The internet of things (IoT) is the vast network of connected physical objects (i.e., things) that exchange data with other devices and systems via the internet. While it refers to the actual devices, IoT is commonly used as an overarching term to describe a highly-distributed network that combines connectivity with sensors and lightweight applications, which are embedded into tools and devices. These are used to exchange data with other devices, applications, and systems for everything from smart plugs and power grids to connected cars and medical devices.

IDC defines an IoT solution as “a network of uniquely identifiable endpoints (or things) that communicate without human interaction using IP connectivity—whether locally or globally. IoT brings meaning to the concept of ubiquitous connectivity for businesses, governments, and consumers with its innate management, monitoring, and analytics.”

Driven by low-cost computing and the cloud, IoT has become one of the most ubiquitous connected technologies with billions of instances around the world. IoT bridges the digital and physical worlds with seamless, streaming communications for everyday consumer products and complex industrial systems.

What Is IoT Security?

IoT security is an umbrella term that covers the strategies, tools, processes, systems, and methods used to protect all aspects of the internet of things. Included in IoT security is the protection of the physical components, applications, data, and network connections to ensure the availability, integrity, and confidentiality of IoT ecosystems.

Security challenges abound because of the high volume of flaws regularly discovered in IoT systems. Robust IoT security includes all facets of protection, including hardening components, monitoring, keeping firmware updated, access management, threat response, and remediation of vulnerabilities. IoT security is critical because these systems are sprawling and vulnerable, making them a highly targeted attack vector. Securing IoT devices from unauthorized access ensures that they do not become a gateway into other parts of the network or leak sensitive information.

IoT security vulnerabilities are found in everything from vehicles and smart grids to watches and smart home devices. For example, researchers found webcams that could be easily hacked to gain access to networks and smartwatches containing security vulnerabilities that allowed hackers to track the wearer’s location and eavesdrop on conversations.

“We found that the general security posture of IoT devices is declining, leaving organizations vulnerable to new IoT-targeted malware as well as older attack techniques that IT teams have long forgotten.”

Unit 42 IoT Threat Report

The Importance of IoT Security

IoT is widely believed to be one of the most significant security vulnerabilities that impact nearly everyone—consumers, organizations, and governments. For all of the convenience and value derived from IoT systems, the risks are unparalleled. The importance of IoT security cannot be overstated, as these devices provide cybercriminals with a vast and accessible attack surface.

IoT security provides the vital protections needed for these vulnerable devices. Developers of IoT systems are known to focus on the functionality of the devices and not on security. This amplifies the importance of IoT security and the need for users and IT teams to take responsibility for implementing protections.

IoT Security Challenges

As noted above, IoT devices were not built with security in mind. This results in myriad IoT security challenges that can lead to disastrous situations. Unlike other technology solutions, few standards and rules are in place to direct IoT security. In addition, most people do not understand the inherent risks with IoT systems. Nor do they have any idea about the depth of IoT security challenges. Among the many IoT security issues are the following:

  • Lack of visibility
    Users often deploy IoT devices without the knowledge of IT departments, which makes it impossible to have an accurate inventory of what needs to be protected and monitored.
  • Limited security integration
    Because of the variety and scale of IoT devices, integrating them into security systems ranges from challenging to impossible.
  • Open-source code vulnerabilities
    Firmware developed for IoT devices often includes open-source software, which is prone to bugs and vulnerabilities.
  • Overwhelming data volume
    The amount of data generated by IoT devices makes data oversight, management, and protection difficult.
  • Poor testing
    Because most IoT developers do not prioritize security, they fail to perform effective vulnerability testing to identify weaknesses in IoT systems.
  • Unpatched vulnerabilities
    Many IoT devices have unpatched vulnerabilities for many reasons, including patches not being available and difficulties accessing and installing patches.
  • Vulnerable APIs
    APIs are often used as entry points to command-and-control centers from which attacks are launched, such as SQL injection, distributed denial of service (DDoS), man-in-the-middle (MITM), and network breaches.
  • Weak passwords
    IoT devices are commonly shipped with default passwords that many users fail to change, giving cyber criminals easy access. In other cases, users create weak passwords that can be guessed.

Addressing IoT Security Challenges

A holistic approach is required to implement and manage IoT security effectively. It must encompass a variety of tactics and tools as well as take into consideration adjacent systems, such as networks.

Three key capabilities for a robust IoT security solution are the ability to:

  1. Learn
    Take advantage of security solutions that provide network visibility to learn what the ecosystem encompasses and what the risk profiles are for each group of IoT devices.
  2. Protect
    Monitor, inspect, and enforce IoT security policies commensurate with activities at different points in the infrastructure.
  3. Segment
    In the same way that networks are segmented, use segmentation based on policy groups and risk profiles to segment IoT systems.

Specific features required for securing IoT devices include the following:

  • API security
  • Broad and deep IoT device inventory
  • Continuous software updates
  • DNS filtering
  • Education and training for staff, vendors, and partners
  • Encryption for data at rest and in transit
  • Honeypot decoy programs
  • Multi-factor authentication
  • Network security
  • Network traffic monitoring and analysis
  • Password management
  • Patch management
  • Security gateways
  • Unauthorized IoT device scans

Enhance IoT Security to Realize Increased Benefits

IoT devices are increasingly being used by individuals and across the enterprise. They are not only here to stay, but proliferating exponentially in more and more forms. The result is increasing complexity, which hampers efforts to manage IoT systems security successfully.

IoT security challenges range from deflecting malicious insiders to defending against nation-state attacks. Because of the inherent vulnerability of IoT devices and the scale of their deployment, attacks continue to grow in scale and scope.

Securing IoT devices is well worth the investment despite the IoT security challenges. The value realized with IoT devices can only be increased with enhanced security to be on par with other technology. It will mitigate risks and increase rewards.

IoT Security Best Practices

The very first step in securing IoT is knowing what is connected. This includes using a device identification and discovery tool that automates three critical IoT security functions.

  1. Automatically and continuously detects, profiles, and classifies IoT devices on the network
  2. Maintains a real-time inventory of devices
  3. Provides relevant risk insights for each of these asset classes by continuously monitoring across attack vectors.

By following these industry best practices for IoT security and adopting leading-edge solutions, you can understand, manage, and secure your complete asset inventory, including IoT.
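The three functions listed above (detect and classify, maintain an inventory, surface risk per device) can be sketched as a reconciliation between what IT has approved and what is actually seen on the network. This is an added example, not part of the original page or any vendor's product; the data is constructed, and the field names, segment names, and the `default_creds` flag (assumed to come from a separate credential audit) are hypothetical.

```python
# Constructed sample: the approved asset register, keyed by lowercase MAC.
APPROVED = {
    "aa:bb:cc:00:00:01": {"cls": "camera", "fw": "2.4.1"},
    "aa:bb:cc:00:00:02": {"cls": "camera", "fw": "2.1.0"},
    "aa:bb:dd:00:00:10": {"cls": "hvac-sensor", "fw": "1.0.3"},
}
# Constructed sample: devices observed on the network (e.g. from DHCP/ARP data).
OBSERVED = [
    {"mac": "AA:BB:CC:00:00:01", "ip": "10.20.0.11", "default_creds": False},
    {"mac": "aa:bb:cc:00:00:02", "ip": "10.20.0.12", "default_creds": True},
    {"mac": "aa:bb:ee:00:00:77", "ip": "10.20.0.99", "default_creds": True},
]
# Assumed minimum patched firmware version per device class.
MIN_FW = {"camera": "2.4.0", "hvac-sensor": "1.0.3"}

def ver(s):
    """Turn '2.4.1' into (2, 4, 1) so versions compare numerically."""
    return tuple(int(p) for p in s.split("."))

def reconcile(approved, observed, min_fw):
    """Return per-device findings and approved devices that were never seen."""
    findings, seen = [], set()
    for obs in observed:
        mac = obs["mac"].lower()          # normalise before comparing
        seen.add(mac)
        rec = approved.get(mac)
        risks = []
        if rec is None:
            risks.append("unmanaged")     # deployed without IT's knowledge
        elif rec["cls"] in min_fw and ver(rec["fw"]) < ver(min_fw[rec["cls"]]):
            risks.append("unpatched-firmware")
        if obs["default_creds"]:
            risks.append("default-password")
        # Segment by policy group and risk profile.
        if rec is None:
            segment = "quarantine"
        elif risks:
            segment = "restricted-" + rec["cls"]
        else:
            segment = "iot-" + rec["cls"]
        findings.append({"mac": mac, "ip": obs["ip"],
                         "risks": risks, "segment": segment})
    return findings, sorted(set(approved) - seen)

if __name__ == "__main__":
    findings, missing = reconcile(APPROVED, OBSERVED, MIN_FW)
    for f in findings:
        print(f)
    print("approved but not observed:", missing)
```

Approved devices that never appear in the observed set are reported separately, since a stale inventory entry is as much a visibility gap as an unknown device.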

Frequently Asked Questions

What are examples of attacks on IoT systems and IoT devices?

When considering IoT security, it is important to understand the types of attacks that are commonly deployed. This informs the kind of security protocols that should be put in place. Five types of attacks directed at IoT devices are:

  1. Attacks that target communications between IoT devices and servers to compromise or steal data.
  2. Firmware vulnerability exploits that take advantage of weaknesses in an IoT device’s operating system; these are commonly known vulnerabilities, some of which cannot be patched.
  3. Credential-based attacks that use IoT devices’ default administrator usernames and passwords to gain unauthorized access.
  4. Man-in-the-middle (MITM) attacks where the attacker “sits” between two trusted entities (e.g., a sensor and the cloud where data is being sent) and intercepts unencrypted communications.
  5. Physical hardware-based attacks that focus on the chip in the IoT system to take over the device to steal data, use it as a launchpad for other attacks, or gain access to the network.

How are IoT devices used in DDoS attacks?

Some of the biggest botnet-driven DDoS attacks have used IoT devices. Because of the vulnerabilities in IoT security, cybercriminals target and take over IoT systems to quickly assemble and build botnets. With so many IoT devices easily accessible and often invisible to administrators, IoT-based DDoS attacks are much more difficult to trace and stop. The Mirai botnet, considered the largest ever, was composed primarily of IoT devices.

What is the 2020 IoT Cybersecurity Improvement Act?

Public Law 116-207, the Internet of Things Cybersecurity Improvement Act of 2020 (also known as the IoT Cybersecurity Improvement Act of 2020 or the IoT Act), passed the U.S. House and Senate with overwhelming bipartisan support and was approved on December 4, 2020. The IoT Act aims to address IoT security issues in the federal government by requiring agencies to increase IoT device security. Because of its scope, the IoT Act has had a significant impact on IoT device manufacturers by incentivizing them to secure their IoT systems. The IoT Act also directs the National Institute of Standards and Technology (NIST) to create a new set of guidelines for the use, development, patching, identification, and configuration management of IoT devices as well as reporting issues related to IoT devices. It also directs NIST to develop new standards and guidelines to regulate IoT cybersecurity. All federal agencies, vendors, and contractors who use or supply IoT systems must meet the minimum standards determined by NIST no later than December 2022.

What is California’s IoT Security Law?

California passed SB 327, known as the Internet of Things Security Law or California’s IoT Security Law, which was enacted in 2018 and went into effect on January 1, 2020. It was the first law of its kind focused on improving IoT security. The California IoT Security Law requires manufacturers to actively promote security in IoT devices. This includes:

  • Protecting the IoT device from any unauthorized attempts to access or modify the information contained within the device.
  • Providing “reasonable cybersecurity measures” that are appropriate to the nature of the IoT device and what type of information it collects.
  • Requiring authentication outside a local network using either a unique preprogrammed password or having users implement an alternate form of authentication before initial access.