BACKGROUND IMAGE: iSTOCK/GETTY IMAGES

This content is part of the Essential Guide: IoT analytics guide: Understanding Internet of Things data
Definition

IoT security (internet of things security)

IoT security is the technology area concerned with safeguarding connected devices and networks in the internet of things (IoT).

IoT involves adding internet connectivity to a system of interrelated computing devices, mechanical and digital machines, objects, animals and/or people. Each "thing" is provided a unique identifier and the ability to automatically transfer data over a network. Allowing devices to connect to the internet opens them up to a number of serious vulnerabilities if they are not properly protected.

IoT security has become the subject of scrutiny after a number of high-profile incidents where a common IoT device was used to infiltrate and attack the larger network. Implementing security measures is critical to ensuring the safety of networks with IoT devices connected to them.

IoT security challenges

A number of challenges prevent the securing of IoT devices and ensuring end-to-end security in an IoT environment. Because the idea of networking appliances and other objects is relatively new, security has not always been considered top priority during a product's design phase. Additionally, because IoT is a nascent market, many product designers and manufacturers are more interested in getting their products to market quickly, rather than taking the necessary steps to build security in from the start.

A major issue cited with IoT security is the use of hardcoded or default passwords, which can lead to security breaches. Even if passwords are changed, they are often not strong enough to prevent infiltration.

Another common issue facing IoT devices is that they are often resource-constrained and do not contain the compute resources necessary to implement strong security. As such, many devices do not or cannot offer advanced security features. For example, sensors that monitor humidity or temperature cannot handle advanced encryption or other security measures. Plus, as many IoT devices are "set it and forget it" -- placed in the field or on a machine and left until end of life -- they hardly ever receive security updates or patches. From a manufacturer's viewpoint, building security in from the start can be costly, slow down development and cause the device not to function as it should.

Connecting legacy assets not inherently designed for IoT connectivity is another security challenge. Replacing legacy infrastructure with connected technology is cost-prohibitive, so many assets will be retrofitted with smart sensors. However, as legacy assets that likely have not been updated or ever had security against modern threats, the attack surface is expanded.

In terms of updates, many systems only include support for a set timeframe. For legacy and new assets, security can lapse if extra support is not added. And as many IoT devices stay in the network for many years, adding security can be challenging.

IoT security is also plagued by a lack of industry-accepted standards. While many IoT security frameworks exist, there is no single agreed-upon framework. Large companies and industry organizations may have their own specific standards, while certain segments, such as industrial IoT, have proprietary, incompatible standards from industry leaders. The variety of these standards makes it difficult to not only secure systems, but also ensure interoperability between them.

The convergence of IT and operational technology (OT) networks has created a number of challenges for security teams, especially those tasked with protecting systems and ensuring end-to-end security in areas outside their realm of expertise. A learning curve is involved, and IT teams with the proper skill sets should be put in charge of IoT security.

IoT security

Organizations must learn to view security as a shared issue, from manufacturer to service provider to end user. Manufacturers and service providers should prioritize the security and privacy of their products, and also provide encryption and authorization by default, for example. But the onus does not end there; end users must be sure to take their own precautions, including changing passwords, installing patches when available and using security software.

Notable IoT security breaches and IoT hacks

Security experts have long warned of the potential risk of large numbers of unsecured devices connected to the internet since the IoT concept first originated in the late 1990s. A number of attacks subsequently have made headlines, from refrigerators and TVs being used to send spam to hackers infiltrating baby monitors and talking to children. It is important to note that many of the IoT hacks don't target the devices themselves, but rather use IoT devices as an entry point into the larger network.

In 2010, for example, researchers revealed that the Stuxnet virus was used to physically damage Iranian centrifuges, with attacks starting in 2006 but the primary attack occurring in 2009. Often considered one of the earliest examples of an IoT attack, Stuxnet targets supervisory control and data acquisition (SCADA) systems in industrial control systems (ICS), using malware to infect instructions sent by programmable logic controllers (PLCs).

Attacks on industrial networks have only continued, with malware such as CrashOverride/Industroyer, Triton and VPNFilter targeting vulnerable OT and industrial IoT systems.

In December 2013, a researcher at enterprise security firm Proofpoint Inc. discovered the first IoT botnet. According to the researcher, more than 25% of the botnet was made up of devices other than computers, including smart TVs, baby monitors and household appliances.

