The Internet of Things (IoT) is a powerful boon to business. But it also represents a massive potential expansion of the cybersecurity attack surface. So far, IoT adoption in many organizations has been haphazard and poorly planned. This needs to change. After all, IT security depends on IoT security.

Why IoT Security Is Important

The IoT brings myriad benefits, including reducing costs, improving efficiency, improving safety, enhancing customer service and more.

IoT makes dumb, disconnected devices, including thermostats and coffee makers, smart and connected. It adds sensors for tracking things like trucking, warehouses and shipping, and connected monitoring for critical infrastructure. And, of course, it makes new business models possible. Together, these IoT systems make up the smart building concept.

By nature, IoT devices connect to the internet. And, by nature, IoT security issues arise when a threat actor or bot accesses those devices, or intercepts or disrupts their connection to the network.

Anything connected to the Internet or to business networks could be a back door into the connected network. If you ignore the processing power of devices and focus only on the fact of connectivity, the IoT increases the number of devices connected to the network tenfold — which is to say, increases the attack surface.

The function of most IoT devices is to capture data of some kind and transmit it somewhere. This grows the amount of data flying around, stored and processed, which further creates potential risk.

To many, the addition of all those tiny, low-powered devices may seem like a small matter. But to security staff, they represent a massive increase in the attack surface, data to be managed, data streaming across networks and potential physical targets for attack.

IoT security is both about the device itself — guarding against physical cyber attacks — and the protection of the networks, systems, applications, and data to which it could provide a doorway.

Notable IoT Attacks

You might be thinking about IoT security while planning for a new range of warehouse sensors, installing tracking on the company fleet or adding a new video monitoring system. In cases like this, it can be difficult to imagine how these tiny sensors might lead to a cyber attack. So it helps to look back at three that really happened.

The Attack That Took Over a Jeep

In 2015, a team of researchers not only gained access to a Jeep’s computer systems but were also able to control the car. They did this by accessing the car’s CAN bus through a firmware update vulnerability. They were able to make the car speed up, slow down or turn off the road into a ditch, all beyond the control of the driver.

The IoT Botnet That Broke the Internet

In 2016, the world’s largest distributed denial of service (DDoS) attack ever was launched on a service provider called Dyn by an IoT botnet built with malware called Mirai. The Mirai botnet infected PCs, dragooning them into service to hunt for vulnerable IoT devices. Once they found one, they used known default usernames and passwords to log in and infect it with malware. A large number of these devices were cameras. When the DDoS attack happened, it brought down major sites like Netflix, Reddit and CNN.

The Aquarium IoT Security Flaw That Exposed a Casino

The first large-scale and flashy IoT attack came back in 2017 when attackers gained access to a casino’s network via a connected thermometer in a fish tank in the lobby. From there, the attackers gained access to a ‘high-roller’ database. Although the specifics have been kept confidential, reports reveal that attackers took some 10 GB of data to a device in Finland.

Each of these examples shows a very different outcome from a lack of IoT security. The first shows how controlling the IoT devices themselves can cause harm. (This is a special risk with medical devices.) The second shows how attackers can harness IoT devices in large numbers to perform DDoS attacks, and all in an automated way. And the third example — the one of greatest concern to enterprises — is how a single device can serve as a doorway to the company network.

How to Include IoT Security From the Beginning

IoT security solutions are not something you slap on after the fact. Build your IoT infrastructure securely from the ground up. Here are some ways to do so:

  • Choose the right products. Buying secure IoT devices takes some research because the industry still lacks standards and universal certifications. Seek out trustworthy vendors with stellar reputations on security.
  • Avoid needless capabilities and features. If you don’t need USB ports, for example, avoid them. Any function that could provide access to the device, but which you won’t need, should be avoided.
  • Isolate your IoT devices on the network to the greatest extent possible. Consider the use of Wi-Fi networks for only IoT devices. Use perimeter network firewalls. Put up as many roadblocks as possible for would-be attackers.
  • Make sure tampering is difficult and will be detected with alerts.
  • As in the restaurant business, location is everything with IoT security. You may install some IoT devices inside and surround them with physical security; you may place others out in the open where the public has access (and everything in between).
  • Make sure you keep IoT device IDs and their authentication keys physically safe.
  • Make sure you have a clear update schedule and update when new patches are available.
  • Audit devices on a schedule — and after an incident — for security status.
  • Use a centralized approach to give you visibility into all network devices.
  • Always change factory-default passwords and replace them with strong passwords. Or, better yet, embrace Public Key Infrastructure security instead.
  • Use endpoint and network detection tools.
  • Use encryption or digital certificates to keep data streaming from IoT devices secure.
  • Make sure you develop sound cyber security policies around IoT — and enforce them.
  • Document your policies and procedures for what to do in the event of a cyber attack.
  • Use intrusion detection systems and intrusion protection systems.
  • Include your IoT infrastructure in vulnerability scans, penetration tests and red team exercises.
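
Several of these checks can be automated as a scheduled audit over a central device inventory. The following is an added example, not code from the original article; the inventory fields, the IoT subnet, the 90-day patch window and the sample devices are all assumptions constructed for illustration.

```python
import ipaddress
from datetime import date

# Assumed policy values for illustration; set these from your own standards.
IOT_SEGMENTS = [ipaddress.ip_network("10.50.0.0/16")]  # IoT-only network
MAX_PATCH_AGE_DAYS = 90
NEEDED_INTERFACES = {"ethernet", "wifi"}

# Constructed sample inventory (not real devices).
INVENTORY = [
    {"id": "cam-lobby-01", "mac": "02:00:00:00:00:01", "ip": "10.50.1.20",
     "default_password": True, "last_patched": "2023-01-15",
     "interfaces": ["ethernet"], "encrypted_transport": True},
    {"id": "tank-thermo-01", "mac": "02:00:00:00:00:02", "ip": "10.10.4.7",
     "default_password": False, "last_patched": "2024-02-01",
     "interfaces": ["wifi", "usb"], "encrypted_transport": False},
    {"id": "dock-sensor-07", "mac": "02:00:00:00:00:03", "ip": "10.50.2.31",
     "default_password": False, "last_patched": "2024-02-20",
     "interfaces": ["wifi"], "encrypted_transport": True},
]
# Constructed set of MAC addresses seen on the network by discovery tooling.
OBSERVED_MACS = {"02:00:00:00:00:01", "02:00:00:00:00:02",
                 "02:00:00:00:00:03", "02:00:00:00:00:99"}

def audit_device(dev, today):
    """Return the checklist items this device fails."""
    findings = []
    if dev["default_password"]:
        findings.append("factory-default password in use")
    if not any(ipaddress.ip_address(dev["ip"]) in net for net in IOT_SEGMENTS):
        findings.append("not on an IoT-only segment")
    age = (today - date.fromisoformat(dev["last_patched"])).days
    if age > MAX_PATCH_AGE_DAYS:
        findings.append(f"last patched {age} days ago")
    extra = sorted(set(dev["interfaces"]) - NEEDED_INTERFACES)
    if extra:
        findings.append("unneeded interfaces enabled: " + ", ".join(extra))
    if not dev["encrypted_transport"]:
        findings.append("data sent without encryption")
    return findings

def audit_fleet(inventory, observed_macs, today):
    """Audit every inventoried device and list MACs missing from inventory."""
    report = {d["id"]: audit_device(d, today) for d in inventory}
    unknown = sorted(observed_macs - {d["mac"] for d in inventory})
    return report, unknown

if __name__ == "__main__":
    print(audit_fleet(INVENTORY, OBSERVED_MACS, date(2024, 3, 1)))
```

Devices that appear on the network but not in the inventory are reported separately, since an unmanaged device cannot pass any of the other checks.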

IoT security is a craft and an art. But most of all, it’s about covering all the bases and using the best tools and practices available to us to limit the capability and access of each device to its intended function.
