Securing the modern world of IoT

John Linford at The Open Group explores the unique vulnerabilities around IoT devices and networks

The Internet of Things (IoT) has woven itself into the fabric of our lives. From wireless ATMs, introduced in the 1990s, through to modern smart traffic management solutions, IoT is everywhere.

The benefits are clear; connected devices bring undeniable convenience and efficiency. But as the use of connected devices has grown, so too have concerns and incidences of cyber-security attacks and vulnerabilities. 

Cyber-security vulnerabilities

IoT devices are attractive for attackers seeking access to corporate networks and personal data as too many devices lack default encryption, creating a significant vulnerability that can be exploited. In these cases, sensitive information can be exposed, taken and manipulated, as it is transmitted between devices. 

Furthermore, unsecured interfaces and a lack of physical security measures make IoT devices susceptible to malware injection and other cyber-attacks.

Distributed denial-of-service (DDoS) attacks, for example, can leverage botnets to overwhelm and disrupt unsecure IoT devices. Physical or identity theft can be used to grant attackers access to compromised systems, meanwhile unpatched security vulnerabilities in firmware and software present additional opportunities for attack. Hackers take advantage of these to disrupt operations, gain unauthorised access and even launch ransomware attacks – a growing threat particularly for critical industrial and infrastructure systems.

Indeed, in 2023, research found a 400% increase in IoT and OT malware attacks year-over-year. That’s a frighteningly rapid trajectory. 

One reason why this seemingly clear issue isn’t dealt with is that affordability and a streamlined user experience are attractive to buyers. This leads many manufacturers to prioritise these aspects over robust security features, but it has also created a breeding ground for vulnerabilities that attackers can exploit with ease.

A final point of note is the difficulty IoT devices encounter because of patch management. While patch management is critical for maintaining the security and functionality of any networked device, the range of IoT devices makes it a challenge. Each product may require a unique patch, complicating the task for administrators who must track and apply numerous updates across vast networks.

Unpatched vulnerabilities in IoT devices can be exploited by malicious actors, leading to security breaches, data theft, and compromised networks. The challenge with managing patches leads to a greater window of exposure, making IoT devices, once again, attractive targets for cyber-attacks.

However, it’s not all gloom for IoT security; far from it. There are now several effective methods and technologies being used to enhance the security of IoT networks and devices. 

AI will be increasingly important

Real-time threat detection and response (TDR) is being made possible using artificial intelligence (AI) and machine learning (AI-ML); by analysing vast quantities of data at speed, trends, abnormalities, and possible security breaches can be identified.

AI-driven security solutions for IoT networks can monitor and possibly even control connected devices, which can speed up threat identification and mitigation. It is important to note, though, that AI tools should not be relied upon on their own.

Zero Trust 

A major step is putting a comprehensive Zero Trust strategy in place; that is a strategy which secures an organisation by removing implicit trust and instead asking for validation at each stage of a digital interaction. Blockchain is built on the principles of Zero Trust and offers a lot of security potential for the IoT market; enabling coordination between devices, it can track these devices, and process transactions efficiently. 

A well designed Zero Trust strategy will take consideration of all IoT devices and internet connected systems across a business as well as including a clear delineation of responsibilities for management of said technologies. Done properly, it provides a security framework for organisations plus flexibility, agility, and adaptability in addition to the traditional security assurances.

In short, Zero Trust offers a decentralised solution that, combined with biometric authentication and strong passwords, adds an extra layer of protection and reduces the risk of unauthorised access. 

It’s important to note that Zero Trust relies on collaboration. Only through collaboration can we promote increased communication across entire organisations and industries, as well as the efficient, deliberate use of new tools.

Collaboration is key

At The Open Group, we strongly believe that the responsibility for securing the IoT landscape doesn’t and shouldn’t lie with a single entity but be a collaborative effort.

At the top, governments should aim to be developing and enforcing regulations that mandate minimum security standards for IoT devices, but that responsibility must then trickle down. At the point of design and manufacture, security features and encryption protocols can be designed and baked into products; this must become the norm, not the exception. 

Finally, businesses should focus on implementing secure network architectures and enforcing regular software updates. Cyber-attackers are constantly adapting and evolving their methods, so maintaining up-to-date firmware and software on IoT devices is crucial to block emerging threats. Regular updates also ensure vulnerabilities are patched, maintaining the integrity and security of the entire IoT network. 

What we know, and what we see when each layer of the chain comes together to collaborate, it becomes possible to create and implement standardised data formats and communication protocols which can then streamline security measures across an industry.

By acknowledging the vulnerabilities of IoT and working together, businesses, manufacturers, and policymakers can ensure that the benefits of IoT are not compromised through lax security. 

John Linford is Security Portfolio Forum Director at The Open Group

Main image courtesy of iStockPhoto.com and metamorworks