In 2015, security researchers Charlie Miller and Chris Valasek executed a wireless hack on a Jeep, changing the radio station on the car's media center, turning its windshield wipers and air conditioner on, and stopping the accelerator from working. They said they could also kill the engine, engage the brakes and disable the brakes altogether. Miller and Valasek were able to infiltrate the car's network through Chrysler's in-vehicle connectivity system, Uconnect.

Mirai, one of the largest IoT botnets to date, first attacked journalist Brian Krebs' website and French web host OVH in September 2016; the attacks clocked in at 630 gigabits per second (Gbps) and 1.1 terabits per second (Tbps), respectively. The following month, domain name system (DNS) service provider Dyn's network was targeted, making a number of websites, including Amazon, Netflix, Twitter and The New York Times, unavailable for hours. The attacks infiltrated the network through consumer IoT devices, including IP cameras and routers.

A number of Mirai variants have since emerged, including Hajime, Hide 'N Seek, Masuta, PureMasuta, Wicked botnet and Okiru, among others.

In a January 2017 notice, the Food and Drug Administration (FDA) warned the embedded systems in radio frequency-enabled St. Jude Medical implantable cardiac devices, including pacemakers, defibrillators and resynchronization devices, could be vulnerable to security intrusions and attacks.

IoT security tools and legislation

Many IoT security frameworks exist, but there is no single industry-accepted standard to date. However, simply adopting an IoT security framework can help; they provide tools and checklists to help companies creating and deploying IoT devices. Such frameworks have been released by GSM Association, the IoT Security Foundation, the Industrial Internet Consortium and others.

In September 2015, the Federal Bureau of Investigation released a public service announcement, FBI Alert Number I-091015-PSA, which warned about the potential vulnerabilities of IoT devices and offered consumer protection and defense recommendations.

In August 2017, Congress introduced the IoT Cybersecurity Improvement Act, which would require any IoT device sold to the U.S. government to not use default passwords, not have known vulnerabilities and offer a mechanism to patch the devices. While aimed at those manufacturers creating devices being sold to the government, it set a baseline for security measures all manufacturers should adopt.

Also in August 2017, the Developing Innovation and Growing the Internet of Things (DIGIT) Act passed the Senate, but is still awaiting House approval. This bill would require the Department of Commerce to convene a working group and create a report on IoT, including security and privacy.

While not IoT-specific, the General Data Protection Regulation (GDPR), released in May 2018, unifies data privacy laws across the European Union. These protections extend to IoT devices and their networks and IoT device makers should take them into account.

In June 2018, Congress introduced the State of Modern Application, Research and Trends of IoT Act, or SMART IoT Act, to propose the Department of Commerce to conduct a study of the IoT industry and provide recommendations for the secure growth of IoT devices.

In September 2018, California state legislature approved SB-327 Information privacy: connected devices, a law that introduced security requirements for IoT devices sold in the country.

What industries are most vulnerable to IoT security threats?

IoT security hacks can happen in any industry, from smart home to a manufacturing plant to a connected car. The severity of impact depends greatly on the individual system, the data collected and/or the information it contains.

An attack disabling the brakes of a connected car, for example, or on a connected health device, such as an insulin pump hacked to administer too much medication to a patient, can be life-threatening. Likewise, an attack on a refrigeration system housing medicine that is monitored by an IoT system can ruin the viability of a medicine if temperatures fluctuate. Similarly, an attack on critical infrastructure -- an oil well, energy grid or water supply -- can be disastrous.

Other attacks, however, cannot be underestimated. For example, an attack against smart door locks could potentially allow a burglar to enter a smart home. Or, in other scenarios such as the 2013 Target hack or other security breaches, an attacker could pass malware through a connected system -- an HVAC system in Target's case -- to scrape personally identifiable information, wreaking havoc for those affected.

How to protect IoT systems and devices

IoT security methods vary depending on your specific IoT application and your place in the IoT ecosystem. For example, IoT manufacturers -- from product makers to semiconductor companies -- should concentrate on building security in from the start, making hardware tamper-proof, building secure hardware, ensuring secure upgrades, providing firmware updates/patches and performing dynamic testing. A solution developer's focus should be on secure software development and secure integration. For those deploying IoT systems, hardware security and authentication are critical measures. Likewise, for operators, keeping systems up to date, mitigating malware, auditing, protecting infrastructure and safeguarding credentials are key.

