The IoT is growing at extraordinary pace. Gartner has forecast that the number of IoT endpoints worldwide will grow to 5.8 billion this year, a 21% increase from 2019. From behind-the-scenes applications in manufacturing, utilities, transport, retail and myriad other sectors, to consumer-facing applications such as fitness trackers and health wearables, the IoT is touching almost every business sector on the planet.
And with growing numbers of connected endpoints comes a growing risk of cyberattack. IoT devices offer cybercriminals a vastly increased number of potential points of vulnerability, whether for stealing data directly, for gaining access to a wider organisational network, or simply for causing widespread damage and disruption. Forbes estimated that data breaches exposed 4.1 billion records in the first six months of 2019, a truly extraordinary figure, and security researchers from F-Secure found that the major increase in cyberattack traffic throughout this period was largely due to IoT-related traffic.
All this means that if you are undertaking a new IoT project – whether you are developing new IoT products or services, or deploying a system of IoT devices throughout your own organisation – integrating robust security from the ground up is absolutely essential. But how to achieve this?
IoT security: trends and predictions
First, let’s take a closer look at the broader concept of IoT security, and consider some of the major trends which are preoccupying security managers’ thoughts.
5G is a powerful example. As deployments continue throughout 2020, it is likely that specialised cyberattacks will follow. The more mainstream the protocol becomes, the greater the volume of sensors and devices which will be connected via that protocol – particularly when it comes to smart city ecosystems. Could this offer cybercriminals the means to paralyse whole neighbourhoods or city services? Time will tell, but it is worth underlining that 5G, like other wireless connectivity protocols, can be particularly vulnerable to distributed denial of service (DDoS) attacks.
Another significant area of IoT security concern is smart building security. Given that smart buildings account for a significant proportion of overall IoT endpoints, it is no surprise that they are a tempting target for cybercriminals. Furthermore, the large number of different vendors and manufacturers involved in a typical smart building can introduce specific challenges in relation to ensuring the security of third-party suppliers. In 2013, Target lost 40 million credit card numbers thanks to a cyberattack which targeted its refrigeration contractor – such events could become far more common in the smart building era.
Principles of IoT security
What, then, are the core principles for integrating security into your IoT project?
Secure by design
It’s a well-established principle outside of the IoT world, but worth underlining again here. Contrary to what you might expect, a secure by design approach was not always top of the agenda for IoT developers and designers. Mindsets are changing, particularly when it comes to considering the entire lifecycle of IoT devices and sensors, and the provisioning of accessible updates. Whether you are developing or deploying IoT products, a secure by design approach should be at the forefront of your mind.
IoT cybersecurity starts with trusted identity. That is, it starts with being able to identify every device, service and user across an IoT network, and being sure that they are who they claim to be. This might sound obvious or straightforward, but given the extraordinary scale and complexity of typical IoT deployments, it is a challenging proposition. Organisations like Device Authority are completely rethinking how identity works in the IoT era, building solutions which enable the secure registration and provisioning of IoT devices at scale.
Data encryption in transit and in storage
As we have discussed previously, the IoT is fundamentally all about data – generating it, analysing it, turning it into tangible insights and harnessing it. That means that a huge amount of information is being transmitted throughout a typical IoT ecosystem, both between endpoint devices, and to and from centralised analytics platforms.
It is therefore essential that this data is encrypted throughout those journeys, using industry-standard, peer-reviewed cryptographic functions. From the moment of creation, throughout every journey and at any points where it sits in storage, data must be protected with robust encryption.
Patch devices automatically over-the-air
A critical aspect of any element of IT security is the upgrade and repair of hardware and software as new vulnerabilities are discovered or as bad actors develop new tools and techniques. Patching was already a logistical challenge before the IoT era – the vastly increased number of endpoint devices introduced by the IoT means that an entirely different approach needs to be taken.
Once an IoT device reaches the field, there absolutely must be a secure update mechanism in place. That is, the device must receive a cryptographically signed update from the vendor when an upgrade is due, and it must check the signature of the update before installing it, to ensure that the update is valid and truly from that vendor. From there, the update must be applied automatically over the air, with no manual interaction required from end users.
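The check described above, written out as an added example (not code from the original article or from any vendor it mentions): a hypothetical minimal update format in which the vendor signs a header binding the version number to the SHA-256 digest of the firmware payload with an Ed25519 key, and the device verifies that signature under its pinned copy of the vendor public key and refuses rollbacks before applying anything. The key pair and payload are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdatePackage: hypothetical minimal format, firmware payload plus a vendor signature over version||digest.
type UpdatePackage struct {
	Version   uint32
	Payload   []byte
	Signature []byte
}

// signedHeader is what the vendor signs: big-endian version || SHA-256(payload).
func signedHeader(version uint32, payload []byte) []byte {
	digest := sha256.Sum256(payload)
	hdr := make([]byte, 4, 4+len(digest))
	binary.BigEndian.PutUint32(hdr, version)
	return append(hdr, digest[:]...)
}

// SignUpdate is the vendor-side step: sign the header with the vendor's Ed25519 private key.
func SignUpdate(vendorPriv ed25519.PrivateKey, version uint32, payload []byte) UpdatePackage {
	return UpdatePackage{Version: version, Payload: payload, Signature: ed25519.Sign(vendorPriv, signedHeader(version, payload))}
}

// VerifyUpdate is the device-side check, run before anything is written to flash: the signature must
// verify under the pinned vendor key, and the version must be newer than what is installed (no replay of old images).
func VerifyUpdate(vendorPub ed25519.PublicKey, installed uint32, pkg UpdatePackage) error {
	if !ed25519.Verify(vendorPub, signedHeader(pkg.Version, pkg.Payload), pkg.Signature) {
		return errors.New("rejected: bad signature (not from vendor, or image modified)")
	}
	if pkg.Version <= installed {
		return errors.New("rejected: version is not newer than the installed firmware")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // throwaway vendor key pair (constructed demo)
	pkg := SignUpdate(priv, 2, []byte("constructed firmware image v2"))
	fmt.Println("genuine v2 over v1:", VerifyUpdate(pub, 1, pkg))
	pkg.Payload[0] ^= 0xff // simulate tampering in transit
	fmt.Println("tampered v2 over v1:", VerifyUpdate(pub, 1, pkg))
}
```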
Manage and update open-source software
A related point is the management and updating of any open-source software which underpins your IoT project. Unless every element of the project has been custom-written, you need to keep up to speed with the vulnerabilities identified in its open-source components, and ensure that someone has responsibility for updating your software, testing the integration, and re-assessing risk each time a vulnerability is published.
Pay careful attention to web applications
Most IoT devices are administered using web applications – which means, in turn, that any security vulnerabilities associated with those applications are carried over to the IoT deployment. Your developers should use vetted frameworks for all web development.
Integrating IoT security from the outset
Above all, IoT projects, whether brand-new design and development projects or deployments of existing technology, need to consider security from the ground up. IoT security is not something which can be added on at the end of a project, or outsourced to an entirely separate individual or team. It needs to be thoroughly integrated into the project from day one, revisited throughout, assessed at the end and then re-considered on an ongoing basis.
The threat landscape around the Internet of Things is extraordinarily dynamic. Cybercriminals and vandals have been quick to understand that the enormous increase in the number of connected devices worldwide, as well as the number of third parties involved in a typical organisation’s infrastructure, offer them a wealth of new opportunities for vandalism, theft, infiltration and ransom. No matter what part of the IoT your organisation is involved with – whether you are offering new connected products and services to market, or using other businesses’ IoT products to drive efficiencies and innovation in your own operation – security should be a critical concern.