The Internet of Things (IoT) is a powerful boon to business. But it also represents a massive potential expansion of the cybersecurity attack surface. So far, IoT adoption in many organizations has been haphazard and poorly planned. This needs to change. After all, IT security depends on IoT security.

Why IoT Security Is Important

The IoT brings myriad benefits, including reducing costs, improving efficiency, improving safety, enhancing customer service and more.

IoT makes dumb, disconnected devices, such as thermostats and coffee makers, smart and connected. It adds sensors for tracking things like trucking, warehouses and shipping, and connected monitoring for critical infrastructure. And, of course, it makes new business models possible. Together, such IoT systems make up the smart building concept.

By nature, IoT devices connect to the internet. And, by nature, IoT security issues arise when a threat actor or bot accesses those devices, or intercepts or disrupts their connection to the network.

Anything connected to the internet or to business networks could be a back door into the connected network. If you ignore the processing power of devices and focus only on the fact of connectivity, the IoT increases the number of devices connected to the network tenfold, which is to say it increases the attack surface.

The function of most IoT devices is to capture data of some kind and transmit it somewhere. This grows the amount of data flying around, stored and processed, which further creates potential risk.

To many, the addition of all those tiny, low-powered devices may seem like a small matter. But to security staff, they represent a massive increase in the attack surface, data to be managed, data streaming across networks and potential physical targets for attack.

IoT security is both about the device itself, guarding it against physical and cyber attacks, and about the protection of the networks, systems, applications and data to which it could provide a doorway.

Notable IoT Attacks

You might be thinking about IoT security while planning for a new range of warehouse sensors, installing tracking on the company fleet or adding a new video monitoring system. In cases like this, it can be difficult to imagine how these tiny sensors might lead to a cyber attack. So it helps to look back at three that really happened.

The Attack That Took Over a Jeep

A team of researchers in 2015 managed to not only gain access to a Jeep’s computer systems but were also able to control the car. They did this by accessing the car’s CAN bus through a firmware update vulnerability. They were able to make the car speed up, slow down or turn off the road into a ditch, all beyond the control of the driver.

The IoT Botnet That Broke the Internet

In 2016, the world’s largest distributed denial of service (DDoS) attack ever was launched on a service provider called Dyn using an IoT botnet built with malware called Mirai. The Mirai botnet infected PCs, dragooning them into service to hunt for vulnerable IoT devices. Once they found one, they used known default usernames and passwords to log in and infect it with malware. A large number of these devices were cameras. When the DDoS attack happened, it brought down major sites like Netflix, Reddit and CNN.

The Aquarium IoT Security Flaw That Exposed a Casino

The first large-scale and flashy IoT attack came back in 2017 when attackers gained access to a casino’s network via a connected thermometer in a fish tank in the lobby. From there, the attackers gained access to a ‘high-roller’ database. Although the specifics have been kept confidential, reports reveal that attackers took some 10 GB of data to a device in Finland.

Each of these examples shows a very different outcome from a lack of IoT security. The first shows how controlling the IoT devices themselves can cause harm. (This is a special risk with medical devices.) The second shows how attackers can harness IoT devices in large numbers to perform DDoS attacks, and all in an automated way. And the third example — the one of greatest concern to enterprises — is how a single device can serve as a doorway to the company network.

How to Include IoT Security From the Beginning

IoT security solutions are not something you slap on after the fact. Build your IoT infrastructure securely from the ground up. Here are some ways to do so:

  • Choose the right products. Buying secure IoT devices takes some research because the industry still lacks standards and universal certifications. Seek out trustworthy vendors with stellar reputations on security.
  • Avoid needless capabilities and features. If you don’t need USB ports, for example, avoid them. Any function that could provide access to the device, but which you won’t need, should be avoided.
  • Isolate your IoT devices on the network to the greatest extent possible. Consider the use of Wi-Fi networks for only IoT devices. Use perimeter network firewalls. Put up as many roadblocks as possible for would-be attackers.
  • Make sure tampering is difficult and will be detected with alerts.
  • Like the restaurant business, location is everything with IoT security. You may install some IoT devices inside and surround them with physical security; you may place others out in the open where the public has access (and everything in between).
  • Make sure you keep IoT device IDs and their authentication keys physically safe.
  • Make sure you have a clear update schedule and update when new patches are available.
  • Audit devices on a schedule — and after an incident — for security status.
  • Use a centralized approach to give you visibility into all network devices.
  • Always change factory-default passwords and replace them with strong passwords. Or, better yet, embrace Public Key Infrastructure security instead.
  • Use endpoint and network detection tools.
  • Use encryption or digital certificates to keep data streaming from IoT devices secure.
  • Make sure you develop sound cyber security policies around IoT — and enforce them.
  • Document your policies and procedures for what to do in the event of a cyber attack.
  • Use intrusion detection systems and intrusion prevention systems.
  • Include your IoT infrastructure in vulnerability scans, penetration tests and red team exercises.
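Several of the items above (isolation on a dedicated network segment, no factory-default passwords, a clear update schedule, encrypted data streams, no needless services, preferring PKI over passwords, auditing on a schedule) can be turned into a repeatable inventory check. The script below is an added example, not code from the article; the segment name, the 90-day patch threshold and the three-device inventory are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date

IOT_VLAN = "iot-segment"       # assumption: name of the dedicated IoT network segment
MAX_FIRMWARE_AGE_DAYS = 90     # assumption: threshold derived from the update schedule
AUDIT_DATE = date(2023, 10, 1)  # constructed audit date for the sample run

@dataclass
class IoTDevice:
    device_id: str
    vlan: str                  # network segment the device sits on
    firmware_date: date        # release date of the installed firmware
    default_creds: bool        # factory-default username/password still active
    auth: str                  # "password" or "pki"
    encrypted_transport: bool  # TLS / certificate-protected data stream
    open_services: tuple       # services enabled that the device's function does not need

def audit_device(dev: IoTDevice, today: date) -> list:
    """Return (severity, finding) pairs for one device; an empty list means compliant."""
    findings = []
    if dev.default_creds:
        findings.append(("high", "factory-default credentials still enabled"))
    if dev.vlan != IOT_VLAN:
        findings.append(("high", f"not isolated: on {dev.vlan!r}, expected {IOT_VLAN!r}"))
    if not dev.encrypted_transport:
        findings.append(("high", "data stream is not encrypted"))
    age = (today - dev.firmware_date).days
    if age > MAX_FIRMWARE_AGE_DAYS:
        findings.append(("medium", f"firmware is {age} days old, past the update schedule"))
    if dev.open_services:
        findings.append(("medium", "needless services enabled: " + ", ".join(dev.open_services)))
    if dev.auth != "pki":
        findings.append(("low", "password authentication; prefer certificate (PKI) authentication"))
    return findings

def audit_inventory(devices, today: date) -> dict:
    """Map device_id -> findings for every device that fails at least one check."""
    return {d.device_id: f for d in devices if (f := audit_device(d, today))}

# Constructed sample inventory; these are not real devices.
SAMPLE_DEVICES = [
    IoTDevice("lobby-thermometer-01", "corp-lan", date(2023, 1, 10), True, "password", False, ("telnet", "upnp")),
    IoTDevice("dock-camera-07", "iot-segment", date(2023, 9, 1), False, "pki", True, ()),
    IoTDevice("fleet-gps-12", "iot-segment", date(2023, 5, 20), False, "password", True, ()),
]

if __name__ == "__main__":
    for dev_id, findings in audit_inventory(SAMPLE_DEVICES, AUDIT_DATE).items():
        for severity, message in findings:
            print(f"{dev_id}: [{severity}] {message}")
```

Feeding the script a real inventory export on the audit schedule gives a per-device list of which checklist items are still open, so the audit itself becomes a routine rather than an afterthought.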

IoT security is a craft and an art. But most of all, it’s about covering all the bases and using the best tools and practices available to us to limit the capability and access of each device to its intended function.