Common IoT security measures include:

  • Incorporating security at the design phase. IoT developers should include security at the start of any consumer-, enterprise- or industrial-based device development. Enabling security by default is critical, as well as providing the most recent operating systems and using secure hardware.
  • Hardcoded credentials should never be part of the design process. An additional measure developers can take is to require credentials be updated by a user before the device functions. If a device comes with default credentials, users should update them using a strong password or multifactor authentication or biometrics where possible.
  • PKI and digital certificates. Public key infrastructure (PKI) and 509 digital certificates play critical roles in the development of secure IoT devices, providing the trust and control needed to distribute and identify public encryption keys, secure data exchanges over networks and verify identity.
  • API security. Application performance indicator (API) security is essential to protect the integrity of data being sent from IoT devices to back-end systems and ensure only authorized devices, developers and apps communicate with APIs.
  • Identity management. Providing each device with a unique identifier is critical to understanding what the device is, how it behaves, the other devices it interacts with and the proper security measures that should be taken for that device.
  • Hardware security. Endpoint hardening includes making devices tamper-proof or tamper-evident. This is especially important when devices will be used in harsh environments or where they will not be monitored physically.
  • Strong encryption is critical to securing communication between devices. Data at rest and in transit should be secured using cryptographic algorithms. This includes the use of key lifecycle management.
  • Network security. Protecting an IoT network includes ensuring port security, disabling port forwarding and never opening ports when not needed; using antimalware, firewalls and intrusion detection system/intrusion prevention system; blocking unauthorized IP addresses; and ensuring systems are patched and up to date.
  • Network access control. NAC can help identify and inventory IoT devices connecting to a network. This will provide a baseline for tracking and monitoring devices.
  • IoT devices that need to connect directly to the internet should be segmented into their own networks and have access to enterprise network restricted. Network segments should be monitoring for anomalous activity, where action can be taken, should an issue be detected.
  • Security gateways. Acting as an intermediary between IoT devices and the network, security gateways have more processing power, memory and capabilities than the IoT devices themselves, which provides them the ability to implement features such as firewalls to ensure hackers cannot access the IoT devices they connect.
  • Patch management/continuous software updates. Providing means of updating devices and software either over network connections or through automation is critical. Having a coordinated disclosure of vulnerabilities is also important to updating devices as soon as possible. Consider end-of-life strategies as well.
  • IoT and operational system security are new to many existing security teams. It is critical to keep security staff up to date with new or unknown systems, learn new architectures and programming languages and be ready for new security challenges. C-level and cybersecurity teams should receive regular training to keep up with modern threats and security measures.
  • Integrating teams. Along with training, integrating disparate and regularly siloed teams can be useful. For example, having programing developers work with security specialists can help ensure the proper controls are added to devices during the development phase.
  • Consumer education. Consumers must be made aware of the dangers of IoT systems and provided steps they can take to stay secure, such as updating default credentials and applying software updates. Consumers can also play a role in requiring device manufacturers to create secure devices, and refusing to use those that don't meet high security standards.

With any IoT deployment, it is critical to weigh the cost of security against the risks prior to implementation.

This was last updated in October 2018

Continue Reading About IoT security (internet of things security)

Dig Deeper on Internet of Things (IoT) Security Strategy

Join the conversation

7 comments

Send me notifications when other members comment.

Please create a username to comment.

Even if you could keep track of all your IoT devices, keeping them all patched and understanding all the implications around them is impossible. Worse yet, when devices sometimes brick or lose features (such as the PS3 did) when updating, people may choose not to update. Then there is the problem of passwords -- how do you keep a different password for each device? It feels like the ideas behind IoT is about 5 years behind the bad guys and we are falling further and further behind.  A defense is one exploit from being defeated and a patch that blocks an exploit is only a holding action.
Cancel
Thanks for the Margaret. And to think we have a lot of network complexity now! To use past words of the president, it's going to "fundamentally transform" our networks and information security as we know it. I'm not convinced we're ready...hopefully we are!
Cancel
Which IoT security challenges has your enterprise faced? What tools do you use to combat them?
Cancel
What are the options presently available in the market for security in IoT devices?
Cancel
Thanks Author for such great Information and Research work Really like to appreciate it . As we all know that it is a critical issue now a days, every person in the world is traceable, and our resources could easily be exploited easily infact an immature hacker could easily access our credentials so it is recommended for all friends to remain save. Now a days NCSAM is celebrated to create awareness for cyber security in terms of IOT too. Along with, it is also recommended that we should encourage the use of VPNs for using public wifi. There are many VPN providers who provide the best services. One of them is also used by me named PureVPN. It is suggested for all to have a look on its deals for security on public wifi as well as different feattures related to sharing of resources.

