How to Win the IoT Cybersecurity War
By Enrico Milanese
August 1, 2024
Cybercrime has a significant impact on operations and your bottom line. Statista predicts that the global cost of cybercrime will increase from $9.22 trillion in 2024 to $13.82 trillion by 2028.
What are the reasons for this rise, and how can organizations prepare for and respond to evolving IoT cybersecurity risks? Keep reading to discover the causes of the cybersecurity war and how your organization can win.
Several factors come into play when organizations consider the Internet of Things (IoT). The priority requirements for adopting IoT have changed, and cybersecurity is chief among them.
According to a survey by McKinsey & Company, 32% of enterprise buyers cite cybersecurity as their top concern and an impediment to IoT adoption. A successful cybersecurity strategy requires consideration and implementation at each level. To avoid pitfalls, organizations need to be aware of security risks and the most efficient ways to overcome them.
IoT security threats aren’t just theoretical. Real-world attacks demonstrate the potential for disruption and harm. For example, vulnerabilities in smart meters and grid infrastructure could allow hackers to:
Recent public warnings from government security agencies showcase these risks. The U.S. National Security Agency released a report on cyber actors targeting utility infrastructure that supports national economies.
In addition, the Czech Republic’s National Cyber and Information Security Agency identified security issues with certain smart meters. It warned that breaches could “include interruptions and mass disconnections of thousands of consumption points” and cause widespread blackouts.
Medical devices are another area of concern. Compromised devices could be manipulated to administer inappropriate and dangerous drug doses or report inaccurate vital signs data. The scenario is troubling enough that the U.S. Food and Drug Administration recently enacted new cybersecurity requirements for medical device manufacturers.
These are only a few examples that spotlight IoT risks. The potential threats increase as more industries and people connect to more devices.
Threat actors have differing motivations when breaching IoT ecosystems. Some look to steal data they can monetize directly. Others want to infiltrate business networks through unsecured IoT devices as an initial attack vector. More advanced hackers turn consumer IoT devices into botnets to enable distributed denial of service (DDoS) attacks that overwhelm their ultimate targets.
Recognizing these motives allows organizations to add the right protections. For example, a company concerned about data theft would invest in access controls, encryption and software integrity checking. These measures would prevent information compromise above all else.
A critical national infrastructure operator like an electric utility may emphasize measures to prevent mass device hijacks to avoid outages. Understanding threat actor incentives guides smart security decisions.
Though IoT devices are becoming popular, they remain challenging to secure. Let’s examine the most common reasons behind IoT cybersecurity issues.
There is no single standard operating system or set of communication protocols. Different devices operate on varying requirements. How those devices connect and communicate with clouds, servers and each other can also vary. It’s challenging to implement functional security solutions with so many moving parts involved.
To secure IoT, you must overlay security measures on older equipment or legacy systems. Some systems can’t be upgraded. Others can be upgraded incrementally, but it’s a slow process.
When adding devices to your IoT deployment, you must ensure the manufacturer builds security from the ground up. Read more in our white paper, “IoT Security: Empowering the Evolution of IoT.”
Third-party dependencies play a critical security role. You have little to no control over what a third-party provider does and little ability to make specific changes. These dependencies make it difficult to know and trust that data will be managed securely.
Another essential but often overlooked security consideration is the limited resources within IoT devices. Compared to other devices, these tend to have lower computing power, battery power and storage capacity. These limitations can restrict the device security measures you can implement.
We can’t discuss IoT cybersecurity without vulnerability management. More code is involved in device functions than before, which leads to more vulnerabilities. There has been exponential growth in deployed devices with high variance and diversity. Organizations must then contend with enormous amounts of new code and IoT vulnerabilities.
Companies pay a high price to discover and mitigate vulnerabilities, then patch and update. Global Market Insights says the vulnerability management market was worth $14.5 billion in 2022. It predicts a compound annual growth rate (CAGR) of 10% between 2023 and 2032.
