The prolific adoption of internet of things (IoT) technologies across industries in recent times is resulting in an agile, smarter, and more connected world. With the introduction of 5G cellular networks and high bandwidth internet access across geographies, including remote areas hitherto deprived of stable internet connectivity, the adoption of IoT devices and solutions is likely to witness unprecedented growth in the coming years.
In fact, the International Data Corporation (IDC) predicts that global IoT market revenue will reach approximately $1.1 trillion by 2025. Global IoT connections are predicted to grow at a 17% compound annual growth rate (CAGR), from approximately $7 billion to $25 billion between 2017 and 2025.
The key challenge to securing IoT
While IoT devices drive business value, they also present a particularly large attack surface because of their internet connectivity. According to research conducted by Palo Alto Networks' threat intelligence research arm, 57% of IoT devices are vulnerable to attacks of medium or high severity. In the same research, 41% of respondents said they need to make substantial improvements to the way they approach IoT security, and 17% said a complete overhaul is needed.
Securing IoT devices, and thereby reducing the cyber risk that IoT use cases introduce to an organization, requires due diligence during vendor selection, secure deployment of devices, and integrated information technology (IT) and operational technology (OT) security operations. Organizations must therefore develop a security framework for their IoT solutions that includes IoT risk management aligned with their enterprise cyber risk strategy.
Best practices for choosing an IoT solution
Organizations should expect basic security assurance from their IoT vendor. Before finalizing a vendor, an organization should evaluate the vendor's IoT solutions against essential security parameters by:
- Assessing whether the vendor's solution adheres to the organization's security policy and processes in design, development, and operations, and whether the vendor ensures its devices comply with applicable security and privacy regulations.
- Ensuring the vendor has comprehensive and transparent policies and standards for the security and privacy of the IoT solution, encompassing hardware, firmware, communication and storage of data, the application and its platform, data retention, and business continuity.
- Verifying how the vendor keeps its security policy and processes current as technology, privacy regulation, and the threat landscape change.
- Determining the vendor's ability to respond to a reported security vulnerability in hardware, firmware, or application.
- Finding out whether the vendor uses third-party or open-source firmware and hardware with minimal customization. If so, the vendor may have limited insight into the security of that hardware or firmware, and its lack of direct control over them is likely to lengthen its response time to threats or vulnerabilities.
- Ensuring the vendor provides the means to manage the security of deployed devices, including delivering security fixes or patches locally or remotely over the air (OTA) and monitoring devices for security threats.
- Ensuring security assurance of IoT devices, gateways, applications, and platforms through vulnerability assessment and penetration testing.
Common pitfalls to avoid when deploying IoT solutions
First, do not assume that IoT hardware running custom firmware or a lightweight service is immune to attacks or breaches simply because it has not been exploited yet. There have been instances where IoT devices were exploited because no proactive measures were in place to detect and fix vulnerabilities.
Second, do not rely solely on generic vulnerability scanners designed for IT systems to detect vulnerabilities in IoT devices. Instead, follow a testing methodology tailored to IoT devices and use specialized IoT tools to ensure robust IoT security.
The proactive approach to ensuring IoT security
The cybersecurity threats to IoT systems are real and on the rise. It is therefore imperative for IoT device vendors to build enhanced security features into their devices. Such features need to be consistent with the device's intended use, the perceived threat, and the impact on the business, user, or environment if the device is compromised. Furthermore, the onus of ensuring that robust cybersecurity protocols are in place also lies with government.
In February 2019, the European Telecommunications Standards Institute released the first globally applicable standard for consumer IoT security. In the US, one such measure is the Internet of Things Cybersecurity Improvement Act of 2020, which directs the National Institute of Standards and Technology to create minimum cybersecurity standards for IoT devices owned or controlled by the United States government.
Implementing and enforcing such measures would help countries across the globe foster growth and ensure seamless connectivity for a better future. However, the onus of adhering to these regulations and ensuring IoT security cannot lie with government or regulatory bodies alone. The IoT value chain is intricate, with a high degree of interdependence between all stakeholders. Every link in the chain, including the end user, the IT team, IoT vendors, and organizational stakeholders, represents a potential vulnerability, and all of them are jointly responsible for ensuring IoT security.