With device-level security not improving fast enough, the responsibility falls upon governments and IT teams to secure the organization at scale.
The proliferation of IoT devices has enhanced connectivity and automation capabilities for businesses and consumers alike. At the same time, the increased use of IoT devices across critical industries is also raising concerns about the risks of IoT security.
With more employees working remotely, cyber adversaries now have more avenues to access and exploit sensitive business data. Any embedded security in IoT devices may also be insufficient to safeguard them.
For instance, certain IoT devices do not have sufficient storage or processing power to support the logging or cryptographic capabilities needed to protect the sensitive information they process, making them vulnerable. To make matters worse, the billions of already-deployed legacy devices cannot be retroactively designed for security and pose a significant threat to the network.
Even if an IoT device is built securely, vulnerabilities could be inserted, intentionally or otherwise, into devices from any one node within a manufacturer’s diverse supply chain, and these may not be visible when the device is shipped. Variables in real-world deployments can also lead to different risk profiles.
IoT security: three key practices
It is clearly not enough for users of IoT devices—including companies, governments and consumers—to rely solely on embedded security features.
Instead, organizations should adopt network-level IoT security based on a zero trust approach, using three key security practices.
- Firstly, organizations need full visibility of IoT devices on their network at any given time to help them understand the ‘attack surface’ and important interdependencies:
a. where IoT devices are located
b. which applications they are using
c. how they are interconnected
Once fully visible to the organization, IoT devices must be identified and assessed for risk when they connect to the network. Device visibility and identification can eliminate critical blind spots that attackers could otherwise exploit.
- In addition, organizations need to practice continuous device and risk monitoring, in order to identify abnormal behavior patterns and threats. As IoT devices are designed for a fixed set of functionalities, their intended pattern of behavior is often predictable, making it easier to monitor for abnormalities.
- Finally, the first two practices must lead to sound security policies, with organizations taking enforcement actions vis-à-vis their IoT devices in real time to thwart cyberattacks. Such policies may include network segmentation, which creates ‘least access’ zones for IoT devices by their function, reducing risk and limiting lateral movement of threats in case a device zone gets compromised.
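The three practices above, combined into one decision path as an added example (not code from the article): an inventory lookup, a learned per-device flow baseline, and a least-access zone check that together yield an enforcement decision per flow. The MAC addresses, subnets, zone names and decision labels are constructed for illustration, and a plain set of previously seen flows serves as the baseline.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data; flows are (device MAC, destination IP, destination port).
INVENTORY = {  # practice 1: every device identified and mapped to a function zone
    "aa:bb:cc:00:00:01": "camera",
    "aa:bb:cc:00:00:02": "thermostat",
}
ZONE_POLICY = {  # practice 3: least-access networks per function zone (assumed)
    "camera": [ipaddress.ip_network("10.0.5.0/24")],
    "thermostat": [ipaddress.ip_network("10.0.6.0/24")],
}
BASELINE_FLOWS = [  # traffic observed during a known-good learning window
    ("aa:bb:cc:00:00:01", "10.0.5.10", 554),
    ("aa:bb:cc:00:00:01", "10.0.5.10", 443),
    ("aa:bb:cc:00:00:02", "10.0.6.20", 8883),
]

def learn_baseline(flows):
    """Practice 2: record the (destination, port) pairs each device normally uses."""
    baseline = defaultdict(set)
    for mac, dst, port in flows:
        baseline[mac].add((dst, port))
    return baseline

def evaluate(flow, inventory, zone_policy, baseline):
    """Return an enforcement decision for one observed flow."""
    mac, dst, port = flow
    zone = inventory.get(mac)
    if zone is None:
        return "quarantine"  # unidentified device: a visibility blind spot
    addr = ipaddress.ip_address(dst)
    if not any(addr in net for net in zone_policy.get(zone, [])):
        return "block"       # leaves its least-access zone: possible lateral movement
    if (dst, port) not in baseline.get(mac, set()):
        return "alert"       # inside the zone, but outside the learned behaviour
    return "allow"

def triage(flows, inventory=INVENTORY, zone_policy=ZONE_POLICY):
    """Evaluate a batch of flows against the baseline learned from BASELINE_FLOWS."""
    baseline = learn_baseline(BASELINE_FLOWS)
    return [evaluate(f, inventory, zone_policy, baseline) for f in flows]

if __name__ == "__main__":
    observed = [
        ("aa:bb:cc:00:00:01", "10.0.5.10", 554),   # normal camera stream
        ("aa:bb:cc:00:00:01", "10.0.5.10", 23),    # new port inside the zone
        ("aa:bb:cc:00:00:01", "10.0.6.20", 8883),  # camera reaching the thermostat zone
        ("aa:bb:cc:00:00:09", "10.0.5.10", 554),   # device not in the inventory
    ]
    for flow, decision in zip(observed, triage(observed)):
        print(flow, "->", decision)
```

The order of the checks matters: an unknown device is quarantined before any policy is consulted, and a zone violation is blocked outright rather than merely alerted on.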
Prevention is better than cure
When it comes to zero-day threats, prevention is better than cure. With adversaries getting savvier than ever, the implementation of prevailing machine learning (ML) technologies has become an essential approach for IoT cybersecurity.
ML models leverage an extensive, data-driven understanding of an IoT device’s expected behavior on a network. This enables ML to easily learn patterns at scale and in real time, ultimately to automate device identification, proactively detect malicious deviations, and automatically prevent attacks.
Additionally, as more organizations extend their networks to hybrid cloud models, network-level IoT security should also leverage cloud capabilities to deliver updated controls instantly, and even scale up or down based on the computational needs necessary to counter sophisticated, automated cyberattacks.
IoT security via government mandates
Many government bodies have been exploring regulations or codes of practice to improve IoT security. These have largely focused on mandating new measures for device manufacturers to take when building or maintaining devices, and implementing device certifications or labeling schemes for consumer IoT devices.
However, as IoT devices are increasingly applied across varied use-cases, governments may also consider policies that promote network-level security in addition to embedded device security.
Governments can take the following approaches to promote effective network-level IoT security:
- Encourage businesses, government agencies and the public to take steps to have a full inventory of all IoT devices on their networks, continuously monitor those devices for anomalous behavior and threats, and take automated security policy enforcement actions vis-à-vis their IoT devices
- Promote the adoption of automated approaches to cybersecurity, specifically those that leverage machine learning
- Promote the use of the cloud and cloud-based security throughout economies
Finally, given the pervasive use of IoT across industries as well as by government agencies themselves, close public-private partnerships will be crucial to obstruct cyberattackers from exploiting vulnerabilities in IoT devices.