https://www.purevpn.com/events/ncsam
Cancel
Thanks for share you knowledge with us. The article is informative and well explained. I am waiting to hear about more tools and technologies that you used for solve IoT security issues.
Cancel
Internet of Things (IoT) security: 9 ways you can help protect yourself
Internet of Things security focuses on protecting your internet-enabled devices that connect to each other on wireless networks. IoT security is the safety component tied to the Internet of Things, and it strives to protect IoT devices and networks against cybercrime.

What’s happening with IoT cybercrime today and tomorrow?
IoT security is a growing concern. Here’s why.

Your connected devices are data collectors. The personal information collected and stored with these devices — such as your name, age, health data, location and more — can aid criminals in stealing your identity.

At the same time, the Internet of Things is a growing trend, with a stream of new products hitting the market. But here’s the problem: When you’re connected to everything, there are more ways to access your information. That can make you an attractive target for people who want to make a profit off of your personal data.

Every connected device you own can add another privacy concern, especially since most of them connect to your smartphone.

Here’s how it works. Whether you need to check the cameras in your home, lock or unlock a door, adjust temperature or lighting, pre-heat the oven, or turn off a TV — you can do it all remotely with just a few taps on your smartphone.

But the more functionalities you add to your smartphone, the more information you store in the device. This could make smartphones and anything connected to them vulnerable to a multitude of different types of attacks.

9 security measures you can take to help secure your devices
IoT technologies pose potential dangers to your internet safety. News reports have ranged from an internet of things companies botnet taking down portions of the Internet to hackers exploiting baby monitors.

That’s why it’s a good idea to protect your digital life by securing your IoT-connected devices. Here are ten ways to do that.

Install reputable internet security software on your computers, tablets, and smartphones. For instance, Norton Security Deluxe can provide real-time protection against existing and emerging malware, including ransomware and viruses.
Use strong and unique passwords for device accounts, Wi-Fi networks, and connected devices. Don’t use common words or passwords that are easy to guess, such as “password” or “123456.”
Be aware when it comes to apps. Always make sure you read the privacy policy of the apps you use to see how they plan on using your information and more.
Do your research before you buy. Devices become smart because they collect a lot of personal data. While collecting data isn’t necessarily a bad thing, you should know about what types of data these devices collect, how it’s stored and protected, if it is shared with third parties, and the policies or protections regarding data breaches.
Know what data the device or app wants to access on your phone. If it seems unnecessary for the app’s functionality or too risky, deny permission.
Use a VPN, like Norton Secure VPN, which helps to secure the data transmitted on your home or public Wi-Fi.
Check the device manufacturer’s website regularly for firmware updates.
Use caution when using social sharing features with these apps. Social sharing features can expose information like your location and let people know when you’re not at home. Cybercriminals can use this to track your movements. That could lead to a potential cyberstalking issue or other real-world dangers.
Never leave your smartphone unattended if you’re using it in a public space. In crowded spaces, you should also consider turning off Wi-Fi or Bluetooth access if you don’t need them. Some smartphone brands allow automatic sharing with other users in close proximity.
Editorial note: Our articles provide educational information for you. Norton LifeLock offerings may not cover or protect against every type of crime, fraud, or threat we write about. Our goal is to increase awareness about cyber safety. Please review complete Terms during enrollment or setup. Remember that no one can prevent all identity theft or cybercrime, and that LifeLock does not monitor all transactions at all businesses.

Cancel

-ADS BY GOOGLE

File Extensions and File Formats

Powered by:

SearchCIO

SearchSecurity

SearchNetworking

SearchDataCenter

SearchDataManagement

Close