September 1, 2016 By Mandeep Khera 3 min read

Ready or not, the Internet of Things (IoT) is here. No longer just a buzz term, it’ll continue to grow at an unprecedented pace over the next few years.

IoT Security Is an Afterthought

History shows that most fast-growth technology solutions focus on solving business problems first; security is an afterthought. Web applications, which have grown dramatically to hundreds of millions in number over the last decade, still have major security problems, and cybercriminals continue to attack through this low-hanging fruit. Mobile apps, numbering around 4 million and counting, are still easily exploitable, leading to major losses from cyberattacks.

Unfortunately, IoT is following the same trend. Most IoT devices, apps and infrastructure were developed without security in mind and are likely to become targets of cybercriminals.

IoT Will Allow for Attacks We Can’t Even Imagine

To put it bluntly, IoT security concerns are critically serious. According to some security experts, major cyberattacks against IoT devices are looming. From connected cars to connected medical devices to smart buildings and cities, security implications are huge.

Bruce Schneier painted a very gloomy picture in a recent article. Schneier said that “the Internet of Things will allow for attacks we can’t even imagine” and noted that “the next president will probably be forced to deal with a large-scale internet disaster that kills multiple people.” He added that “today’s threats include hackers crashing airplanes by hacking into computer networks, and remotely disabling cars, either when they’re turned off and parked or while they’re speeding down the highway.”

This may be a dark view of the IoT, but many organizations fear the worst when it comes to their security. Business executives consistently cite security as a major barrier to adopting IoT technology.

IoT Threat Vectors

Today’s IoT software applications are entrusted to securely manage your organization’s health care, transportation and other critical functions without fail. However, IT and security executives must be aware of safety and security risks that connected products pose as they rapidly evolve from unintelligent point objects into fully autonomous, IoT-enabled smart devices. They must also understand that fundamental security protection begins with controls built into devices and applications, and takes the ecosystem in which those devices and applications operate into consideration.

At a very high level, a typical IoT framework consists of edge devices (such as sensors, adapters, beacons, etc.), a gateway to communicate with these devices and a back-end server in the cloud or on-premises. You have to take each section separately and address security issues for each. Conduct a security penetration test, for example, to find out if endpoint devices can be hijacked and exploited.

If you need certificates for devices to communicate, ask your device manufacturer or find a security certificate vendor to provide the solution. For the gateway and the back-end server, make sure that besides the network security and data encryption issues, you address application security issues by performing security testing and fixing vulnerabilities. You should also harden binary code to protect your environment. An effective organizational security plan should incorporate basics such as network security protection and data encryption as well.
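As an added example (not code from the article or from IBM), the gateway side of the device-certificate advice above can be shown in Go: an in-memory device CA issues a client certificate to a sensor, and the gateway accepts only certificates that chain to that CA, are within their validity period and are marked for client authentication. It rejects a certificate signed by an unknown CA and an expired one. The CA names, device IDs and serial numbers are constructed for the example; in a real deployment the device CA key would live with the certificate vendor or in an HSM, not in process memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA builds a self-signed CA certificate in memory (constructed stand-in
// for the organisation's device CA; a real CA key is kept offline or in an HSM).
func newCA(name string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueDeviceCert signs a client-auth leaf certificate for one device.
func issueDeviceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, deviceID string, serial int64, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: deviceID},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// GatewayVerify is the check the gateway runs on a connecting device's
// certificate: chain to the device CA, valid dates, client-auth usage.
func GatewayVerify(deviceCA, presented *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(deviceCA)
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// Results holds the gateway's verdict (nil means accepted) for three devices.
type Results struct {
	Legit, Rogue, Expired error
}

// RunScenarios exercises the gateway check against an enrolled sensor, a
// sensor presenting a certificate from an unknown CA, and an expired one.
func RunScenarios() (Results, error) {
	deviceCA, deviceKey, err := newCA("Example Device CA", 1)
	if err != nil { return Results{}, err }
	rogueCA, rogueKey, err := newCA("Unknown CA", 2)
	if err != nil { return Results{}, err }
	year := time.Now().Add(365 * 24 * time.Hour)
	legit, err := issueDeviceCert(deviceCA, deviceKey, "sensor-0001", 100, year)
	if err != nil { return Results{}, err }
	rogue, err := issueDeviceCert(rogueCA, rogueKey, "sensor-0001", 101, year)
	if err != nil { return Results{}, err }
	expired, err := issueDeviceCert(deviceCA, deviceKey, "sensor-0002", 102, time.Now().Add(-time.Minute))
	if err != nil { return Results{}, err }
	return Results{
		Legit:   GatewayVerify(deviceCA, legit),
		Rogue:   GatewayVerify(deviceCA, rogue),
		Expired: GatewayVerify(deviceCA, expired),
	}, nil
}

func main() {
	r, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Println("enrolled sensor:", r.Legit)
	fmt.Println("unknown-CA sensor:", r.Rogue)
	fmt.Println("expired sensor:", r.Expired)
}
```

The point of pinning the gateway to a private device CA rather than the public trust store is that only certificates the organisation issued (or its certificate vendor issued on its behalf) are accepted; a device that was hijacked and re-keyed, or a look-alike device with a certificate from any other CA, fails the chain check before any application traffic is processed.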


Securing IoT Infrastructure, Piece by Piece

Most companies lack the resources to protect every single aspect of the IoT infrastructure, so it’s important to prioritize the various assets based on exposure and liability issues. Fundamentally, it’s about risk management.

A medical device manufacturer, for example, might have various IoT initiatives that could include smart buildings with lighting and thermostat controls, security cameras, logistics automation and actual products being sold to medical facilities. Clearly, from a liability perspective, it has to ensure the security of its medical device products that are communicating with each other over the internet before it looks at other internal IoT projects. Similarly, automotive manufacturers would want to make sure their connected car infrastructure can operate securely between the consumer’s mobile device, the dealer’s software and the telematics system.

Governments across the globe need to start taking IoT security seriously and create standards for companies to follow. Some discussions have already begun; Director of National Intelligence James Clapper and NSA Director Mike Rogers testified before Congress last year, warning of these threats, Schneier noted.

Although organizations don’t always welcome new regulations, minimal oversight opens doors and budgets for security teams. CEOs and boards of directors are more inclined to create budgets for compliance-related issues because they don’t have a choice. They might get complacent if there is no regulatory standard with specific deadlines. Many companies naturally tend to wait until they get attacked, which is absolutely the wrong practice to follow.

Get Educated

As a security manager and executive, you have to start by educating yourself on the concepts of IoT, various vulnerable vectors and the solutions available to protect your infrastructure.

Watch the on-demand webinar: Application Security and the Internet of Things
