Last year, Congress passed the Internet of Things Cybersecurity Improvement Act of 2020. This piece of legislation requires the National Institute of Standards and Technology (NIST) to develop a set of standards and guidelines “on the appropriate use and management by agencies of IoT devices owned or controlled by an agency and connected to information systems owned or controlled by an agency, including minimum information security requirements for managing cybersecurity risks associated with such devices.” While the bill is certainly a step in the right direction, its application is limited to government agencies, leaving out other industries, which have also been experiencing an explosion of connected technologies, or IoT.
In 2020, there were 11.7 billion active IoT devices. That number is expected to increase almost threefold within the next few years, reaching 30.9 billion by 2025.
While IoT devices – be it smart assistants, fitness trackers, smart security systems, or industrial-level sensors – have increased our productivity and quality of life both as consumers and businesses, they have also unleashed a storm of cyberattacks. IoT devices have a number of vulnerabilities, which, if not addressed, can compromise the security of your entire network, whether you are a government agency, a manufacturing facility, or a utility provider.
What are the cybersecurity vulnerabilities of connected technologies, and what can you do to address them? This is what we are going to discuss today.
IoT cybersecurity vulnerabilities
IoT technologies are increasingly utilized in a variety of sectors: equipment monitoring and patient care in the healthcare vertical; smart buildings and waste management in infrastructure; speed, temperature, and pressure sensors in industrial systems; the list goes on. Global IoT spending is predicted to exceed $1 trillion in 2022 and reach $1.1 trillion in 2023. Discrete manufacturing, process manufacturing, and transportation will be responsible for nearly a third of that spending.
5G will only accelerate the adoption of IoT devices – think smart cities, telemedicine, robotics, etc.
“To attack IoT devices, cyber criminals often probe the devices for security vulnerabilities and then install malicious software (“malware”) to surreptitiously control the device, damage the device, gain unauthorized access to the data on the device, and/or otherwise affect the device’s operation without permission,” explains the Cybersecurity Unit of the Justice Department. These are some of the most common vulnerabilities that hackers can exploit:
- Lack of a strict password management system. Users often make the mistake of keeping a device’s factory settings, including its default password, assigning a weak password to a device, or using the same password for multiple devices.
- Failure to customize the network settings of a device. Smart devices may have unnecessary or exposed network services running on them without you even knowing. IoT devices communicate with other endpoints in the network, typically (and hopefully) over a secure internet connection. However, if a device is running insecure network services in parallel, the entire secure network can be compromised.
- Failure to ensure a secure environment around IoT devices. IoT technologies can be controlled remotely; they communicate with other devices and systems inside a network – the benefits of IoT are also its threats. These devices come with their own ecosystem – mobile applications, computer software, APIs, etc. The entire ecosystem of a device needs to be integrated securely into the existing network.
- Unpatched vulnerabilities. As the number of smart devices and their complexity increase, IT departments struggle to keep the underlying firmware and patch versions up to date. For example, the fixes to the vulnerabilities identified in the Cisco Discovery Protocol were delivered in 2019. Yet, in 2020, 80% of IoT devices affected by the vulnerabilities remained unpatched.
- Failure to physically secure IoT devices. Cyberattacks do not always happen remotely. If the physical access to your devices is compromised, chances are that the rest of your network will get compromised.
- Insecure data storage and transmission. IoT devices collect and transmit data. Often, IT departments fail to extend their data privacy, storage, and transmission practices, which include encryption, to the IoT technologies, compromising the security of the data.
All of these vulnerabilities can be used as a window of opportunity for hackers to infect your devices with malware and launch a large-scale botnet attack, bringing down part or the entirety of your network and gaining unauthorized access to data. Furthermore, hackers, especially nation-state actors, can use their access to IoT devices to launch stealth long-term attacks – turning a device into a microphone and listening in on the conversations, monitoring email communication, etc.
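As an added example (not part of the original article), the weaknesses in the list above can be checked against a device inventory. The inventory schema, firmware baselines, port policy and sample records are constructed assumptions.

```python
from collections import defaultdict

# Assumed policy inputs; models, versions and ports are constructed for this example.
MIN_FIRMWARE = {"cam-x": (2, 4, 1), "sensor-t": (1, 9, 0)}
ALLOWED_PORTS = {443, 8883}            # HTTPS, MQTT over TLS
CLEARTEXT_PORTS = {21, 23, 80, 1883}   # FTP, Telnet, HTTP, plain MQTT

# Constructed inventory. "credential_ref" names the vault entry a device uses,
# so two devices with the same ref share a password.
INVENTORY = [
    {"id": "cam-01", "model": "cam-x", "firmware": "2.10.0",
     "default_password": False, "credential_ref": "vault/cam-01", "open_ports": [443]},
    {"id": "cam-02", "model": "cam-x", "firmware": "2.3.9",
     "default_password": False, "credential_ref": "vault/cams", "open_ports": [443, 23]},
    {"id": "cam-03", "model": "cam-x", "firmware": "2.4.1",
     "default_password": False, "credential_ref": "vault/cams", "open_ports": [443]},
    {"id": "sensor-07", "model": "sensor-t", "firmware": "1.9.0",
     "default_password": True, "credential_ref": "factory", "open_ports": [1883, 8883]},
]

def parse_version(text):
    """Compare numerically: as strings, "2.10.0" would sort below "2.4.1"."""
    return tuple(int(part) for part in text.split("."))

def audit(inventory):
    """Return {device id: [finding, ...]} for the weaknesses in the list above."""
    users = defaultdict(list)
    for dev in inventory:
        users[dev["credential_ref"]].append(dev["id"])
    findings = {}
    for dev in inventory:
        out = findings.setdefault(dev["id"], [])
        ports = set(dev["open_ports"])
        if dev["default_password"]:
            out.append("default-password")
        if len(users[dev["credential_ref"]]) > 1:
            out.append("shared-password")
        baseline = MIN_FIRMWARE.get(dev["model"])
        if baseline is None or parse_version(dev["firmware"]) < baseline:
            out.append("firmware-below-baseline")
        extra = sorted(ports - ALLOWED_PORTS)
        if extra:
            out.append("unexpected-ports:" + ",".join(map(str, extra)))
        if ports & CLEARTEXT_PORTS:
            out.append("cleartext-service")
    return findings

if __name__ == "__main__":
    for device, issues in audit(INVENTORY).items():
        print(device, issues or "ok")
```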
How to protect your IoT ecosystem
The way to protect your IoT ecosystem and, by extension, the rest of your network is to address the vulnerabilities identified above: change the default settings, keep the devices up to date, physically secure the devices, encrypt data, and secure the applications associated with the devices.
However, the most effective way to minimize risk is to switch to a zero-trust architecture. Zero-trust models operate under the assumption that nothing and no one can be trusted by default – not outside and not inside a network – irrespective of whether they are connected to a managed corporate network or have been verified in the past. Every user, every IoT device, and every request must first be verified before being granted access. This will both reduce the risk of a successful breach and significantly reduce the scope of the damage, as multiple suspicious requests will quickly alert the IT department, who will then be able to swiftly shut down the infected area of a network.
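The per-request verification described above, as an added example that is not from the original article: each request is authenticated and authorized on its own, and repeated denials quarantine the device and raise an alert. The device registry, keys, HMAC request format and thresholds are assumptions made for this illustration.

```python
import hashlib
import hmac
import json

# Constructed registry: per-device key and the only actions each device may perform.
DEVICES = {"thermo-12": {"key": b"constructed-key-1", "allowed": {"telemetry:write"}},
           "badge-03": {"key": b"constructed-key-2", "allowed": {"door:read"}}}
MAX_SKEW, DENY_THRESHOLD = 30, 3   # assumed: seconds of validity, denials before quarantine

def sign(key, device_id, action, ts, nonce):
    msg = json.dumps([device_id, action, ts, nonce]).encode()   # unambiguous encoding
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def request(device_id, action, ts, nonce, src_ip, key):
    return {"device_id": device_id, "action": action, "ts": ts, "nonce": nonce,
            "src_ip": src_ip, "sig": sign(key, device_id, action, ts, nonce)}

class Gate:
    def __init__(self):
        self.seen, self.denials, self.quarantined, self.alerts = set(), {}, set(), []

    def _reason(self, req, now):
        dev, dev_id = DEVICES.get(req["device_id"]), req["device_id"]
        if dev is None:
            return "unknown-device"
        if dev_id in self.quarantined:
            return "quarantined"
        expected = sign(dev["key"], dev_id, req["action"], req["ts"], req["nonce"])
        if not hmac.compare_digest(expected, req["sig"]):
            return "bad-signature"
        if abs(now - req["ts"]) > MAX_SKEW:
            return "stale"
        if (dev_id, req["nonce"]) in self.seen:
            return "replay"
        self.seen.add((dev_id, req["nonce"]))
        if req["action"] not in dev["allowed"]:
            return "action-not-allowed"
        return None

    def authorize(self, req, now):
        """Decide one request; src_ip and earlier approvals are never consulted."""
        reason = self._reason(req, now)
        if reason is None:
            return "allow"
        count = self.denials[req["device_id"]] = self.denials.get(req["device_id"], 0) + 1
        if count == DENY_THRESHOLD:
            self.quarantined.add(req["device_id"])
            self.alerts.append(f"quarantine {req['device_id']}: {count} denied requests")
        return "deny:" + reason
```

Because unauthenticated denials also count toward the threshold here, anyone who knows a device ID could trigger its quarantine; a production gate would alert on those and quarantine only on authenticated violations.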
Furthermore, switching to a Secure Access Service Edge (SASE) model is ideal and goes hand-in-hand with the zero-trust infrastructure. Introduced by Gartner in 2019, SASE is a cloud-native network architecture. It is “the future of network security in the cloud,” as described by Gartner. SASE networks are distributed globally across multiple points of presence, thus offering a fast and seamless experience to users, applications, and devices. They are identity-driven, which ensures secure access.
The expansion of the IoT market is unavoidable. As 5G adoption increases, we will see increasingly complex connected systems, which will allow companies and individuals across various verticals to significantly improve their productivity. However, there are currently no overarching regulatory standards that organizations need to adhere to. As a result, each organization has to identify its own best practices for IoT cybersecurity.