Last updated on July 30th, 2021 at 08:06 pm
Since the creation of IoT devices in 1999, organizations are continually adopting more and more IoT devices inside their work environments. IoT devices are profoundly improving and are integrated with advanced capabilities to real-world applications from industrial technology to smart water meters.
The average enterprise network consists of hundreds to thousands of IoT devices which account for close to 15%-25% of the IT networks. According to Gartner, the amount of IoT devices in enterprises is growing rapidly at 21% per year (doubling every 4 years). However, as organizations continue to adopt more IoT devices it’s simple to overlook the endless amount of security challenges that are inherent connected to IoT.
The newly connected devices are more vulnerable to incoming cyber attacks. Industrial devices from sensors to PLCs are opening new capabilities for data storage, remote monitoring which is creating more risks for enterprises and their products. The process that industrial IoT devices and systems are designed makes them an attractive target for cyber criminals due to their ease to compromise. On top of these security challenges, IoT devices rarely have direct end-user interactions which means that many different types of IoT devices are likely to be untouched and undetected which results in attackers easily being able to compromise the devices and the network.
Additionally, the increasing deployment of IoT devices has created a growing management challenge for security teams. Most IoT devices were not designed with security and enterprise policies in mind. Typical IoT devices are not supported by proper management tools, while some devices tend to be managed by third-party management tools.
This lack of visibility and security into IoT devices has created the issue of not being able to successfully track IoT devices connected to the network while keeping them secure. With minimized visibility into IoT devices, it has resulted in leaving IT and IoT security in an unsecured state.
IoT Devices More Susceptible to Security Flaws
The industrial industries have reaped the benefits of IoT devices with the advancement of industrial sensors, artificial intelligence and machine learning capabilities. However, the lack of built-in security in the devices is putting a toll on their security practices.
By far the biggest security risk that IoT devices are pertaining to is being prone to exploitation. According to the Department of Justice’s Cybersecurity Unit, “once infected, IoT equipment can be used to launch large-scale botnet attacks that threaten the stability and performance of private networks”. To avoid becoming victims of an IoT attack, enterprises need to have a better understanding of the various security risks of adopting IoT devices and enforce new company-wide policies to secure the potentially vulnerable endpoints.
Here are my five reasons which are accounting for the insecurity of IoT devices:
Lack of Manageability – According to Gartner, “IoT Manageability is a throwback to IT of 20 years ago”. When comparing IoT devices to IT equipment they are unmanaged or have limited to no support for centralized management. Meaning companies are using different vendors within their own systems and not communicating with other systems. This leads to IoT devices being unmanaged and increases the number of different security risks on the company’s IT network without the enterprise knowledge of them.
Inherent Insecurity – Far too often IoT devices contain vulnerabilities in their built-in firmware and in some instances there are no available patches or they can’t be applied on many devices. The lack of visibility into an IoT device can result in end-users not being aware that they have a vulnerable device.
No Device Is Alike– Similar to different IT systems, not too often is an IoT device identical to another device. In most cases, each IoT device is made with different hardware from CPU to chipsets and could have different operating systems. With each device having different hardware and systems the security requirements will be different for each device. This is why it’s a challenge to find one simple solution that fits all IoT devices.
Price & User Friendliness – While most enterprises like to save money when purchasing large amounts of technology. However, in the case of secure IoT devices, it usually is more expensive because they’re more difficult to develop and support. Additionally, adopting IoT devices that have security built-in could be more difficult to deploy and maintain but the security features are worth the price tag and knowing the device is secure and up to date.
Legacy Equipment – While the issue of IoT devices’ security has only become a considerable problem recently, IoT devices have already been in use for many years, with many large-scale deployments already in place. Achieving inherent security requires radical changes to the entire ecosystem, which has taken years to decades in the case of PCs and servers, and are likely to require a similar time scale in the case of IoT devices. It is bound to happen eventually, but we still have a long way to go.
What Can Enterprises Do To Secure IoT Devices
There is no quick fix for IoT security. The massive amount of devices that are complex and time-consuming to deploy make it a challenge for enterprises to stay a step ahead of the different emerging security threats and potential issues. To ensure better security within a company’s IoT environment, IT and OT teams need to implement the right security strategy in place. This requires five key components:
- Isolation isn’t the simple answer- Traditional IoT security solutions mitigate attacks by integrating with firewall and Network Access Control (NAC) products in order to isolate compromised devices from the network. While this approach is effective in the sense of preventing a breach, it has the side effect of disrupting the normal operation of the device which can result in an easy entry point for attackers.
- Updating Devices Regularly – Often the manufacturers of IoT devices release periodic security features to protect the device from cyber attacks. End-users must not ignore these updates and update the device regularly to protect their data from the evolving cyber attack methods.
- Automate Risk Exposure – Enterprises need to allow their system administrators to perform device operations at scale, such as upgrading to the latest firmware, as well as changing passwords and configurations. This dynamic protection approach allows security teams to discover and address risk exposures as they arise before they emerge into an actual threat by adversaries. This security-minded approach reduces both the total amount of incident responses and the cost of each incident.
- Ongoing Device Management – IoT devices tend to be the most vulnerable to attacks when there is a lack of device visibility. By getting a better understanding of the devices in your network with proper management, it will allow security teams to protect devices before any incidents occur. In the case of an incident that does occur, properly managing IoT devices from one place will allow you to detect them quickly and react instantly.
- Proactive Approach – IoT technology is constantly advancing and this demands enterprises to have a more proactive approach to device security. By understanding the security needs for IoT devices such as real-time event tracking, enterprises can prepare ahead of time that their devices will be more secure against incoming attacks.
As IoT technology continues to advance and mature, the need for IoT security solutions will continue to enforce changes on how different industries will use IoT devices in their environments. By enterprises understanding the different security challenges and risks that IoT devices come with it will allow them to be better positioned to reap the benefits of IoT technology.
Michael brings 15 years of marketing creativity and out-of-the-box thinking to SCADAfence. Before joining the team, Michael was the Director of Marketing at TrapX Security, where he was famous for thought leadership and for turning a small, declining startup into a successful, profitable world-leading vendor in their vertical. Prior to that, Michael was the VP of Marketing at AMC and rebuilt their entire marketing architecture, bringing in strong revenue figures that the firm has’t seen in decades. Michael studied at Harvard Business School, at Bar Ilan University for his MBA & Lander College for his BS degrees in Marketing and Business Management.