Best practices for IoT security

The Internet of Things (IoT) is projected to grow significantly over the coming years. Research firm Gartner Inc. has estimated that 8.4 billion connected things were in use worldwide in 2017, up 31% from 2016, and expects the number to reach 20.4 billion by 2020.

This growth is being driven by the promise of increased insight, enhanced customer satisfaction, and greater efficiency. These benefits are made possible as sensor data from devices and the power of Internet-based cloud services converge. One of the key concerns related to the successful adoption of the IoT is having sufficiently strong security mechanisms in place throughout the ecosystem—to mitigate the increased security risks of connecting devices to the Internet.

Consider the sheer number of IoT devices that will be connected to the Internet and how much data will be generated by those devices. By 2025, the IoT is projected to have 75.44 billion connected devices. By that time, nearly a quarter of the world’s projected 163 zettabytes of data will have been created in real-time and 95% of those data will have been created by IoT devices.

The IoT is expected to have a staggering economic impact, as much as $8.9 trillion by 2020. Couple that with the rapidly evolving cyber-threat landscape, and it’s easy to understand why many experts are as concerned about the risks as they are enthusiastic about benefits of the IoT.

Making matters worse is the fact that cybercriminals are incentivized to figure out new and more insidious ways to hack into even the most benign devices because they can provide a convenient gateway to more valuable systems. Your connected rice-cooker might not, at first-blush, appear to present much of a threat to the security of your home if it is compromised by an outside party. But if it can act as a gateway to more important devices on your network it might actually represent your most significant security vulnerability.

Of course, the stakes are exponentially higher for industrial IoT (IIoT). From global manufacturing operations to national power generation and distribution infrastructures, connected devices can dramatically increase operational risk. The recent revelation that Russian hackers penetrated the control systems of U.S. power plants dramatically underscores the need for extreme vigilance.

Fortunately, cybersecurity remains top of mind for companies dabbling with IoT and IIoT or considering such a move. A recent survey by research firm 451 Research found that security continues to be a major concern for IT professionals when deploying IoT projects within their organizations. The firm surveyed more than 600 IT decision-makers worldwide online and supplemented its research with in-depth phone-based interviews.

When asked to rank which technologies or processes their organizations considered for current or planned IoT initiatives, 55% of the survey respondents ranked IoT security as their top priority. Enterprises value security capabilities as the number one reason for choosing a commercial IoT platform, with 58% of survey respondents ranking it the top attribute in choosing a vendor partner.

The nature of IoT deployments make them particularly difficult to secure against cyber threats, the report says. As industrial equipment is increasingly connected to the Internet for data collection and analysis, enterprises open themselves up to the sophisticated world of security intrusions.

According to 451 Research analysts, some business leaders have stayed on the sidelines of IoT because they think the risks are still too high against potential returns. But for those that do initiate IoT projects, security must be a top priority.

To ensure strong security for IoT and IIoT, organizations would be wise to implement several best practices, as recommended by IEEE in a 2017 report.

Device security

One is to secure the devices themselves. Some devices or pieces of equipment might operate continuously unattended, and therefore not subject to the security implied by frequent, direct observation. Making these devices tamper-proof or tamper-evident might be advantageous because this type of endpoint hardening can help block potential intruders from reaching data, the report says. It might also defend against a hacker or other cybercriminal buying and then weaponizing devices.

As a best practice, secure endpoint hardening likely means deploying a layered approach that requires attackers to circumvent multiple obstacles designed to protect the device and its data from unauthorized access and use. Companies should protect known vulnerabilities, such as open TCP/UDP ports, open serial ports, open password prompts, places to inject code such as web servers, unencrypted communications, and radio connections.

Another good practice to protect devices is to upgrade them or deploy security patches as needed. But keep in mind that many device vendors are not focused on security when building and selling devices. As the study notes, many IoT devices are unpatchable, and as such, cannot be made secure. Before investing in devices that will be connected via IIoT, evaluate the security capabilities of the devices, and ensure that the vendors have subjected devices to thorough testing for security.

It is also critical to carefully manage the identities of IoT devices to ensure trust when devices attempt to attach to a network or service. Public key infrastructure (PKI) and digital certificates provide a secure underpinning for device identity and trust.

Network security

In addition to devices, companies need to ensure that the networks they use for IoT and IIoT are secure. This includes the use of strong user authentication and access control mechanisms to make sure only authorized users can gain access to networks and data.

Passwords must be sophisticated enough to resist educated guessing and so-called brute force methods, IEEE notes. Wherever possible organizations should use two-factor authentication (2FA), which requires users to enter a password as well as use another authentication factor such as a random code generated via SMS text messaging.

For IoT applications, it’s a good idea to use context-aware authentication (or adaptive authentication). This involves the use of contextual information and machine-learning algorithms to constantly evaluate risks without impacting the user’s experience.

The use of strong encryption to secure protocols is another good network security practices. Any communications between devices can potentially be hacked, and both IoT and IIoT involve a multitude of network protocols used at various layers. The use of both network layer and transport layer encryption can provide multiple obstacles to network-based attacks.

Protecting the data

Companies also need to secure the IoT and IIoT data itself. Many connected devices will be storing and transmitting sensitive, personally identifiable information, and this data needs to be strongly protected. Companies that fail to protect this data may not only face adverse business impact, but also regulatory penalties. Application and user data should be encrypted both in-flight and at-rest.

Good security also means having strong security operations policies in place as well as comprehensive training programs for anyone who is or will be involved in the IoT/IIoT environment. Granular audit trails, endpoint anomaly detection, and a responsive forensic security capability are also critical elements to ensuring that any breach is detected, and effective and timely remedial steps are taken before contagion spreads.

Much of this may seem like common sense cyber security protocol, but many organizations lack the resources and discipline to implement these measures effectively. Given the massive scope and breadth of these highly connected infrastructures, organizations will need to bring their security programs to a whole new level in order to prepare to reap the benefits of the IoT.