How to Make Sure IoT Devices Don’t Compromise Security
The Internet of Things (IoT) has revolutionised the way we live, work, and interact with our surroundings. However, the proliferation of IoT devices has also introduced new security risks and vulnerabilities.
Forescout’s The Riskiest Connected Devices in 2024 report, found that devices containing vulnerabilities surged by 136% compared to the previous year.
IoT devices include wireless access points, routers, printers, voice over Internet Protocol (VoIP) and IP cameras, all of which were Forescout found to have vulnerabilities.
Rik Ferguson, VP Security Intelligence at Forescout, previously told Infosecurity that threat actors primarily target IoT devices connected to the enterprise stack, such as IP cameras and building management systems, ahead of consumer smart products.
“There are tutorials shared in underground forums about how to compromise and use them for lateral movement, exfiltration and command and control, because they are invisible in most cases to the enterprise security stack,” noted Ferguson.
Research by Irdeo found that cyber-attacks on IoT devices could cost the UK economy over £1bn each year. As well as causing downtime, attacks on IoT devices can compromise data.
Manufacturer Responsibilities on IoT Security
Many argue that the responsibility for securing these devices must be placed on the manufacturers. Vulnerabilities are often present in devices because those making them have not develop them to high enough security standards.
“The market for IoT devices is characterised by rapid innovation and short product cycles. Manufacturers are under pressure to get new products to market quickly to stay ahead of competitors,” noted Nikki Webb, Global Channel Manager at Custondian360. “This rush can lead to security being an afterthought, as speed to market often takes precedence over comprehensive security testing.”
In order to tackle this, there have been a number of attempts to design standards and pass legislation to enhance the security of IoT devices.
These include:
- UK’s Product Security and Telecommunications Infrastructure (PSTI) Bill which aims to strengthen the security of IoT devices. This came into effect in April 2024 and requires manufacturers of UK consumer connectable products to comply with the relevant obligations set out in the Act, which include ensuring they and their products meet the relevant minimum security requirements.
- The US 2019 IoT Cybersecurity Improvement Act, passed in 2020, sets minimum security standards for connected devices the federal government uses.
- The EU Cyber Resilience Act introduces specific obligations for products with digital elements, aiming to embed cybersecurity into their entire lifecycle.
- NIST’s IoT Cybersecurity Program, launched in 2016, which aims to supports the development and application of standards, guidelines, and related tools to improve the cybersecurity of IoT systems and the environments in which they are deployed.
Despite these efforts, Webb commented that in many regions there are still few stringent regulations specifically addressing IoT security.
“Without regulatory requirements or penalties for non-compliance, manufacturers might not feel compelled to prioritise security,” she said.
She also noted that the IoT industry overall lacks uniformed security standards, leading to inconsistencies in how security is implemented.
One way to overcome this challenge, Webb argued, is to promote the concept of security by design, inserting security into the design phase of product development. She also argued that offering tax incentives, subsidies, or other financial benefits to manufacturers that implement robust security measures could be an effective solution.
Register for Europe’s leading cybersecurity event
Join us at London ExCeL, 3-5 June, for three days of learning, networking, discovering and exploring all things Infosecurity.
Advice for CISOs on Approaching IoT Security
Regulations and standards are just one part of the puzzle when it comes to security surrounding IoT devices, there is a lot that CISOs and cybersecurity leaders can do to ensure that they are not left vulnerable by the devices connected to their networks.
Know your Supply Chain
The IoT supply chain is complex with multiple vendors contributing different components and software to a single device. Security gaps can emerge when devices are integrated without sufficient oversight.
“Organisations must adopt auditing of their supply chains, make sure you have the right documentation from the supply. Don’t cut corners, only buy from reputable providers,” Webb commented.
Secure Password Practices
Many devices, most obviously routers, come with a pre-programmed default password which are often weak and easy to hack.
These should be changed as soon as possible, ideally the first time the device is connected to the network and where applicable two-factor authentication (2FA) integrated.
Regularly Update Devices
Patching and software updates on devices should be done regularly. Updates frequently release software updates that will address vulnerabilities, but these must be implemented.
If there are devices that are no longer supported by the manufacturer and do not receive updates, consider swapping these out for newer IoT devices that can be updated and patched regularly.
Network Segmentation
Reducing the attack surface can be done by eliminating unnecessary internet connections to IoT devices. Zero trust practices can be useful here but may not provide a silver bullet.
Consider IoT device identification systems that can detect and isolate IoT from the network and other devices if necessary.
By having a segmented network your network is divided into partitions so if an IoT device vulnerability was to cause issues it would not disrupt your entire system.
Isolating certain devices on a separate network also helps prevent them from secretly collecting data and limits their access to only the information and devices necessary for their operation.
Education
Train employees on best practices for using IoT devices and recognising potential security threats. By ensuring your staff have the knowledge to identify potential risks they can be part of the solution to stop risky devices being connected to the network and help you identify issues with those that may already be in use within your organisation.
ADVERTISEMENT
Conclusion
IoT has become a firm fixture in our lives, but its rapid growth has also introduced significant security risks.
Vulnerabilities in IoT devices have increased, making them prime targets for cybercriminals.
Organisations must prioritize IoT security to protect their networks and data.
While regulations and standards play a role, CISOs and cybersecurity leaders must take proactive measures to assess, manage, and mitigate the risks associated with IoT devices.
“Addressing these issues requires a concerted effort from manufacturers, consumers, industry bodies, and regulators to elevate the importance of security in the IoT ecosystem,” Webb commented.
Enjoyed this article? Make sure to share it!
Latest Articles
Keep up to date with the latest infosecurity news and trends in our latest articles.
Stay in the know
Receive updates about key events, news and recent insights from Infosecurity Europe.
Looking for something else?
Tags
ADVERTISEMENT
ADVERTISEMENT