Ready or not, the Internet of Things (IoT) is here. No longer just a buzz term, it’ll continue to grow at an unprecedented pace over the next few years.

IoT Security Is an Afterthought

History shows that most fast-growth technology solutions focus on solving business problems first; security is an afterthought. Web applications, which have grown dramatically to hundreds of millions in number over the last decade, still have major security problems, and cybercriminals continue to attack through this low-hanging fruit. Mobile apps, numbering around 4 million and counting, are still easily exploitable, leading to major losses from cyberattacks.

Unfortunately, IoT is following the same trend. Most IoT devices, apps and infrastructure were developed without security in mind and are likely to become targets of cybercriminals.

IoT Will Allow for Attacks We Can’t Even Imagine

To put it bluntly, IoT security concerns are critically serious. According to some security experts, major cyberattacks against IoT devices are looming. From connected cars to connected medical devices to smart buildings and cities, security implications are huge.

Bruce Schneier painted a very gloomy picture in a recent article. Schneier said that “the Internet of Things will allow for attacks we can’t even imagine” and noted that “the next president will probably be forced to deal with a large-scale internet disaster that kills multiple people.” He added that “today’s threats include hackers crashing airplanes by hacking into computer networks, and remotely disabling cars, either when they’re turned off and parked or while they’re speeding down the highway.”

This may be a dark view of the IoT, but many organizations fear the worst when it comes to their security. Business executives consistently cite security as a major barrier to adopting IoT technology.

IoT Threat Vectors

Today’s IoT software applications are entrusted to securely manage your organization’s health care, transportation and other critical functions without fail. However, IT and security executives must be aware of safety and security risks that connected products pose as they rapidly evolve from unintelligent point objects into fully autonomous, IoT-enabled smart devices. They must also understand that fundamental security protection begins with controls built into devices and applications, and takes the ecosystem in which those devices and applications operate into consideration.

At a very high level, a typical IoT framework consists of edge devices (sensors, adapters, beacons and the like), a gateway that communicates with these devices, and a back-end server in the cloud or on-premises. Each tier must be assessed separately, with its own security issues identified and addressed. Conduct a security penetration test, for example, to find out whether endpoint devices can be hijacked and exploited.

If devices need certificates to communicate, ask your device manufacturer or find a security certificate vendor to provide the solution. For the gateway and the back-end server, address application security issues, in addition to network security and data encryption, by performing security testing and fixing the vulnerabilities found. You should also harden binary code to protect your environment. An effective organizational security plan should incorporate basics such as network security protection and data encryption as well.

Securing IoT Infrastructure, Piece by Piece

Most companies lack the resources to protect every single aspect of the IoT infrastructure, so it’s important to prioritize the various assets based on exposure and liability issues. Fundamentally, it’s about risk management.

A medical device manufacturer, for example, might have various IoT initiatives that could include smart buildings with lighting and thermostat controls, security cameras, logistics automation and the actual products being sold to medical facilities. Clearly, from a liability perspective, it has to ensure the security of its medical device products that communicate with each other over the internet before it looks at other internal IoT projects. Similarly, automotive manufacturers would want to make sure their connected car infrastructure can operate securely between the consumer’s mobile device, the dealer’s software and the telematics system.

Governments across the globe need to start taking IoT security seriously and create standards for companies to follow. Some discussions have already begun; Director of National Intelligence James Clapper and NSA Director Mike Rogers testified before Congress last year, warning of these threats, Schneier noted.

Although organizations don’t always welcome new regulations, even minimal oversight opens doors and budgets for security teams. CEOs and boards of directors are more inclined to create budgets for compliance-related issues because they don’t have a choice. They may grow complacent if there is no regulatory standard with specific deadlines. Many companies naturally tend to wait until they get attacked, which is absolutely the wrong practice to follow.

Get Educated

As a security manager or executive, you have to start by educating yourself on the concepts of IoT, the various attack vectors and the solutions available to protect your infrastructure.
