The internet of things (IoT) is expanding — rapidly. Research from IoT Analytics puts the number of connected IoT devices at over 7 billion as enterprises look to expand their reach, drive better data collection and improve strategic decision-making. But speedy uptake is creating new IoT security concerns, from inherent flaws that put data at risk to the “weaponization” of connected devices. And these risks don’t discriminate: Enterprises just getting started with IoT adoption, looking to expand their current network or looking to get ahead of the curve on connected devices all face similar challenges in managing, monitoring and securing IoT environments.

While it’s easy to find gloom-and-doom think pieces on the worrisome state of IoT evolution, it’s harder to track down actionable information on what’s really at stake, who bears responsibility and how companies can embrace end-to-end IoT defense. If you need a solid starting point, continue reading for a practical, purposeful primer on enterprise IoT security.

Unpacking the Internet of Things

Search for “IoT threats” and you’ll find hundreds of the-sky-is-falling security blogs that expound on the pervasive nature of connected device risks. The problem is that most skip the ground floor: What is the internet of things? How does it work? Why does it matter?

At its most basic, the internet of things is “the concept of connecting any device to the internet and to other connected devices.” An IoT platform is then used to collect and manage data from multiple device sensors and deliver business insight.

Typically, IoT devices are limited in scope and functionality: A connected camera is an IoT device because it performs a single function, while a smartphone isn’t — but could be used to power an IoT platform. By aggregating billions of data points in real time across previously inaccessible environments, organizations stand to gain the strategic upper hand when it comes to uncovering key trends, identifying potential problems and enhancing brand value.

There’s massive potential in IoT networks: As noted by Forbes, more than 70 percent of executives say the IoT already delivers increased revenue, and 94 percent expect it to boost profits by 5–15 percent over the next year.

IoT Security — A Tale of Speed and Scale

Cyberattackers aren’t interested in hard-fought battles to compromise corporate networks. This is why phishing attacks are still one of the most prevalent — and profitable — threat vectors. Users remain weak points in enterprise security, making them easy targets for threat actors.

The emerging narrative of IoT security, meanwhile, is shaped by two key forces: speed and scale. As noted by Internet of Business, the rush to deliver market-ready IoT devices means that security is often skipped in favor of functionality, opening the door for botnet and distributed denial-of-service (DDoS)-type attacks that leverage connected (and unprotected) devices. Both device makers and users contribute to this concerning security landscape: As the IoB piece pointed out, just 28 percent of organizations say IoT-specific security strategies are “very important” despite plans to adopt these devices in greater numbers.

The scale of IoT network interaction is also problematic for security. Beyond the traditional requirements of confidentiality, integrity and availability, effectively securing IoT devices demands real-time authentication and authorization. As a result, expanding IoT networks quickly ramp up security complexity, providing opportunities for threat actors to carry out physical attacks such as man-in-the-middle (MitM), network attacks such as spoofing or cloning, software attacks that leverage stolen access credentials, or encryption attacks that target key algorithm implementation.

BYOD 2.0?

While it’s tempting to see IoT security as a unique corporate challenge, it bears striking similarities to another recent IT issue: bring-your-own-device (BYOD). Just like mobile devices leveraging the corporate network, IoT technologies often arrive without corporate vetting or IT oversight. Combined with rapidly improving technical capabilities such as data transfer and interdevice communication, IoT components and their mobile counterparts bear similar risks.

The critical difference is that IoT devices earn their BYOD 2.0 moniker because they’re often hidden in plain sight, either embedded in larger products or flying under the radar as one-off data collecting tools. Recent survey data shows that 48 percent of enterprises can’t detect all connected devices on their network, which creates a paradox: They must protect what they can’t see, even though they’re not sure how to find or secure devices at scale. As a result, just like first-generation BYOD deployments, companies are trying — but often failing — to secure critical IoT networks.

Risk: It’s Your Business

The state of IoT security is constantly evolving, but there’s enough data available to articulate five indisputable facts:

  1. As data accumulates, exposures will increase.
  2. Weak IoT configurations will persist.
  3. Shared secrets won’t stay secret.
  4. Software security will degrade over time.
  5. Devices will operate in both safe and hostile environments.

What does this mean for enterprises looking to safeguard devices and data? That managing risk is now everyone’s business. It starts with device manufacturers and developers building hardware- and software-level security controls by design to reduce potential compromise. Security firmware and software that’s nonexistent (or can’t be updated) is no longer an option.

End users also bear responsibility for sensible operation of IoT devices, which includes controlling access to sensitive data and ensuring account details remain secure. IT administrators, integrators and C-suite executives, meanwhile, must deploy intelligent solutions capable of defending endpoints at scale.

Take a Multilayered Management Approach

There’s no easy fix for end-to-end IoT security. The sheer number of devices, scope of complexity, and speed of adoption make it difficult for companies to keep pace with emerging threats, let alone get ahead of potential issues. As noted above, IoT risk is now a shared corporate responsibility, but making the leap from conceptual recognition to in-practice efficacy means adopting a new approach: multilayered management.

This requires three key components:

  1. Better blueprints — Design matters. IoT devices with firmware that can’t be updated or default username/password combinations that can’t be changed are inherently unsafe. By designing IoT technologies and networks around the concept of security — rather than attempting to build it in after the fact — enterprises can establish a security-first IoT framework.
  2. Ongoing integration — IoT devices are at their most vulnerable when they’re beyond IT and user oversight. As a result, companies must prioritize device interoperability, employee education and IoT security integration across existing infosec management programs to maximize visibility.
  3. Proactive protection — The evolving nature of IoT environments demands a proactive approach to device design and security. By anticipating future needs, such as granular data analysis and real-time event tracking, enterprises can drive enhanced IoT value.

Forging a 5G Future

It’s also worth noting the increasing impact of 5G communications on IoT security. While businesses shouldn’t expect widespread 5G rollouts yet, ZDNet noted the benefits of this standard in handling massive data volumes at high transaction rates to significantly boost IoT value. The caveat is that this means more data in transit for attackers to compromise, along with increased traffic bandwidth for IoT-based DDoS attacks. Similar to the IoT itself, 5G is equal parts promising and problematic.

The IoT Takeaway

Just like the internet of things, IoT security is rapidly evolving. Speed and scale conspire to increase attacker efficacy, and safeguarding critical enterprise assets requires a cultural responsibility shift combined with better design, deployment and defensive capabilities.
