The IoT industry does not have one clear set of security standards for developers and manufacturers to build in consistent security, but there are security best practices. IT admins might find it difficult to keep track of and update devices, which can remain in the field for many years.
Hackers scan networks for devices and known vulnerabilities and increasingly use nonstandard ports to get network access. Once they have device access, it is easier to avoid detection through fileless malware or software memory on the device.
What is the IoT attack surface?
At its basic level, an attack surface is the total number of entry points for unauthorized system access. An IoT attack surface goes beyond entry points and includes all possible security vulnerabilities for IoT devices, connected software and network connections.
The growing concern around IoT device security includes the fact that threat actors can not only damage the network and software that support IoT devices but also the devices themselves. Furthermore, IoT device adoption is advancing at a rate faster than the processes and protocols that can provide secure, reliable connections.
There are steps that organizations can take to secure the IoT attack surface, but these require the staff and technical expertise to set policies in place that can proactively detect threats and also reactively apply measures to reduce the size of the attack surface.
Top 5 IoT security threats organizations must address
1. IoT botnets
After major botnet attacks such as Mirai in 2016, IoT developers, admins and security officers won't forget to take measures to prevent this type of attack. Botnet orchestrators find IoT devices an attractive target because of weak security configurations and the quantity of devices that can be consigned to a botnet used to target organizations.
An attacker can infect an IoT device with malware through an unprotected port or phishing scams and co-opt it into an IoT botnet used to initiate massive cyber attacks. Hackers can easily find malicious code on the internet that detects susceptible machines or hides code from detection before another code module signals devices to launch an attack or steal information. IoT botnets are frequently used for distributed denial-of-service (DDoS) attacks to overwhelm a target's network traffic.
Botnet attack detection is not easy, but IT admins can take several steps to protect devices, such as keeping an inventory of every device. Organizations should follow basic cybersecurity measures, such as authentication, regular updates and patches, and confirmation that IoT devices meet security standards and protocols before admins add them to the network. Network segmentation can wall off IoT devices to protect the network from a compromised device. IT admins can monitor network activity to detect botnets and must not forget to plan for the whole device lifecycle, including end of life.
2. DNS threats
Many organizations use IoT to collect data from older machines that weren't always designed with more recent security standards. When organizations combine legacy devices with IoT, it can expose the network to older device vulnerabilities. IoT device connections often rely on DNS, a 1980s decentralized naming system, which might not handle the scale of IoT deployments that can grow to thousands of devices. Hackers can use DNS vulnerabilities in DDoS attacks and DNS tunneling to get data or introduce malware.
IT administrators can ensure DNS vulnerabilities do not become a threat to IoT security with Domain Name System Security Extensions (DNSSEC). These specifications secure DNS through digital signatures that ensure data is accurate and unmodified.
When an IoT device connects to the network for a software update, DNSSEC checks that the update goes where it is supposed to without a malicious redirect. Organizations must upgrade protocol standards, including MQ Telemetry Transport, and check the compatibility of protocol upgrades with the entire network. IT administrators can use multiple DNS services for continuity and an additional security layer.
3. IoT ransomware
As the number of unsecured devices connected to corporate networks increases, so do IoT ransomware attacks. Hackers infect devices with malware to turn them into botnets that probe access points or search for valid credentials in device firmware that they can use to enter the network.
With network access through an IoT device, attackers can exfiltrate data to the cloud and threaten to keep, delete or make the data public unless paid a ransom. Sometimes payment isn't enough for an organization to get all its data back and the ransomware automatically deletes files regardless. Ransomware can affect businesses or essential organizations, such as governmental services or food suppliers.
4. IoT physical security
While it may seem unlikely that attackers will physically access an IoT device, IT administrators must not forget this possibility when they plan an IoT security strategy. Hackers can steal devices, open them up and access the inner circuits and ports to break into the network. IT administrators must only deploy authenticated devices and only allow authorized and authenticated device access.
5. Shadow IoT
IT admins can't always control what devices connect to their network, which creates an IoT security threat called shadow IoT. Devices with an IP address -- such as fitness trackers, digital assistants or wireless printers -- can add personal convenience or assist employees with work, but they don't necessarily meet an organization's security standards.
Without visibility into shadow IoT devices, IT admins can't ensure the hardware and software have basic security functionalities or monitor the devices for malicious traffic. When hackers access these devices, they can use privilege escalation to access sensitive information on the corporate network or co-opt the devices for a botnet or DDoS attack.
IT admins can put policies in place to limit the threat of shadow IoT when employees add devices to the network. It is also important for admins to have an inventory of all connected devices. They can then use IP address management tools or device discovery tools to track any new connections, enforce policies and isolate or block unfamiliar devices.
How to defend against IoT security risks
IT teams must take a multilayered approach to IoT security risk mitigation. There are broader best practices and strategies that organizations can put in place, but admins should also have specific defenses in place for the differing types of IoT attacks.
IoT security is a combination of policy enforcement and software to detect and address any threats. IT teams that oversee IoT devices should have strong password policies for any devices on the network and use threat detection software to anticipate any potential attacks. The more visibility that an IT team has into what data is on IoT devices, the easier it will likely be to proactively detect security risks and threats.
Basic strategies IT administrators can use to prevent security attacks include device vulnerability assessments, disablement of unneeded services, regular data backups, disaster recovery procedures, network segmentation and network monitoring tools.
Data protection strategies are another way to boost IoT security. Though IoT deployments can be tough to deploy due to their decentralized nature, it helps to have an extra layer of security. IT teams can keep data secure with visibility tools, data classification systems, data encryption measures, data privacy measurements and log management systems.
For physical security measures, organizations should place devices in a tamper-resistant case and remove any device information that manufacturers might include on the parts, such as model numbers or passwords. IoT designers should bury conductors in the multilayer circuit board to prevent easy access by hackers. If a hacker does tamper with a device, it should have a disable function, such as short-circuiting when opened.