The Internet of Things (IoT) is a powerful boon to business. But it also represents a massive expansion of the potential cybersecurity attack surface. So far, IoT adoption in many organizations has been haphazard and poorly planned. This needs to change. After all, IT security depends on IoT security.

Why IoT Security Is Important

The IoT brings myriad benefits, including reducing costs, improving efficiency, improving safety, enhancing customer service and more.

IoT makes dumb, disconnected devices smart and connected, from thermostats to coffee makers. It adds sensors for tracking trucks, warehouses and shipments, and connected monitoring for critical infrastructure. And, of course, it makes new business models possible. IoT systems are also what make a "smart building" smart.

By nature, IoT devices connect to the internet. And, by nature, IoT security issues arise when a threat actor or bot accesses those devices, or intercepts or disrupts their connection to the network.

Anything connected to the internet or to business networks could be a back door into that network. Set aside the limited processing power of these devices and focus only on the fact of connectivity: IoT can multiply the number of devices connected to the network many times over, which is to say, it multiplies the attack surface.

The function of most IoT devices is to capture data of some kind and transmit it somewhere. This grows the amount of data flying around, stored and processed, which further creates potential risk.

To many, the addition of all those tiny, low-powered devices may seem like a small matter. But to security staff, they represent a massive increase in the attack surface, data to be managed, data streaming across networks and potential physical targets for attack.

IoT security is about both the device itself, including protection against physical tampering and attacks on its firmware, and the protection of the networks, systems, applications and data to which a compromised device could provide a doorway.

Notable IoT Attacks

You might be thinking about IoT security while planning for a new range of warehouse sensors, installing tracking on the company fleet or adding a new video monitoring system. In cases like this, it can be difficult to imagine how these tiny sensors might lead to a cyber attack. So it helps to look back at three that really happened.

The Attack That Took Over a Jeep

In 2015, a team of researchers managed not only to gain access to a Jeep's computer systems but also to control the car. They did this by exploiting the vehicle's internet-connected infotainment system and pushing modified firmware to the chip that bridges it to the CAN bus, the network the car's controllers use to talk to each other. From there they could cut the transmission, disable the brakes and turn the wheel at low speed, enough to send the car off the road into a ditch, all beyond the control of the driver.

The IoT Botnet That Broke the Internet

In 2016, one of the largest distributed denial of service (DDoS) attacks seen up to that time was launched against the DNS provider Dyn using an IoT botnet built with malware called Mirai. Mirai did not infect PCs: each infected IoT device scanned the internet for other vulnerable devices, mostly over Telnet, logged in with a short list of known factory-default usernames and passwords, and installed the malware there as well. A large number of these devices were IP cameras and DVRs. When the DDoS attack hit, it made major sites such as Netflix, Reddit and CNN unreachable for many users.
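The propagation pattern just described, one source trying factory-default logins against many devices in quick succession, is something a defender can detect. The Python below is an added example, not code from the original article or from any product. It assumes a Telnet honeypot or inline sensor that records attempted credentials in the constructed `src= dst= user= pass= result=` line format shown; the log lines themselves are constructed for this example, and the credential list is a handful of the pairs from the published Mirai source.

```python
"""Detect Mirai-style default-credential sweeps in Telnet login logs.

Added example. The log format below is an assumption: a honeypot or
inline sensor that records each attempted login as
``<iso-timestamp> src=<ip> dst=<ip> user=<u> pass=<p> result=<ok|fail>``.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# A few of the factory credential pairs tried by the published Mirai source.
DEFAULT_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "default"),
    ("admin", "1234"), ("root", "root"), ("admin", "password"),
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<result>ok|fail)$"
)

# Constructed sample log: one host sweeping five devices with default
# credentials, one legitimate operator login, one isolated default attempt.
SAMPLE_LOG = """\
2016-10-21T11:00:01 src=203.0.113.7 dst=192.0.2.10 user=root pass=xc3511 result=fail
2016-10-21T11:00:02 src=203.0.113.7 dst=192.0.2.11 user=root pass=vizxv result=fail
2016-10-21T11:00:03 src=203.0.113.7 dst=192.0.2.12 user=admin pass=admin result=ok
2016-10-21T11:00:04 src=203.0.113.7 dst=192.0.2.13 user=root pass=admin result=fail
2016-10-21T11:00:05 src=203.0.113.7 dst=192.0.2.14 user=root pass=888888 result=fail
2016-10-21T11:00:09 src=198.51.100.5 dst=192.0.2.20 user=ops pass=S3cret!Value result=ok
2016-10-21T11:00:10 src=198.51.100.5 dst=192.0.2.20 user=ops pass=wrongpw result=fail
2016-10-21T11:00:30 src=203.0.113.9 dst=192.0.2.30 user=admin pass=1234 result=fail
"""


def parse(log_text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        events.append(d)
    return events


def find_sweeps(events, min_targets=3, window=timedelta(minutes=5)):
    """Return {src: sorted targets} for sources that tried a factory-default
    credential against at least `min_targets` distinct devices inside `window`.
    A single default-credential attempt is noise; many targets in a short
    window is the scanner behaviour of a bot looking for new victims."""
    per_src = defaultdict(list)
    for e in events:
        if (e["user"], e["pw"]) in DEFAULT_CREDS:
            per_src[e["src"]].append(e)

    sweeps = {}
    for src, evs in per_src.items():
        evs.sort(key=lambda e: e["ts"])
        lo = 0
        for hi in range(len(evs)):          # sliding time window
            while evs[hi]["ts"] - evs[lo]["ts"] > window:
                lo += 1
            if len({e["dst"] for e in evs[lo:hi + 1]}) >= min_targets:
                sweeps[src] = sorted({e["dst"] for e in evs})
                break
    return sweeps


def find_default_logins(events):
    """Devices that accepted a factory-default credential: they are still on
    defaults and, if the source is a sweeper, are probably now bots."""
    return sorted({e["dst"] for e in events
                   if e["result"] == "ok" and (e["user"], e["pw"]) in DEFAULT_CREDS})


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("sweeping sources:", find_sweeps(evs))
    print("devices that accepted a default login:", find_default_logins(evs))
```

Tune `min_targets` and `window` to the size of the monitored segment; the second function is the one that matters for cleanup, since each device it names needs its password changed and its firmware checked before it is trusted again.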

The Aquarium IoT Security Flaw That Exposed a Casino

One of the most widely reported IoT breaches came in 2017, when attackers gained access to a casino's network via a connected thermometer in a fish tank in the lobby. From there, the attackers reached a 'high-roller' database. Although the specifics have been kept confidential, reports say the attackers sent some 10 GB of data to a device in Finland.

Each of these examples shows a different outcome from a lack of IoT security. The first shows how taking control of the IoT device itself can cause physical harm. (This is a special risk with medical devices.) The second shows how attackers can harness IoT devices in large numbers, fully automatically, to perform DDoS attacks. And the third, the one of greatest concern to enterprises, shows how a single device can serve as a doorway to the company network.

How to Include IoT Security From the Beginning

IoT security solutions are not something you slap on after the fact. Build your IoT infrastructure securely from the ground up. Here are some ways to do so:

  • Choose the right products. Buying secure IoT devices takes some research because the industry still lacks standards and universal certifications. Seek out trustworthy vendors with stellar reputations on security.
  • Avoid needless capabilities and features. If you don't need USB ports, debug interfaces or a web management console, for example, choose devices without them or disable them. Any function that could provide access to the device but that you won't use is attack surface to remove.
  • Isolate your IoT devices on the network to the greatest extent possible. Put them on dedicated network segments (a separate VLAN, or a Wi-Fi network used only by IoT devices) and filter traffic between those segments and the rest of the network with firewalls, so that a device can reach only the systems it actually needs. Put up as many roadblocks as possible for would-be attackers.
  • Make sure tampering is difficult and will be detected with alerts.
  • Like the restaurant business, location is everything with IoT security. Some devices you install inside and surround with physical security; others sit out in the open where the public has access (and everything in between). Assume a publicly reachable device can be physically tampered with, and plan its trust level accordingly.
  • Keep IoT device IDs and their authentication keys safe, physically and logically: ideally in tamper-resistant hardware on the device and in a hardware security module or secrets vault on the back end.
  • Make sure you have a clear update schedule and update when new patches are available.
  • Audit devices on a schedule — and after an incident — for security status.
  • Maintain a centralized inventory that gives you visibility into every device on the network; you cannot patch, isolate or audit a device you don't know about.
  • Always change factory-default passwords and replace them with strong, unique passwords. Or, better yet, use certificate-based (public key infrastructure, PKI) authentication instead of passwords.
  • Use endpoint and network detection tools.
  • Use encryption (for example, TLS with per-device certificates) to keep data streaming from IoT devices confidential and authenticated in transit.
  • Make sure you develop sound cyber security policies around IoT — and enforce them.
  • Document your policies and procedures for what to do in the event of a cyber attack.
  • Use intrusion detection systems (IDS) and intrusion prevention systems (IPS).
  • Include your IoT infrastructure in vulnerability scans, penetration tests and red team exercises.
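Network isolation and centralized visibility (the third and ninth points above) are only as good as the check that enforces them, and the casino breach described earlier is exactly the pattern such a check is meant to catch: a device in the IoT segment reaching into corporate systems or pushing a large volume of data to the internet. The Python below is an added example, not code from the original article or any product. The segment addressing, the allow-list of collector, resolver and NTP destinations, and the flow records are all constructed for illustration; in practice the flow records would come from NetFlow, firewall logs or a network sensor.

```python
"""Audit observed flows against an IoT segmentation policy.

Added example. Addressing, allow-list and flow records are constructed;
they stand in for a real inventory and NetFlow/firewall export.
"""
import ipaddress
from collections import defaultdict

IOT_DEVICES = ipaddress.ip_network("10.50.0.0/24")   # assumed IoT VLAN
CORP_SEGMENT = ipaddress.ip_network("10.10.0.0/16")  # assumed corporate network
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The only destinations an IoT device should ever talk to (assumed):
# an MQTT-over-TLS collector, a DNS resolver and an NTP source.
ALLOWED = {
    (ipaddress.ip_address("10.50.1.10"), 8883, "tcp"),
    (ipaddress.ip_address("10.50.1.53"), 53, "udp"),
    (ipaddress.ip_address("10.50.1.123"), 123, "udp"),
}

# Constructed flow records: (src, dst, dst_port, proto, bytes)
FLOWS = [
    ("10.50.0.21", "10.50.1.10", 8883, "tcp", 4_200),          # camera -> collector: fine
    ("10.50.0.21", "10.50.1.53", 53, "udp", 120),
    ("10.50.0.37", "10.10.4.15", 445, "tcp", 18_000),          # sensor -> corporate file server
    ("10.50.0.37", "10.50.1.10", 8883, "tcp", 900),
    ("10.50.0.42", "198.51.100.77", 443, "tcp", 10_000_000_000),  # thermostat -> internet, 10 GB
    ("10.10.3.8", "10.50.0.21", 80, "tcp", 3_000),              # laptop -> camera UI: not IoT-originated
    ("10.50.0.21", "10.50.1.10", 8883, "tcp", 5_100),
]


def classify(src, dst, port, proto):
    """Return None for flows not originating in the IoT segment, otherwise
    'allowed', 'lateral' (into the corporate network), 'egress' (to an
    address outside our internal ranges) or 'unexpected'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in IOT_DEVICES:
        return None
    if (d, port, proto) in ALLOWED:
        return "allowed"
    if d in CORP_SEGMENT:
        return "lateral"
    if not any(d in net for net in INTERNAL):
        return "egress"
    return "unexpected"


def audit(flows, egress_bytes_threshold=1_000_000_000):
    """Group policy violations by IoT device. Direct internet egress is a
    violation on its own; summed egress volume above the threshold is
    additionally reported as bulk-egress, the exfiltration signature."""
    findings = defaultdict(list)
    egress_bytes = defaultdict(int)
    for src, dst, port, proto, nbytes in flows:
        verdict = classify(src, dst, port, proto)
        if verdict in ("lateral", "egress", "unexpected"):
            findings[src].append((verdict, dst, port, proto))
        if verdict == "egress":
            egress_bytes[src] += nbytes
    for src, total in egress_bytes.items():
        if total >= egress_bytes_threshold:
            findings[src].append(("bulk-egress", total))
    return dict(findings)


if __name__ == "__main__":
    for device, items in audit(FLOWS).items():
        for item in items:
            print(device, *item)
```

The same allow-list should be what the firewall between the IoT VLAN and everything else enforces; running this audit over the flow export then tells you whether the firewall rules match the policy you think you deployed, and any "lateral" or "egress" hit is a device to pull from the network and examine.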

IoT security is a craft and an art. But most of all, it’s about covering all the bases and using the best tools and practices available to us to limit the capability and access of each device to its intended function.
