There are three important security approaches companies need to think about to mitigate edge IoT security risks. Vinh Quang Nguyen and Debanjan Dey discuss them in their blog.
By 2025, analysts predict that the Internet of things (IoT) will cover roughly 20 billion connected devices. The new emerging technology is becoming a reality everywhere – from Industry 4.0 to autonomous vehicles roaming the open road. This is changing how enterprises collect, exchange, analyze and extrapolate vast amounts of data to gather insights on essentially everything. From understanding consumer behavior and improving business efficiencies to reducing operational costs and enhancing overall workplace safety, IoT data is enabling organizations to do more.
The scale of IoT is unprecedented – but so are the cybersecurity threats it leaves open. The surface area for attacks has expanded dramatically over the last decade, with unprotected, unpatchable gadgets that have given cybercriminals the opportunity to hack, compromise and control devices.
Vulnerable connected devices have been exploited to attack national state surveillance, to bring down some of the biggest websites, including PayPal, Spotify and Twitter via DDOS attacks (Mirai), and to paralyze one fifth of the world’s shipping capacity using ransomware (NotPetya). The future holds many new threats and Gartner predicts that, by 2022, IoT security attacks due to lack of insight into edge and third-party device providers will increase by 35%. (Source: Gartner: Predicts 2019: Infrastructure Services. Updated on April 2020, published Dec 2018.)
When companies embark upon their IoT journey, they soon realize there is no silver bullet nor one-time effort to make IoT devices completely safe. However, we believe there are three important security approaches companies need to consider to mitigate the risks.
Securing endpoints is essential because the attack surface grows with each new deployment. Unlike phones and computers, which are often regarded as secure and trusted, IoT devices are more challenging to protect. IoT assets range across a huge variety of different types of non-standard devices with limited on-board security capabilities. These devices are often shipped with vulnerabilities and might not be supported with new patches from vendors throughout the intended device lifecycle, allowing hackers to launch inconspicuous attacks. For companies to secure IoT devices, there are some best practices organizations must employ:
Security hygiene – Inadequate employee security routines account for a large chunk of security breaches. In fact, 50% of security breaches are caused mainly or partly by human error according to Næringslivet sikkerhetsråd’s survey. IoT devices are no exception, but many of these breaches can be mitigated by creating solid security hygiene routines.
IoT Blind spots – Unmanaged devices in networks have been expanding vulnerable blind spots, as it is difficult to defend networks without visibility into these devices. To decrease this risk, companies should separate the main network from the IoT network in order to isolate these devices and ensure comprehensive visibility of the corporate network.
Research from Zscaler shows that 91.5 % of transactional data from IoT devices contained plaintext, which means that hackers could intercept, read and manipulate unencrypted data – and then send it back unnoticed. Therefore, protecting the physical device that stores and processes data is just one part of preventing cybercriminals from obtaining sensitive data. The other part is about protecting the data journey, when data is at-rest, in-transit or in-use across the different entities in the IoT value chain. This means that all parties involved in the value chain must ensure intruders cannot observe and manipulate data – thus avoiding the possibly fatal outcomes of these breaches. Just consider the consequences of security lapses for sensitive applications like heart monitors in healthcare and self-driving cars when securing data across all its stages. Here are some simple pro-active steps to take to keep data safe:
Securing devices and the data itself is just part of the equation. To secure the whole IoT solution, companies must strive for a holistic approach to security that accounts for technologies, people and processes. There are some key approaches to consider when securing end-to-end IoT solutions:
End-to-end ecosystem security – the IoT security environment must be managed and orchestrated both horizontally (device to end-user service) and vertically (hardware to applications), and this includes the ecosystem of collaborators like device manufacturers, network providers, platform providers, app developers and end-users.
Organizational alignment of IoT security – The ownership and responsibility of the different parts of the IoT value chain can be quite scattered, so the dilemma of who is accountable for what naturally arises. For manufacturing companies IoT solution can for example involve an OT operational group, the IT department and the security department, each of which separately owns tools and processes to manage security. This can result in a siloed approach to security, with data seen out of context and complex internal processes. There are multiple ways for organizations to achieve alignment around security:
As IoT mass-adoption is yet to come, many companies are still in a great position to prepare and undertake continuous efforts to combat threats. These efforts will demand a focus on people, processes, and new security technologies.
Contact us to enhance your edge IoT security.
Vinh heads edge computing and IoT enablement and has experience from taking new ideas to the market. He is passionate about building the future IT backbone of society to enable next-gen services. If you are curious about what’s cooking in the IoT space at TietoEVRY – you can connect with him through LinkedIn.
Debanjan is currently working in automation and security practice in private cloud and edge as head of service security and has experience across all areas of Information Security, Enterprise Risk Management, AIOPs Platform, Hybrid Cloud Security Strategy, IoT Security, Technology Risk Consulting, Regulatory Compliance and Privacy. To know more about how you can safeguard and secure your business IT transformation – you can connect with him on LinkedIn.