Time to enhance Edge IoT security – from devices to people and processes

IoT security challenges in emerging technologies

By 2025, analysts predict that the Internet of things (IoT) will cover roughly 20 billion connected devices. The new emerging technology is becoming a reality everywhere – from Industry 4.0 to autonomous vehicles roaming the open road. This is changing how enterprises collect, exchange, analyze and extrapolate vast amounts of data to gather insights on essentially everything. From understanding consumer behavior and improving business efficiencies to reducing operational costs and enhancing overall workplace safety, IoT data is enabling organizations to do more. 

The scale of IoT is unprecedented – but so are the cybersecurity threats it leaves open. The surface area for attacks has expanded dramatically over the last decade, with unprotected, unpatchable gadgets that have given cybercriminals the opportunity to hack, compromise and control devices.

Vulnerable connected devices have been exploited to attack national state surveillance, to bring down some of the biggest websites, including PayPal, Spotify and Twitter via DDOS attacks (Mirai), and to paralyze one fifth of the world’s shipping capacity using ransomware (NotPetya). The future holds many new threats and Gartner predicts that, by 2022, IoT security attacks due to lack of insight into edge and third-party device providers will increase by 35%. (Source: Gartner: Predicts 2019: Infrastructure Services. Updated on April 2020, published Dec 2018.)  

When companies embark upon their IoT journey, they soon realize there is no silver bullet nor one-time effort to make IoT devices completely safe. However, we believe there are three important security approaches companies need to consider to mitigate the risks.

1. Prevent security breaches by enhancing IoT device security 

Securing endpoints is essential because the attack surface grows with each new deployment. Unlike phones and computers, which are often regarded as secure and trusted, IoT devices are more challenging to protect. IoT assets range across a huge variety of different types of non-standard devices with limited on-board security capabilities. These devices are often shipped with vulnerabilities and might not be supported with new patches from vendors throughout the intended device lifecycle, allowing hackers to launch inconspicuous attacks. For companies to secure IoT devices, there are some best practices organizations must employ:

Security hygiene – Inadequate employee security routines account for a large chunk of security breaches. In fact, 50% of security breaches are caused mainly or partly by human error according to Næringslivet sikkerhetsråd’s survey. IoT devices are no exception, but many of these breaches can be mitigated by creating solid security hygiene routines.

• Maintain a list of approved IoT devices and enforce cybersecurity policies to block unsecure new devices from networks.  
• Continuously update firmware and software, remove end-of-life devices that are not receiving new updates and build in security policies.  
• Turn off devices that are not actively in use to reduce the window of time in which they can be hacked.

IoT Blind spots – Unmanaged devices in networks have been expanding vulnerable blind spots, as it is difficult to defend networks without visibility into these devices. To decrease this risk, companies should separate the main network from the IoT network in order to isolate these devices and ensure comprehensive visibility of the corporate network.

2. Understand data and apply data protection

Research from Zscaler shows that 91.5 % of transactional data from IoT devices contained plaintext, which means that hackers could intercept, read and manipulate unencrypted data – and then send it back unnoticed. Therefore, protecting the physical device that stores and processes data is just one part of preventing cybercriminals from obtaining sensitive data. The other part is about protecting the data journey, when data is at-rest, in-transit or in-use across the different entities in the IoT value chain. This means that all parties involved in the value chain must ensure intruders cannot observe and manipulate data – thus avoiding the possibly fatal outcomes of these breaches. Just consider the consequences of security lapses for sensitive applications like heart monitors in healthcare and self-driving cars when securing data across all its stages. Here are some simple pro-active steps to take to keep data safe:

• Understanding the data – The first step to securing data is to understand the nature of the data, including what is important and sensitive information, before identifying who does and does not have access.  

• Encrypt everything – To secure the data journey, an encrypt everything approach is necessary. End-to-end data encryption makes it difficult to extract information, even when device security fails, because the data would still be unreadable. However, it is important to consider the limited resources of devices and use tailored encryption tools.  

• Track and trace – The last step is to protect networks through strong authentication and establish protocols for tracking the source of any changes to relevant data.

3. Take a holistic approach to IoT security (people, process and technology)

Securing devices and the data itself is just part of the equation. To secure the whole IoT solution, companies must strive for a holistic approach to security that accounts for technologies, people and processes. There are some key approaches to consider when securing end-to-end IoT solutions: 

End-to-end ecosystem security – the IoT security environment must be managed and orchestrated both horizontally (device to end-user service) and vertically (hardware to applications), and this includes the ecosystem of collaborators like device manufacturers, network providers, platform providers, app developers and end-users. 

Organizational alignment of IoT security – The ownership and responsibility of the different parts of the IoT value chain can be quite scattered, so the dilemma of who is accountable for what naturally arises. For manufacturing companies IoT solution can for example involve an OT operational group, the IT department and the security department, each of which separately owns tools and processes to manage security. This can result in a siloed approach to security, with data seen out of context and complex internal processes. There are multiple ways for organizations to achieve alignment around security:  

• Get rid of data silos – gather and contextualize data into a single reliable source. 
•  Apply real-time analysis, AIOps and automation to reveal insight and predict and prevent breaches. 
• Integrate workflows across departments to effectively utilize real-time information.

Conclusion

As IoT mass-adoption is yet to come, many companies are still in a great position to prepare and undertake continuous efforts to combat threats. These efforts will demand a focus on people, processes, and new security technologies. 

Contact us to enhance your edge IoT security.