November 13, 2019 By Arndt Kohler 3 min read

Although the definition is ever-evolving due to the influx of new technologies and widespread convergence, in general, the internet of things (IoT) is a massive infrastructure comprising countless interrelated computing devices. We encounter the IoT in a myriad of forms as we go about our daily routine, from sensors and actuators to complex products such as smart vehicles. In fact, new industrial equipment added to the production environment is more and more IoT-enabled, connecting to cloud services and backend IT systems via the internet.

Like traditional IT systems, IoT deployments are susceptible to a host of cyberthreats, such as phishing campaigns, exploited vulnerabilities and ransomware attacks, to name a few. However, due to their interconnected nature, the impact of a compromised IoT device, depending on the use case, could be much more significant and farther-reaching. For example, while a disabled household appliance might be an inconvenience, a connected car under an attacker’s control could cause serious physical harm.

3 Common Barriers to Effective IoT Security

IoT security gaps arise from multiple areas. Let’s explore three of the most common challenges security teams face when protecting IoT deployments from sophisticated cyberthreats.

1. Device Life Cycle

Put simply, if your laptop or smartphone is 10 years old, it belongs in a museum — not connected to enterprise networks that house highly sensitive data. Vendors do not support such devices for that long, and outmoded devices quickly become incompatible with operating systems and applications employees need to perform their jobs.

For IoT devices, however, the life cycle is often much longer or even indeterminate. Organizations may not upgrade their equipment or update the software running on IoT systems with the same regularity, putting devices — and, ultimately, enterprise data or entire IoT infrastructure — at risk.

2. Vulnerability Management

For traditional devices, most organizations have processes firmly in place to regularly update operating systems and applications. There are widely followed security frameworks and best practices to help manufacturers and organizations detect, analyze and fix vulnerabilities. IoT products are governed by no such standards, which leads to vulnerabilities going undiscovered and unpatched for long periods of time — or even forever.

3. Security Controls

It’s easy to think of security measures such as multifactor authentication (MFA), closed operating systems and restricted applications as invasive, annoying and unnecessary, but they all reflect vital lessons learned from past security incidents. Because the IoT is still in its infancy, connected devices often lack these basic security measures. In many cases, these products were not designed to connect to the internet in the first place. The automobile, for example, evolved over many decades, starting long before the dawn of the internet.

How Can Businesses and Manufacturers Achieve IoT Security?

What, exactly, does it mean to secure the internet of things? Where do you start?

A good first step is to review recommendations and frameworks from cybersecurity authorities such as the National Institute for Standards and Technology (NIST) and the European Union Agency for Cybersecurity (ENISA). Keep in mind, however, that these frameworks were largely designed for classical IT, not IoT infrastructures, which vary widely depending on the use case and are rarely homogeneous in terms of security.

For example, some newer solutions might be able to support identity and access management (IAM), while others may not. During a product’s life cycle — even in the time it takes to perform a regular update — uses cases are added and changed, which dramatically impacts risk. Data that is insignificant under one set of circumstances could lead to unacceptable levels of risk when set to automatically trigger decisions.

In classical IT, manufacturers typically support their products during operation or offer operation as a service integrated within the company’s security organization. Aftersales for IoT devices and infrastructure often involve maintenance, not functional operations or security. Ideally, a device operator should know that a) they are obligated to operate the device and b) the device has the ability to operate. In practice, however, it is often more complex, since different entities tend to design, produce, install, deliver and operate these devices. As you might imagine, it is difficult to unify all parties involved under the same IoT security strategy and ramp them all up to a similar level of maturity.

Given these challenges, the guiding principle for IoT security today is to adopt security by design and by default. Since different use cases call for vastly different strategies, this principle will not look the same across IoT deployments. But this much is clear: Now that IoT adoption is the norm across enterprises, it’s time for businesses, governing bodies and device manufacturers to come together and define the appropriate controls to satisfy the ever-increasing need for IoT security.

More from Endpoint

Unified endpoint management for purpose-based devices

4 min read - As purpose-built devices become increasingly common, the challenges associated with their unique management and security needs are becoming clear. What are purpose-built devices? Most fall under the category of rugged IoT devices typically used outside of an office environment and which often run on a different operating system than typical office devices. Examples include ruggedized tablets and smartphones, handheld scanners and kiosks. Many different industries are utilizing purpose-built devices, including travel and transportation, retail, warehouse and distribution, manufacturing (including automotive)…

Virtual credit card fraud: An old scam reinvented

3 min read - In today's rapidly evolving financial landscape, as banks continue to broaden their range of services and embrace innovative technologies, they find themselves at the forefront of a dual-edged sword. While these advancements promise greater convenience and accessibility for customers, they also inadvertently expose the financial industry to an ever-shifting spectrum of emerging fraud trends. This delicate balance between new offerings and security controls is a key part of the modern banking challenges. In this blog, we explore such an example.…

Endpoint security in the cloud: What you need to know

9 min read - Cloud security is a buzzword in the world of technology these days — but not without good reason. Endpoint security is now one of the major concerns for businesses across the world. With ever-increasing incidents of data thefts and security breaches, it has become essential for companies to use efficient endpoint security for all their endpoints to prevent any loss of data. Security breaches can lead to billions of dollars worth of loss, not to mention the negative press in…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today