Although the definition is ever-evolving due to the influx of new technologies and widespread convergence, in general, the internet of things (IoT) is a massive infrastructure comprising countless interrelated computing devices. We encounter the IoT in a myriad of forms as we go about our daily routine, from sensors and actuators to complex products such as smart vehicles. In fact, new industrial equipment added to the production environment is more and more IoT-enabled, connecting to cloud services and backend IT systems via the internet.

Like traditional IT systems, IoT deployments are susceptible to a host of cyberthreats, such as phishing campaigns, exploited vulnerabilities and ransomware attacks, to name a few. However, due to their interconnected nature, the impact of a compromised IoT device, depending on the use case, could be much more significant and farther-reaching. For example, while a disabled household appliance might be an inconvenience, a connected car under an attacker’s control could cause serious physical harm.

3 Common Barriers to Effective IoT Security

IoT security gaps arise from multiple areas. Let’s explore three of the most common challenges security teams face when protecting IoT deployments from sophisticated cyberthreats.

1. Device Life Cycle

Put simply, if your laptop or smartphone is 10 years old, it belongs in a museum — not connected to enterprise networks that house highly sensitive data. Vendors do not support such devices for that long, and outmoded devices quickly become incompatible with operating systems and applications employees need to perform their jobs.

For IoT devices, however, the life cycle is often much longer or even indeterminate. Organizations may not upgrade their equipment or update the software running on IoT systems with the same regularity, putting devices — and, ultimately, enterprise data or entire IoT infrastructure — at risk.

2. Vulnerability Management

For traditional devices, most organizations have processes firmly in place to regularly update operating systems and applications. There are widely followed security frameworks and best practices to help manufacturers and organizations detect, analyze and fix vulnerabilities. IoT products are governed by no such standards, which leads to vulnerabilities going undiscovered and unpatched for long periods of time — or even forever.

3. Security Controls

It’s easy to think of security measures such as multifactor authentication (MFA), closed operating systems and restricted applications as invasive, annoying and unnecessary, but they all reflect vital lessons learned from past security incidents. Because the IoT is still in its infancy, connected devices often lack these basic security measures. In many cases, these products were not designed to connect to the internet in the first place. The automobile, for example, evolved over many decades, starting long before the dawn of the internet.

How Can Businesses and Manufacturers Achieve IoT Security?

What, exactly, does it mean to secure the internet of things? Where do you start?

A good first step is to review recommendations and frameworks from cybersecurity authorities such as the National Institute of Standards and Technology (NIST) and the European Union Agency for Cybersecurity (ENISA). Keep in mind, however, that these frameworks were largely designed for classical IT, not IoT infrastructures, which vary widely depending on the use case and are rarely homogeneous in terms of security.

For example, some newer solutions might be able to support identity and access management (IAM), while others may not. During a product’s life cycle — even in the time it takes to perform a regular update — use cases are added and changed, which dramatically impacts risk. Data that is insignificant under one set of circumstances could lead to unacceptable levels of risk when set to automatically trigger decisions.

In classical IT, manufacturers typically support their products during operation or offer operation as a service integrated within the company’s security organization. Aftersales for IoT devices and infrastructure often involve maintenance, not functional operations or security. Ideally, a device operator should know that a) they are obligated to operate the device and b) the device has the ability to operate. In practice, however, it is often more complex, since different entities tend to design, produce, install, deliver and operate these devices. As you might imagine, it is difficult to unify all parties involved under the same IoT security strategy and ramp them all up to a similar level of maturity.

Given these challenges, the guiding principle for IoT security today is to adopt security by design and by default. Since different use cases call for vastly different strategies, this principle will not look the same across IoT deployments. But this much is clear: Now that IoT adoption is the norm across enterprises, it’s time for businesses, governing bodies and device manufacturers to come together and define the appropriate controls to satisfy the ever-increasing need for IoT security.
