Although the definition is ever-evolving due to the influx of new technologies and widespread convergence, in general, the internet of things (IoT) is a massive infrastructure comprising countless interrelated computing devices. We encounter the IoT in a myriad of forms as we go about our daily routine, from sensors and actuators to complex products such as smart vehicles. In fact, new industrial equipment added to the production environment is more and more IoT-enabled, connecting to cloud services and backend IT systems via the internet.

Like traditional IT systems, IoT deployments are susceptible to a host of cyberthreats, such as phishing campaigns, exploited vulnerabilities and ransomware attacks, to name a few. However, due to their interconnected nature, the impact of a compromised IoT device, depending on the use case, could be much more significant and farther-reaching. For example, while a disabled household appliance might be an inconvenience, a connected car under an attacker’s control could cause serious physical harm.

3 Common Barriers to Effective IoT Security

IoT security gaps arise from multiple areas. Let’s explore three of the most common challenges security teams face when protecting IoT deployments from sophisticated cyberthreats.

1. Device Life Cycle

Put simply, if your laptop or smartphone is 10 years old, it belongs in a museum — not connected to enterprise networks that house highly sensitive data. Vendors do not support such devices for that long, and outmoded devices quickly become incompatible with operating systems and applications employees need to perform their jobs.

For IoT devices, however, the life cycle is often much longer or even indeterminate. Organizations may not upgrade their equipment or update the software running on IoT systems with the same regularity, putting devices — and, ultimately, enterprise data or entire IoT infrastructure — at risk.

2. Vulnerability Management

For traditional devices, most organizations have processes firmly in place to regularly update operating systems and applications. There are widely followed security frameworks and best practices to help manufacturers and organizations detect, analyze and fix vulnerabilities. IoT products are governed by no such standards, which leads to vulnerabilities going undiscovered and unpatched for long periods of time — or even forever.

3. Security Controls

It’s easy to think of security measures such as multifactor authentication (MFA), closed operating systems and restricted applications as invasive, annoying and unnecessary, but they all reflect vital lessons learned from past security incidents. Because the IoT is still in its infancy, connected devices often lack these basic security measures. In many cases, these products were not designed to connect to the internet in the first place. The automobile, for example, evolved over many decades, starting long before the dawn of the internet.

How Can Businesses and Manufacturers Achieve IoT Security?

What, exactly, does it mean to secure the internet of things? Where do you start?

A good first step is to review recommendations and frameworks from cybersecurity authorities such as the National Institute of Standards and Technology (NIST) and the European Union Agency for Cybersecurity (ENISA). Keep in mind, however, that these frameworks were largely designed for classical IT, not IoT infrastructures, which vary widely depending on the use case and are rarely homogeneous in terms of security.

For example, some newer solutions might be able to support identity and access management (IAM), while others may not. During a product’s life cycle — even in the time it takes to perform a regular update — use cases are added and changed, which dramatically impacts risk. Data that is insignificant under one set of circumstances could lead to unacceptable levels of risk when set to automatically trigger decisions.

In classical IT, manufacturers typically support their products during operation or offer operation as a service integrated within the company’s security organization. Aftersales for IoT devices and infrastructure often involve maintenance, not functional operations or security. Ideally, a device operator should know that a) they are obligated to operate the device and b) the device has the ability to operate. In practice, however, it is often more complex, since different entities tend to design, produce, install, deliver and operate these devices. As you might imagine, it is difficult to unify all parties involved under the same IoT security strategy and ramp them all up to a similar level of maturity.

Given these challenges, the guiding principle for IoT security today is to adopt security by design and by default. Since different use cases call for vastly different strategies, this principle will not look the same across IoT deployments. But this much is clear: Now that IoT adoption is the norm across enterprises, it’s time for businesses, governing bodies and device manufacturers to come together and define the appropriate controls to satisfy the ever-increasing need for IoT security.
