The Importance of Securing IoT Devices
Written by Harry Wilson
Thursday, 03 November 2022
IoT devices are usually small gadgets or appliances that perform specific tasks. As such, they are often ignored, and their significance in an organization's IT infrastructure is rarely taken into account. This should not be the case, though, considering that the IoT ecosystem is a broad and delicate attack surface that can expose organizations to serious cyberattacks.
It is understandable that programmers working on IoT gadgets can only do so much to make these interconnected devices more secure. These devices have too little processing power, RAM, and storage to integrate full-fledged security solutions. Also, it would be highly inefficient to equip each of the multitude of IoT devices in use with cybersecurity applications. Statista projects that there will be nearly 31 billion IoT devices worldwide by 2025.
Still, where there’s a will, there’s a way. Cybersecurity teams can always find ways to implement security measures that address IoT, and government regulators can impose rules to minimize attack success rates. It is important to recognize how serious the threats to IoT are and to look for the best possible ways to secure the Internet of Things.
The importance of IoT security
IoT security is indubitably essential due to the growing reliance of businesses and other organizations on IoT devices. These devices are used to keep track of resource usage, automate data collection, perform HR functions, manage supply chains, and serve various other purposes. In particular, IoT security is essential for large enterprises, industrial organizations, healthcare facilities, and device manufacturers. These organizations are among the top targets of IoT attacks, which numbered 1.5 billion in the first half of 2021.
Many organizations tend to install and forget these devices, failing to realize that they broaden their cyberattack surface significantly and result in greater cyber risk exposure. A study by the Ponemon Institute reveals that less than 25 percent of organizations are confident that they have adequately secured their IoT devices.
IoT attacks are not that different from other kinds of cyberattacks. They result in significant damage to organizations. A 2021 study estimates that an attack on IoT devices costs around $300,000. However, the actual cost likely approximates the overall costs of other cyberattacks when the IoT attack is used as a method to gain access to an organization’s network to steal data or introduce viruses, spyware, ransomware, and other malicious software.
Significant responses to IoT threats
How important is IoT security? The United States government’s action regarding it can be a good gauge. The US treats IoT attacks as a major concern, as evidenced by the passing of the IoT Cybersecurity Improvement Act of 2020, which seeks to set minimum security standards for IoT devices owned or controlled by the Federal Government. The law acknowledges the risks posed by IoT products and heightens the US government’s vigilance regarding IoT security.
Also, the White House recently unveiled plans to implement an IoT security labeling program for connected device manufacturers, industry groups, and web-enabled device retailers. This program is similar to the Energy Star labeling system. It provides consumers with useful information on the security of the web-enabled devices available to them.
The European Union also has similar plans. The proposed EU Cyber Resilience Act includes a portion aimed at boosting the security of smart and connected devices. The planned law would require device makers to provide ongoing security support and updates. Also, it is set to require device manufacturers to provide consumers with sufficient and accurate security information before and after purchase.
The United Kingdom also has a similar legislative proposal called the Product Security and Telecommunications Infrastructure (PSTI) Bill. It builds upon the best practices set in the Code of Practice for Consumer IoT Security. The law applies to device manufacturers, importers, and retailers.
How developers can help
The passage of laws designed to enhance IoT security is a welcome development, as it compels IoT device makers to share the burden of keeping the IoT ecosystem secure. There are three major approaches to IoT security, namely network security, embedded security (through “nanoagents” that provide on-device protection), and firmware security.
The first approach is mainly a user responsibility, while the second and third are shared responsibilities between the user and device manufacturer. Embedded security can be pre-installed by the device maker or added by the cybersecurity and dev team of the organization using the device. The firmware needs to be kept secure by the device maker, but the user also has the obligation to scan it for vulnerabilities and ascertain that it is updated to the latest version.
However, it is worth focusing on the role of developers (responsible for the software in IoT devices), because they can indeed contribute to better IoT security. Aside from ascertaining firmware security, they can help make it easy to integrate devices with different operating systems, especially in view of cybersecurity platforms that consolidate security data from different security controls. Additionally, developers can work on light apps for IoT devices to implement security functions, especially to ensure secure booting, access control, and firmware update management.
Many of the security weaknesses in IoT devices can be addressed with the help of developers. The problem is that they are not being forced to prioritize security. Many device manufacturers do not pay attention to software-driven security and focus on producing and selling as many products as possible. Some unscrupulous companies even instruct their developers to simply use and slightly tweak freely available open source software.
“Many key security protections are missing as of now. These include strong authentication to devices and networks to make sure only authorized individuals can get data, as well as encryption of data at rest and in transit,” says Jason Sabin, CSO of SSL certificate provider DigiCert. Sabin also laments how many devices have not been built with firmware that can be updated to address emerging and evolving threats.
Clear evidence of this issue is the prevalence of so-called smart appliances and web-enabled devices that automatically connect to the nearest Bluetooth devices. Cheap “smart” and IoT devices with zero security sense have been flooding markets worldwide.
Some IoT manufacturers like Dell, ARM, Microsoft, and Bosch have been collaborating to create IoT platforms that enable devices to “speak a common language,” interoperate, and become secure through common digital authentication and encryption systems. However, most others have not followed suit.
The problem of IoT security is not an easy one to solve. It requires a holistic solution and collaboration among players in the IoT market. Businesses in the IoT market need to accept the need to secure devices, and invest in decent firmware development or mindful open source use.
Developers can produce quality open source IoT frameworks for device makers to freely use, but such an effort will not convince manufacturers to prioritize security. Fortunately, governments are now acknowledging the IoT security challenge, and relevant laws are already being crafted. Hopefully, the rest of the world will become more aware of the IoT security concern and undertake the necessary solutions.