A survey from the IEEE Computer Society shows that developers spend about 30% of their time finding and fixing bugs. Consider an IoT environment where thousands or millions of devices stream data across infrastructure with several integration touchpoints. The defects and debugging time will only continue to grow.
A vulnerability enabling one compromised IoT device to execute code on peer equipment could require a large-scale redeployment of updated firmware. Unlike patching one server or database, this redeployment must occur simultaneously across all assets.
As investment in IoT expands, so does the need for security at a foundational level across hardware and software components. Otherwise, billions spent on these fixes may be wasted while more costly business disruptions arise.
How do you protect your organization from these threats and avoid the consequences of breaches? Take these steps to improve your security posture in the IoT landscape.
If a third party suffers a breach or lacks segmentation and access controls, hackers may gain access to the sensitive data your systems transmit and store with those providers. Outsourcing aspects of an IoT ecosystem can relinquish visibility and control over your data at multiple junctions unless explicitly outlined in vendor agreements.
Some providers treat privacy and protective measures as an afterthought. Due diligence around a partner’s security posture ensures that your information remains protected when engaging external services.
IT architects should conduct detailed assessments on elements, including:
Requiring access to audit logs and limiting data replication outside geographic or legal boundaries also reduces exposure from mismanaged vendor ecosystems. Knowing key partners take data confidentiality seriously reduces lapses that create breaches.
IT leaders need an enterprise-wide connected device inventory to gauge their exposure. Understanding the reach of IoT and properly segmenting access is essential to contain threats.
While convenient for collecting and analyzing data, integrations also introduce risk in the form of “shadow IoT.” If attackers access IoT devices on a corporate network, they may pivot to exploit vulnerabilities in adjacent business systems with which the devices interact daily.
Few IT teams have full visibility into all the IoT gear spread across their environment or what vulnerabilities old equipment may contain. Not patching or updating IoT gear with the same rigor as a server or laptop leaves easy openings for lateral movement across networks.
Organizations must also implement a security strategy to mitigate present and future attacks based on the most common patterns. Leverage technologies that reduce the need for continuous security patching. Software updates can be challenging and costly in IoT. You don’t want to increase the risk of security issues if high or unexpected costs catch you off guard.
Operational awareness is crucial, as you must know the state of your deployment and if or when you are under attack. It’s the only way to prevent or lessen the impact. You must consider security as early as possible.
Security can’t be an afterthought when implementing an IoT system. Instead, organizations must make security an integral ingredient across their entire IoT value chain through security by design.
Security by design means considering potential vulnerabilities, threats and safeguards during a project’s research and planning phases. It goes beyond considering these while configuring devices or cloud servers. It also means partnering with device manufacturers that engineer security measures into their products from the start.
Furthermore, organizations must acknowledge when they lack the in-house security expertise to evaluate and strengthen an IoT deployment. Seek outside guidance by partnering with an experienced IoT solutions provider. Build in security from the start through thoughtful design choices and collaboration.
What does this concept look like in practice? Specific examples include:
For those building new IoT projects, prioritizing fundamental security hygiene is the best place to start. Measures to address common attack vectors include:
Organizations without in-house security expertise can engage partners like Telit Cinterion, which has proven methodologies and implementation experience. Such a partner can set projects up for success from the start instead of reactively bolting on protection measures.
Telit Cinterion is a global leader in IoT enablement. We are trusted by thousands of direct and indirect customers worldwide. Our extensive solutions portfolio powers millions of connected devices to date.
For over 24 years, we have been a leader in global IoT solutions because we believe in your business’s potential. You’ve done the challenging work of digital transformation. IoT will empower the next phase of your future, and security will empower IoT.
Our IoT solutions embrace a 360-degree security by design approach. We build security into every layer of your ecosystem, giving you holistic, end-to-end protection. We work with you to find a unique solution and provide the tools and confidence to take the next leap forward.
Editor’s Note: This blog was originally published on 14 September 2021 and has since been updated.