Internet of Things (IoT) technology is becoming much more common, with the number of connected devices expected to hit 55 billion by 2025, up from 9 billion in 2017. It is also estimated that there will be almost $15 trillion in aggregate IoT investment between 2017 and 2025.
More of this money is being directed towards IoT security as cyber attacks against IoT devices continue to escalate. Gartner estimated that global spending on IoT security will increase to $1.5 billion in 2018, representing a 28 percent increase from the previous year. The research also found that IoT security spending will continue to see a rise, hitting an estimated $3.1 billion by 2021.
IoT security definitely deserves this increased attention. Attacks such as the Target data breach and Mirai botnet have shown that it is all too easy for vulnerabilities in IoT devices—and the networks connecting them—to be exploited.
Apples to oranges: IoT security versus PC security
There are some similarities between IoT security and the traditional PC security we are more accustomed to. What they have in common is not pretty: security is often an afterthought in the development process for many IoT devices. The same can be said for a majority of hardware and software development projects. And, of course, this leaves your devices and applications open to attack.
Much of security is hardware-centric. Attempting to incorporate security features near the end of development is far more difficult when hardware is involved, which makes it that much more tempting to skimp on security or dumb it down. Security should be integrated into the design and development process from day one, so you create a secure product that has the necessary features for a safe deployment.
The main difference between IoT and PC security involves the network. With PC networks, software is placed on a computer that (hopefully) already has security and antivirus software installed. By contrast, IoT devices are typically deployed onto unsecured networks. This places a heavier burden on the IoT device itself to provide the necessary security functionality.
There are also physical restrictions on IoT devices, which can create security blind spots. IoT devices usually have low computing power and small memory capacity. This forces developers to pick and choose which security capabilities to build in.
If you’re building a $10 sensor for a smart thermostat, developers will be extremely limited in the security hardware they can add while keeping the price within a reasonable range. This battle between functionality and security often forces security to take a back seat.
The main culprits: The top two IoT security issues
IoT is a prime target for cyber attacks since so many of the devices do not have proper security measures built in. A Symantec report showed a 600 percent increase in IoT attacks between 2016 and 2017. The two most prevalent IoT attack methods are:
1. Ransomware
IoT devices are attacked in a way that prevents them from being used properly. The attacker demands a ransom from the owner (be it a company or an individual) in payment for releasing the device.
Ransomware is becoming more common among smaller companies, and even individual homes. An attacker can enable a camera on a home laptop, for example, to record a private event and demand a ransom to destroy the video.
2. Attacks on cryptocurrency
Cryptocurrencies, such as Bitcoin, use Blockchain technology to operate. Many people believe Blockchain technology is unhackable, giving people a false sense of security. This is not the case.
In fact, attackers frequently target software that is running the Blockchain network, wreaking havoc in two ways:
- Flooding the network with extra coin to devalue the currency.
- Cryptomining attacks (also known as cryptojacking). “Miners” are software that use special algorithms to mine for coin. An attacker can gain access to someone else’s mining software and reroute currency to their own account.
For more information on Blockchain technology, consult this resource.
Protection is golden: Six IoT security solutions
1. IoT authentication
Authentication can range from a simple username and password to a more complex two-factor verification process. IoT authentication is often done through embedded sensors, removing human interaction from the process.
There are many secure IoT authentication methods that are easy to implement. But many, such as Secure Boot and Trusted Platform Module (TPM), require more powerful hardware or special chips.
These capabilities increase the cost of your product, although the risk they eliminate makes them worth the investment. A cheaper product that is easily attacked will cost your business more money in terms of lost customers, legal fees, and a tarnished reputation. A more secure device can be marketed as such, educating buyers about the dangers of the cheaper, less secure alternatives.
2. IoT encryption
Encrypting data between IoT devices and back-end systems keeps data safe from attackers. Encryption, like authentication, requires more computing power. It is worth the extra cost to add more security to your IoT device.
3. IoT network security
The network that connects IoT devices to back-end systems must be secure. IoT devices are often placed on less secure networks that do not provide enterprise-level protection.
There are usually other IoT devices on the same networks, creating security vulnerabilities. One device may be used as a pivot point to get into the network. This is what happened in the case of Target. The HVAC system was on the same network as the Point of Sale system. Attackers were able to get into the POS system through the less secure HVAC system, exposing sensitive customer data.
IoT network security demands in-depth attention, during both design and deployment. Developers need to create more secure IoT devices, but deployment cannot be based on the assumption that the device is secure.
Deployment should actually be based on the understanding that the device may not have been developed in the safest manner. Firewalls and intrusion detection and prevention systems should be used to create a secure IoT network.
If the device is successfully attacked, it should not be able to compromise the entire network. This is how you obtain in-depth, compartmentalized security.
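The compartmentalization described above can be checked from flow logs. The following is an added example, not part of the original article: it flags any connection that originates in the IoT segment and is not on an explicit allow list, such as an HVAC controller reaching a point-of-sale host. The subnets, the allowed MQTT-over-TLS flow, and the flow records are all constructed assumptions.

```python
import ipaddress

# Constructed segment map (assumption): which subnet holds which class of system.
SEGMENTS = {
    "iot": ipaddress.ip_network("10.20.0.0/24"),   # HVAC controllers, sensors
    "pos": ipaddress.ip_network("10.30.0.0/24"),   # point-of-sale terminals
    "corp": ipaddress.ip_network("10.40.0.0/24"),  # back-end systems
}

# The only flows IoT devices may originate: (destination segment, port).
IOT_ALLOWED = {("corp", 8883)}  # assumption: MQTT over TLS to a back-end broker

# Constructed flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.20.0.15", "10.40.0.5", 8883),   # sensor -> broker, expected
    ("10.20.0.15", "10.30.0.7", 445),    # HVAC -> POS, crosses into POS segment
    ("10.40.0.9", "10.30.0.7", 443),     # corp -> POS, not IoT-originated
    ("10.20.0.22", "10.20.0.15", 23),    # IoT -> IoT lateral connection
    ("10.20.0.22", "203.0.113.50", 80),  # IoT -> address outside all segments
]

def segment_of(ip):
    """Return the name of the segment containing ip, or 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"

def audit_flows(flows):
    """Return one alert per IoT-originated flow that is not explicitly allowed."""
    alerts = []
    for src, dst, port in flows:
        src_seg, dst_seg = segment_of(src), segment_of(dst)
        if src_seg != "iot":
            continue  # this audit only covers traffic leaving IoT devices
        if (dst_seg, port) in IOT_ALLOWED:
            continue
        alerts.append({"src": src, "dst": dst, "port": port, "dst_segment": dst_seg})
    return alerts

if __name__ == "__main__":
    for alert in audit_flows(SAMPLE_FLOWS):
        print("ALERT", alert)
```

Treating everything outside the allow list as an alert matches the deployment stance above: the device is assumed to be potentially insecure, so any flow it was not designed to make is worth a look.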
4. IoT PKI
Public Key Infrastructure (PKI) uses digital certificates to provide authentication via a third party. As cloud-based communications and data storage continue to rise, more data is traveling between the cloud and IoT devices.
PKI is needed to make sure the data is encrypted properly. Once again, it is worth the investment for quality security.
5. IoT security analytics
IoT security analytics involves thinking about not only how you will create a secure device, but how you will monitor it and fix it when something goes wrong. This is starting to get more attention at the enterprise level, but it needs to trickle down to commercial devices.
More exploits could be avoided if a greater focus were placed on IoT security analytics. We expect this area to grow in the coming years. Developers need to build in the ability to monitor security so that an alert is generated when something goes awry. Alerts and reports can help developers correct issues and prevent them from happening in the future.
6. IoT API security
Representational State Transfer (REST) APIs connect devices to the internet. APIs are another way for an attacker to connect to your device and access data.
Only authorized devices and applications should be communicating with APIs. An attack (or even a potential threat) needs to be detected immediately. Authentication, encryption, and PKI can all be used to enhance API security.
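One way an API back end can accept requests only from provisioned devices, shown as an added example that is not from the original article. It uses a per-device shared key with HMAC-SHA256 in place of the certificate-based PKI mentioned above, which is an assumption made to keep the example self-contained; the device ID, key, and skew window are constructed. Each rejection carries a reason so it can be logged and alerted on.

```python
import hashlib
import hmac

# Constructed registry of provisioned devices and their keys (assumption).
DEVICE_KEYS = {"thermostat-01": b"constructed-demo-key-01"}
MAX_SKEW_SECONDS = 300  # requests older or newer than this are rejected

def sign_request(key, device_id, timestamp, body):
    """Device side: sign the device ID, timestamp, and body together."""
    msg = f"{device_id}\n{timestamp}\n".encode() + body
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def verify_request(device_id, timestamp, body, signature, now):
    """Server side: return (accepted, reason) for one incoming request."""
    key = DEVICE_KEYS.get(device_id)
    if key is None:
        return False, "unknown device"
    # A captured request cannot be replayed once it leaves the skew window.
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    expected = sign_request(key, device_id, timestamp, body)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return False, "bad signature"
    return True, "ok"

if __name__ == "__main__":
    body = b'{"temp_c": 21.5}'
    sig = sign_request(DEVICE_KEYS["thermostat-01"], "thermostat-01", 1000, body)
    print(verify_request("thermostat-01", 1000, body, sig, now=1010))
    print(verify_request("thermostat-01", 1000, b'{"temp_c": 99}', sig, now=1010))
    print(verify_request("camera-99", 1000, body, sig, now=1010))
```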
Tips for IoT device security
The Online Trust Alliance (OTA) is an Internet Society initiative dedicated to improving online trust and user empowerment through best practices relating to ethics, privacy, and data.
OTA developed a checklist to help enterprises more securely manage consumer IoT devices. Key takeaways are:
- Change all passwords to strong passwords and use multi-factor authentication where possible.
- Place IoT devices on a separate network that is firewalled and monitored.
- Disable unnecessary functionality, such as cameras.
- Encrypt data that is being transferred when possible.
- Update firmware and software automatically, or monthly.
The full checklist is available here.
The best protection is prevention. Make security an important part of the design, development, and deployment process so your IoT devices and networks are secure from the start. If your internal team is not well equipped to handle IoT security issues, work with outside experts. This investment will show a strong return, as device security translates to increased revenue and a solid reputation in the marketplace.