How to Secure Your Internet of Things Devices

Internet of Things devices are everywhere. By one estimate, there were 10 billion connected IoT devices in 2021, such as sensors, networked security cameras, microphones, and RFID transmitters in use by organizations around the globe. In fact, 90 percent of enterprises say IoT is central to their digital transformation. But the widespread use of IoT solutions comes with a price to pay. Security is often not a priority when companies deploy these tools, which can make them vulnerable. Cybercriminals can use unprotected IoT devices as springboards for corporate networks. As businesses look to expand their IoT deployments, certain steps need to be taken to protect their devices and data.

The Nature of IoT Device Security

IoT devices typically collect data and send it for collection and analysis. Because of their compact design, they often have limited storage capacity, which makes them unable to use security tools like anti-malware and firewalls. Patching IoT devices can be a challenge, so security holes are sometimes left unpatched. For these reasons, IoT devices often represent a weak link in the security chain. To exacerbate the situation, many IoT networks have grown over time to incorporate numerous devices, often deployed in uncontrolled and unsecured environments. IoT networks are complex, presenting a much larger attack surface than a typical network. The more connections there are, the more opportunities there are for cybercriminals to attack. Even a minor vulnerability on a single device could expose an entire network.

Threats to IoT Devices

IoT devices face a variety of threats. Firmware (software on all IoT devices that operates the hardware) may be exploited, and even if vulnerabilities are known, patches may not be available or applied. Attackers also may break into a network using default usernames and passwords that customers have not changed or cannot change. This vulnerability was exploited by the Mirai malware, which utilized 61 common default credentials to launch devastating distributed denial of service attacks. Devices also may be vulnerable to on-path attacks, in which an attacker is positioned between an IoT device and a server for example, between a security camera and its cloud server and intercepts communications between them. The risk of data exposure in these scenarios is high since many devices do not encrypt communications by default. Because IoT devices connect to the internet, attackers can exploit known vulnerabilities and take over devices as a first step in conducting attacks that allow them to move laterally through an enterprise network, stealing data, implanting malware, or accessing sensitive information.

IoT Risks

IoT devices can be risky for two reasons: They are easy to exploit, and once exploited, they can wreak serious havoc. Many devices are not designed with security as a top consideration: They may have poor internal controls, come with default passwords that are difficult to change, be unable to encrypt data or have known vulnerabilities for which the manufacturer has not issued a timely patch. Once an IoT device is exploited, the harm cyberattackers can do can be severe. Compromised IoT devices that provide physical access, such as card reader systems, could allow unwanted visitors to enter a facility with no audit trail. IoT-based HVAC systems without adequate security could enable cyberattackers to take remote control of a building’s temperature and humidity, damaging inventory or disrupting work.

What Steps Can IT Leaders Take?

Ultimately, organizations should work to secure every device or node on an IoT network. Following these steps below should help IT leaders improve their IoT security. IT teams should make sure devices are sufficiently authenticated (with an authentic TLS certificate, for example) so requests to applications, services and protocols come from authorized devices.

1. Know what you have: Many IT professionals are unaware of all the IoT devices on their networks. A 2020 Infoblox study found that over a 12-month period, 80 percent discovered unknown IoT devices on their networks. IoT device management platforms can provide teams with visibility into their entire inventory and potential security issues. A device management system can identify and profile all devices and monitor them regularly.
2. Choose the right devices: Organizations should acquire only IoT devices designed with effective security features, and only from manufacturers who release timely security updates. California and Oregon laws require devices sold in those states to be fitted with reasonable security features, such as unique passwords, regular security updates and vulnerability disclosures. Organizations should avoid devices without an external interface or with unchangeable credentials, and they should turn off any unneeded features such as microphones and ports.
3. Secure your device access: Cybercriminals access devices in uncontrolled environments, or via stolen credentials, to upload malware, access unencrypted data or incorporate the devices in botnets. IT professionals should change default credentials when installing an IoT device and should avoid the reuse of the same credentials across multiple similar devices.
4. Secure the data: Encryption helps protect data at rest and in transit, even if it were to be accessed or stolen by an unauthorized entity. Encryption is essential to preventing eavesdropping, which is especially prevalent in industrial espionage.
5. Patch, patch, patch: When a manufacturer releases a security update for a discovered vulnerability, IT teams should update devices in the field immediately. Waiting even a couple of days can mean that hackers can exploit the vulnerability.

The convenience and functionality of IoT networks are game changers for the industry. But it’s worth taking the time to make sure IoT networks have not also opened the door to cybercriminals. There are several additional actions organizations can take to protect IoT workloads and data, including network segmentation, monitoring, and analyzing network traffic. But taking these five steps will give you a head start on addressing the most common risks.