Internet of Things devices are becoming increasingly prevalent in every business and industry. Whether your company is just starting to bring in IoT devices or looking to expand the network with more devices, chances are you’ve struggled with securing IoT. With facilities sometimes running completely with IoT devices, how can you be sure these devices are secure? In today’s blog, we’ll determine how to assess the cybersecurity of your IoT devices and make your facilities more efficient and secure.
What are IoT devices?
Internet of things (IoT) devices are physical devices created to collect and transmit data with the software and processing ability to operate and communicate wirelessly. You are likely reading this blog on an Internet of Things device. IoT devices are our everyday smart devices, such as our smartphones, sensors, smart security cameras, smart refrigerators, and much more. The growing volume of connected IoT devices has completely changed the way companies collect and store data, and greatly improved operational efficiency and productivity. The field of IoT is still relatively new and growing. Due to the constant growth and evolution of this landscape, many believe organizations must recognize typical risk management and cybersecurity measures when it comes to protecting IoT.
Why is IoT device security important?
IoT devices are simply everywhere around us and are in use 24/7, but are not usually designed with cybersecurity in mind from the start. These devices are largely considered to be the weakest link in the cybersecurity chain, as they are increasingly susceptible to cyber attacks due to their internet connectivity and popularity among malicious agents. IoT devices became a favored target due in part to the increasing attack surface that comes with growing numbers of connected IoT devices. Lack of firmware updates is one of the leading causes of IoT hacks. Once deployed, IoT devices are rarely updated. Adding to the increased volume of these devices, we have all too often seen major breaches happen as the result of an attacker accessing a device considered to be insignificant. For example, in 2017 a casino database suffered a data breach when a malicious agent entered through an unsecured internet-connected fish tank sensor. Internet connectivity and remote control are what make these devices desirable for business and operations, but these same characteristics make the devices dangerous if left unsecured. Lost IoT devices can also cause a vulnerability for the company because it can possess sensitive information inside its storage or configuration.
How to assess the cybersecurity of IoT devices
To assess the cybersecurity levels of IoT devices, you must examine the entire IoT ecosystem and IoT infrastructure, not just the connected devices themselves. Vulnerabilities in the IoT infrastructure will bleed into the connected devices, even if the devices themselves have been secured. Before investing in large security solutions, you may want to verify the current cybersecurity status of your devices. It is highly recommended that cybersecurity for IoT is made a priority from the initial design stages and included in IoT implementation plans. For this section, we’re focusing specifically on how to assess the cybersecurity of IoT devices first rather than how to secure IoT devices. This is because these devices are incredibly different from conventional IT devices, thus special care must be taken to ensure these devices and systems are properly secured.
Implement device discovery to identify all connected devices
Before looking into ways to secure IoT devices, companies must identify all of the connected devices on their network. This can be done with a device discovery tool or scan. It may also be called an asset discovery tool. The more connected devices present, the larger the attack surface will be. Device discovery can be done in collaboration with your IT team or in-house cybersecurity team or a trusted cybersecurity vendor or software. These discovery tools will often offer the ability to see the model, current hardware and software, and needed updates for each discovered device. Keeping devices and systems up to date is the key part of assessing IoT cybersecurity. Once every device is discovered, facilities must keep these devices inventoried. An asset inventory solution, or an IoT asset inventory solution, is best to keep track of these devices long-term without using time-consuming manual methods.
Understand your known vulnerabilities and risks
Understanding your facility and industry’s known vulnerabilities and risks will help you determine how to best secure your IoT infrastructure. IoT devices and systems are a popular target for cyber attacks across all industries. The IoT landscape is constantly growing and changing. Managers must understand the company’s current vulnerabilities within its IoT ecosystem and devices, and understand that these vulnerabilities will likely bleed into other systems within the company. The sheer volume of IoT devices present greatly increases the number of potential vulnerabilities. Primary threats to IoT devices include:
- Malware (especially ransomware)
- Phishing and social engineering attacks
- Zero-day exploits
- DOS and DDOS attacks
A network vulnerability assessment can be used to identify current vulnerabilities. Teams can also create a risk profile to get deeper into the company’s specific risks and vulnerabilities.
Perform an IoT-based Risk Assessment
A risk assessment involves identifying and prioritizing specific risks to the company and facility. An IoT-based risk assessment will do this process for the company’s IoT infrastructure while considering the static and dynamic nature of the IoT landscape as a whole. Through this assessment, managers should ask and understand:
- “What are our risks?”
- “How likely is it for this risk to happen?”
- What will be the consequences of this risk happening?”
NIST released a publication in 2019 regarding the management of IoT cybersecurity and privacy risks. However, some researchers believe that even periodic risk assessments and vulnerability scans may not be encompassing enough for the pervasiveness and complexity of modern IoT infrastructure. Some IoT risks may be missed or mistakenly qualified since IoT differs so much from conventional IT devices. A real-time threat intelligence platform can help mitigate this issue.
Identify current operating systems and software
Once the devices are implemented, it’s extremely important to make note of what operating systems and software they are using and ensure all are updated properly. Lack of firmware updates and unpatched security features have been identified as two of the leading causes of data breaches through IoT. Adding to this, once certain IoT devices and systems are deployed, they remain static and very often lack the ability to automatically update like many IT devices. As we’ve seen with the recent Log4j vulnerability, devices and systems may be using recently exploited software that is still in the process of being patched. This is especially true of OT platforms since countless amounts of these platforms were found to be using Log4j code.
Remain up-to-date and flexible for landscape changes
This is perhaps the most important part of assessing IoT cybersecurity within your facility. You must understand the landscape is constantly evolving, and what may work today may not be adequate tomorrow. Assessing the current cybersecurity of your IoT devices is not a one-and-done process. It is something to be done periodically or more and should be done anytime new devices are installed or systems are implemented. It’s a distinct possibility that new systems and devices will be introduced between assessment periods, and may render the results from the previous assessment moot. Teams will have to remain flexible and stay up-to-date with IoT trends and information. Keeping the software updated is especially necessary.
Consider investing in an IoT Security Solution
One of the major points of the NIST publication on IoT cybersecurity and privacy is that “the availability, efficiency, and effectiveness of cybersecurity and privacy capabilities are often different for IoT devices than conventional IT devices.” This means that companies will have to create separate controls and security measures for IoT devices and be prepared in the event that mitigation for certain threats may not be available. It stands to reason that teams may want to consider separate IoT-specific solutions for security. At the very least, you should invest in a trusted real-time threat intelligence platform to monitor IoT and identify incoming threats. While businesses will of course want to invest in the most cost-reducing solutions, in this case, there may be greater benefit in hiring a professional cybersecurity vendor to oversee this process.
Assessing the cybersecurity of IoT devices can be difficult depending on the volume of devices but with the right tools and knowledge, it is possible to. This assessment is best done periodically, with the timing dependent on your company’s needs. However, it absolutely should be done after implementing new IoT devices and systems.