ink drop - stock.adobe.com
Although a collection of hardware, software and networking components makes up IoT, this connected ecosystem's real value is its ability to generate, move, analyze and respond to data.
Yet, according to security experts and IoT leaders, many organizations do not implement adequate security measures to protect the data within their IoT deployments.
Recent research confirms such assessments.
The IoT and IIoT Security Survey, from security software company Tripwire and Dimensional Research, polled 312 IoT security professionals in early 2021. The survey found that 99% of respondents faced challenges -- such as tracking IoT device inventory, validating compliance with security policies and establishing secure configurations -- when securing their organization's IoT and industrial IoT devices. And 53% of respondents were concerned about the risks associated with those devices.
These figures speak to the security of the overall environment through which the data flows. And that indicates potential trouble for many users.
"There seems to be a common thread in that organizations don't have a fundamental understanding of the dangers and risks inherent in the IoT environment, and they're accepting more risks than they should," said Kriss Warner, practice lead and cybersecurity consultant at Info-Tech Research Group.
What's the danger?
So far, attacks on IoT ecosystems have aimed to disable the devices themselves, with the goal of business disruption or use of the networks to access central systems and data stores.
There have been no notable attacks on the data within the IoT ecosystem … yet.
"Bad actors haven't figured out how to monetize the IoT data yet. Once they figure out a mechanism to leverage, they will go after the IoT data in the future," said Andy Thurai, vice president and principal analyst with Constellation Research Inc.
Michela Menting, digital security research director at ABI Research
Others agreed, explaining that although some of the data generated by endpoint devices might seem mundane, it is useful and therefore valuable to the enterprise. That, in turn, makes it valuable to hackers.
"Data security is important in IoT because it is the data that is the most valuable asset, more so even than the device itself," said Michela Menting, digital security research director at ABI Research.
The value of IoT data varies based on the use cases. For example, some IoT deployments regularly generate temperature data for produce in the grocery supply chain. More complex implementations, such as IoT analytics, might monitor and adjust the operation of an IoT device fleet over time. Healthcare IoT often handles critical patient data. Organizations must also consider privacy laws and other regulations that may protect some types of IoT data, Menting said.
"To threat actors, the value of IoT data is the one ascribed to it by the legitimate user [or] operator of that IoT device. That's what makes it an attractive target for threat actors," she explained. "Therefore, data security is very important because interference or theft of that data could have significant repercussions: loss of business [or] reputation, costs for incident response and more dangerous sometimes, an effect on physical systems and operations."
Even in use cases where IoT data may seem ordinary, organizations or attackers could use the information for concerning or even nefarious purposes, said Robin Duke-Woolley, CEO of Beecham Research Ltd., which specializes in the machine-to-machine and IoT markets. For example, organizations could violate individuals' privacy rights. Bad actors could study the telematics data collected by insurance companies or health data from medical devices to track or even hurt individuals if adequate data protection policies aren't in place.
Menting sees the possibility of even more significant consequences in other scenarios, explaining that "interference with critical infrastructure data could lead to a shutdown of critical services -- power plants, water treatment plants, hospitals. It is possible that this could also affect human lives. Interference with data from a connected car or connected transport infrastructure could have deadly consequences."
How to protect IoT data
Protecting IoT data relies on a multistep, multilayered approach, just as securing enterprise data in general does. Organizations should apply many established enterprise data security best practices in their IoT deployments.
A strong IoT data protection strategy must include six key components.
- Visibility into the flow of data. Organizations can adopt device discovery, monitoring and access control tools to catch malicious data use or to find vulnerabilities where data could be hacked.
- Data classification systems. Enterprise executives should rank and prioritize IoT data based on criticality, sensitivity and value. Security resources must align to the data requiring the most protection, said George Young, chief information security officer and chief technologist for intelligent edge and networking at systems integrator CBT.
- Encryption of data. Organizations must encrypt all data at rest and in transit, regardless of whether the IoT environment uses wired or wireless communications, Young said.
- Security by design. Security teams must get involved early in IoT deployments to ensure they incorporate data privacy and protection strategies and other security protocols from the start. They can develop security measures most effectively at the beginning, rather than as afterthoughts and bolt-ons, Warner said.
- Secure components. Organizations should ensure they implement secure components when available -- such as PSA Certified hardware -- to prove they have met certain security and interoperability standards and will evolve to meet emerging risks and threats, Duke-Woolley said.
- Governance programs. Programs must include log management to ensure visibility into the devices and the IoT environment, strong password policies and a patch management program that ensures updates are implemented in a timely manner, Warner said. Others recommended adding automation, when possible, to governance policies to boost compliance and to add speed and efficiency to these processes.
Challenges to IoT data protection
Organizations face challenges when devising and implementing data protection programs. The IoT environment also creates additional hurdles they must overcome.
"Potentially every layer of the IoT [and operational technology] to IT interconnection can be vulnerable if not designed and implemented properly," Thurai said.
The sprawling nature of IoT deployments, with data coming from various devices on disparate networks and often in large quantities, creates additional difficulties when devising a security strategy, Menting added.
"It can be easy to lose track of what is coming in from where, and protecting each device and transmission effectively," she said.
That's why enterprise leaders must link their IoT data protection strategy with their IoT device and network security process and then layer those into the organization's overall cybersecurity and risk management program. This approach can create the most comprehensive and cohesive data protection program.
"Ideally, organizations should perform thorough risk assessments and develop a comprehensive security plan for their IoT devices. This is often difficult when the imperatives of time-to-market are so strong in the business world. But in the long run, being fully prepared from a security and data protection standpoint will help minimize risks and the associated costs of deploying IoT," Menting said. "An understanding of those risks, the value of the data, and the creation of security and incident response plans will go a long way to ensuring that the value of IoT and their derived data can be maximized."