
The Internet of Things (IoT) is not a single category, but rather encompasses many industries and use cases. Forrester Research predicts that by 2021, the growth of the IoT market will be driven by healthcare, smart offices, location services, remote asset monitoring, and new networking technologies.
This is largely driven by the aftermath of COVID-19. The explosive growth of remote work, and telemedicine, has contributed to this trend. New devices are emerging to diagnose patients who cannot or will not see a doctor.
One of the key issues associated with the successful adoption of the Internet of Things (IoT) is having adequate security mechanisms. This is especially important for IoT medical devices, as healthcare is subject to strict regulation for privacy reasons.
It's not just about protecting specific IoT devices, but protecting all devices. If hacked, your connected refrigerator might not pose a significant threat to your home security, but it can act as a gateway to more important devices on your home network. Then it becomes just as crucial as a heart monitor.
The same applies to the Industrial Internet of Things (IIoT). Last summer, news broke that Russian hackers had breached the control systems of a US nuclear power plant. Such compromises have had a significant impact on global manufacturing operations.
Therefore, it is not surprising that IoT security has been a top priority for IT managers for some time.
Understanding the Internet of Things and its Complexities
The Internet of Things (IoT) is a collection of devices connected to the internet; these IoT devices are not traditional computing devices. Think of electronic devices that were never connected in history, such as photocopiers, refrigerators, heart and blood glucose meters, and even coffee makers.
The Internet of Things (IoT) is a hot topic because it connects previously unconnected devices and brings connectivity to places and things that are usually isolated. Research shows that the biggest benefits for companies adopting IoT are increased employee productivity, better remote monitoring, and streamlined processes.
What should you know about IoT security?
For years, an unfortunate pattern has emerged in the tech world: we rush to embrace new things and then later ensure their security. This is true of IoT devices. They frequently make the news due to hacking attacks, ranging from minor to serious threats.
Internet of Things (IoT) security is a top concern for the Department of Homeland Security, which has authored a lengthy paper on the security of IoT devices. Although the document is five years old and the IoT world has changed significantly, many of the principles and best practices outlined in it remain valid and worth considering.
Research from 51Research shows that 55% of IT professionals consider IoT security a top priority, and that number is likely to grow. So, how can you protect your IoT devices? There are many areas to explore.
1) Assume that each IoT device needs to be configured
When the market sees the emergence of smart litter boxes and smart salt shakers, you know we're at or nearing the peak of IoT device adoption. However, don't overlook these features, nor assume they're secure out of the box. Leaving them unconfigured or unlocked creates a vulnerability for hackers, regardless of the device.
2) Understand the equipment
You must know which types of devices are connected to your network and maintain a detailed, up-to-date inventory of all connected IoT assets.
You should always keep your asset map up-to-date with every new IoT device that connects to the network and learn as much as possible about it. This includes information such as the manufacturer and model ID, serial number, software and firmware version, and more.
3) Requires strong login credentials
People tend to use the same username and password on all their devices, and the passwords are usually very simple.
Ensure each employee's login is unique and require a strong password. If available, use two-factor authentication and always change the default password on new devices. To ensure trusted connections, use Public Key Infrastructure (PKI) and digital certificates to provide a secure foundation for device identity and trust.
4) Use end-to-end encryption
Connected devices communicate with each other, and when they do so, data is transmitted from one point to another, often without encryption. You need to encrypt the data on each transmission to prevent packet sniffing (a common form of attack). Devices should have options for encrypted data transmission. If not, consider other options.
5) Ensure equipment is updated
Make sure to update your device upon first use, as firmware and software may have been updated between the device's production and purchase. If your device has an automatic update feature, enable it so you don't have to update manually. Regularly check your device to see if any updates are needed.
On the server side, change the router's name and password. By default, routers are usually named after the manufacturer. It is also recommended that you avoid using company names on your network.
6) Disable features you don't need.
A good step in protecting your device is to disable any features or functions you don't need. This includes open TCP/UDP ports, open serial ports, open password hints, unencrypted communication, insecure radio connections, or anywhere code injection is possible, such as web servers or databases.
7) Avoid using public Wi-Fi
Using Wi-Fi at Starbucks is not a good idea, especially when you're connected to your own network.
Public Wi-Fi access points are often old, outdated, and unupgraded, and their security is easily compromised. If you must use public Wi-Fi, please use a VPN (Virtual Private Network).
8) Establish a customer network
A guest network is a great security solution for guests who want to use your Wi-Fi at home or in the office. The guest network provides them with network access but isolates them from the main network, so they cannot access your systems.
You can also use a guest network for your IoT devices, so that if the devices are compromised, the hacker will be trapped in the guest network.
9) Use network segmentation
Network segmentation refers to dividing a network into two or more sub-segments to allow for fine-grained control over the lateral movement of traffic between devices and workloads. In an unsegmented network, nothing is isolated. Each endpoint can communicate with every other endpoint, so once a hacker breaches your firewall, they have full access. In a segmented network, it becomes much more difficult for a hacker to move.
Enterprises should use Virtual Local Area Network (VLAN) configurations and next-generation firewall policies to implement network segments that separate IoT devices from IT assets. This way, both groups can be protected from the possibility of lateral movement attacks.
Deploying a zero-trust network architecture could also be considered. As the name suggests, zero trust essentially protects every digital asset and does not assume trust in other digital assets, thus limiting the movement of unauthorized users.
10) Proactively monitor IoT devices
We cannot overemphasize this point: real-time monitoring, reporting, and alerts are essential for organizations to manage IoT risks.
Traditional endpoint security solutions often don't work with IoT devices, necessitating a new approach. This means real-time monitoring of anomalous behavior. Like zero-trust networks, don't allow IoT devices to access your network without continuous monitoring.
