Device-level security: how to balance security with the cost and complexity of manufacturing devices

21 December 2020

Increasingly, smart devices are making their way into our homes. These may be fridges, thermometers, cameras or speakers. As a result, a staggering 7.0 billion IoT devices are expected to be in the world by the end of 2020. Yet, while IoT technology introduces convenience and benefit to our everyday lives, the devices also make us more vulnerable to cyber criminals.

As IoT technology and its areas of application advance, cyber-attacks are also becoming increasingly sophisticated. Unfortunately for those of us living in smart homes, IoT devices are a hacker’s top target: they expose many points of access, and their internal vulnerabilities are often open to exploitation.

To help protect end-users and their data, manufacturers need to implement a number of measures aimed at optimizing device level security.

Recognising key threats

Almost 70% of the IoT devices and deployments in the world today have not been designed with security at their core. This poses a problem, particularly because the firmware, default credentials, operating systems, connectivity options and application update processes can be an easy target for hackers. Hackers have been shown to use these vulnerabilities as access points to spread malware.

As a result, the number of attacks relating to IoT has increased significantly over the last few years. In fact, it has been reported that cyber-attacks on IoT devices surged by 300% in 2019 alone, equalling a total of more than 2.9 billion events. Most of these attacks involved devices or systems being compromised through nefarious activities such as eavesdropping, interception or hijacking. Poor coding practice and the use of insecure code libraries are also among the most common threats, ultimately enabling hacking and malware incidents.

Optimising device-level security

With few solutions available that deliver fully secure end-to-end device security, including code signing of firmware, the onus lies on the IoT device manufacturer to incorporate security – and it is vital that organisations confirm the manufacturer has done so before moving ahead with purchase or implementation. The main areas of focus should be basic cyber hygiene: secure credentials, X.509 device certificates, signed firmware updates, zero-trust networking and data security. IoT devices and their associated networks should also be assessed for vulnerabilities at a regular cadence to stay ahead of the threat curve.

Further, connected devices are only as valuable as the operating systems and applications that they execute. Keeping this purpose in mind, businesses can work with consulting firms to architect IoT security in every layer of the technology stack – from the device to the application to the cloud – and create processes that protect data flows from devices, assets, products and places into the cloud.

Striking the right balance with security, cost and complexity

To find balance between security, cost and complexity, it is important that organisations and their IT teams follow some best practice guidelines, including:

1. Ensure you have visibility of the supply chain and external dependencies that are involved in the manufacturing process of IoT device development.
2. Understand the people, processes, and technology that comprise the operational environment.
3. Understand the topology, network and wireless connection points, and connected devices and assets.
4. Identify the key processes and data that need to be protected.
5. Segment the IoT/IT environments to contain and prevent lateral movements.
6. Incorporate secure user stories, threat modelling, secure coding and testing in your DevSecOps cycle.
7. Focus on basic cyber hygiene such as strong credentials, secure protocols, device certificates, IAM, firmware and patch management.
8. Leverage platforms for monitoring through AI and machine learning to track abnormal, suspicious patterns in device, network, data storage and the cloud.
9. Watch critical processes and data for firmware and configuration changes outside the proper change control process.
10. Create and socialise an IoT incident response plan.
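The code signing and firmware-update point raised under "Optimising device-level security", and items 7 and 9 above (firmware and patch management; detecting firmware changes outside change control), come down to one mechanism on the device: refuse to install any image that the manufacturer did not sign, and refuse to go backwards in version. The following is an added example, not code from the article or from any vendor. It uses Go's standard-library Ed25519 and assumes a made-up image layout (a "FWUP" magic, a big-endian version number, the payload, then a 64-byte signature over everything before it); a real product would pin the public key in ROM or OTP, not hold it in a struct.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed image layout (illustrative, not a real vendor format):
//   "FWUP" (4 bytes) | version uint32 big-endian | payload | Ed25519 signature (64 bytes)
// The signature covers magic + version + payload, so the version is protected too.
const magic = "FWUP"
const sigLen = ed25519.SignatureSize

var (
	ErrBadMagic = errors.New("not a firmware image")
	ErrBadSig   = errors.New("signature verification failed")
	ErrRollback = errors.New("version is not newer than installed firmware")
)

// SignFirmware is the manufacturer's build-server side: the private key stays there.
func SignFirmware(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	hdr := make([]byte, 8)
	copy(hdr, magic)
	binary.BigEndian.PutUint32(hdr[4:], version)
	body := append(hdr, payload...)
	sig := ed25519.Sign(priv, body)
	return append(body, sig...)
}

// Device models the verifier side: the vendor public key provisioned at the
// factory and the version currently installed (used for anti-rollback).
type Device struct {
	VendorPub ed25519.PublicKey
	Installed uint32
}

// VerifyAndParse checks the magic, then the signature, then anti-rollback.
// The signature is checked before anything in the image is trusted, including
// the version field, so an attacker cannot influence the decision with an
// unsigned header.
func (d *Device) VerifyAndParse(img []byte) (uint32, []byte, error) {
	if len(img) < 8+sigLen || string(img[:4]) != magic {
		return 0, nil, ErrBadMagic
	}
	body, sig := img[:len(img)-sigLen], img[len(img)-sigLen:]
	if !ed25519.Verify(d.VendorPub, body, sig) {
		return 0, nil, ErrBadSig
	}
	version := binary.BigEndian.Uint32(body[4:8])
	if version <= d.Installed {
		return 0, nil, ErrRollback
	}
	return version, body[8:], nil
}

// Apply installs the image only if every check passes; on any error the
// installed version is left unchanged.
func (d *Device) Apply(img []byte) error {
	v, _, err := d.VerifyAndParse(img)
	if err != nil {
		return err
	}
	d.Installed = v
	return nil
}

func main() {
	// Constructed keys and payloads for the demonstration only.
	pub, priv, _ := ed25519.GenerateKey(nil)
	dev := &Device{VendorPub: pub, Installed: 4}

	good := SignFirmware(priv, 5, []byte("constructed firmware payload v5"))
	fmt.Println("genuine v5:     ", dev.Apply(good))

	tampered := append([]byte{}, good...)
	tampered[12] ^= 0xff // flip one payload byte after signing
	fmt.Println("tampered image: ", dev.Apply(tampered))

	old := SignFirmware(priv, 3, []byte("old build"))
	fmt.Println("downgrade to v3:", dev.Apply(old))

	_, attackerPriv, _ := ed25519.GenerateKey(nil)
	forged := SignFirmware(attackerPriv, 6, []byte("malware"))
	fmt.Println("attacker-signed:", dev.Apply(forged))
}
```

The same verifier can serve item 9: if the running image's signature or version no longer matches what the device recorded at boot, the change did not come through the signed release process and should be reported rather than silently accepted.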

All too often, security decisions rely simply on experience and expert advice rather than a structured ‘secure by design’ approach. Building a measurement-oriented security culture, conducting thorough cost-benefit analysis and moving to a more advanced, continually evolving AI/ML-based platform is a key way to balance cost, compliance and security coverage.

Working toward a more secure future

We, as consumers, should relish the advantages and convenience that IoT devices are bringing to our lives. However, while cyber actors are still at large and becoming more ambitious in their attack methods and victims, it is vital that manufacturers make device-level security an absolute priority. Although cost and complexity naturally are factors involved in improving the security of these devices, there is a way for businesses to achieve this desired balance so that all goals can be met.

Mohit Mehta, vice president and commercial leader: cloud, infrastructure and security - global growth markets, Cognizant