To best understand IoT cybersecurity is to first understand what IoT is all about. Internet of things (IoT) are objects with software, sensors, processing ability, and other technologies that connect and exchange data with systems and other devices over communications networks or the internet. And, as more businesses are adopting IoT devices, cybersecurity has never been more important to protect these devices and prevent data breaches.
Let’s take a closer at why IoT cybersecurity is so important in today’s digital age.
Why is IoT cybersecurity important?
IoT cybersecurity is key in the current cloud landscape due to people’s love of smart devices. The only problem is cybercriminals love them more. The major issue with IoT, operational technology (OT) and industrial control system (ICS) devices is that they make it possible for threat actors to conduct cyberattacks.
Cybersecurity experts highlight how IoT devices increase the attack surface that cybercriminals are able to exploit. But securing IoT devices is difficult for a variety of reasons. Here are the top two:
- As innovators and manufacturers keep up with the demand for new products, cybersecurity is often given a lower priority. This needs to change.
- Organisations are unaware of the vulnerabilities that IoT presents and are more concerned with the convenience that IoT provides and the short-term savings it can offer. Budgets need to be adjusted to adequately secure IoT devices.
Breaking down the IoT data
According to Statista, the number of IoT devices worldwide is forecast to top more than 29 billion by 2030. This jaw dropping figure only underlines the importance of bolstering IoT cybersecurity within your business and ensuring that your devices and assets are protected at all times.
Meanwhile, Gartner expects more than 15 billion IoT devices will connect to the enterprise infrastructure by 2029. The research and consulting firm predicts that IoT devices will be used in more than 25% of enterprise attacks. Corporate, guest, trusted and untrusted devices all pose a risk to the enterprise if business leaders do not properly coordinate when and how they will be connected.
The solution: It is not uncommon for IT organisations to find IoT devices on their networks that they did not install, secure or manage themselves. These are the devices that can be hacked in as little as three minutes, with breaches taking six months or more to discover. By segmenting or isolating devices, Gartner states that enterprises will be less vulnerable to cyberattacks. In fact, through 2023, enterprises that do so will experience 25% fewer successful cyberattacks.
What are the different types of IoT security?
IoT security solutions can be implemented by manufactures and/or device customers. The three main types of IoT security include network security, embedded security and firmware security.
How can an IoT attack occur?
An IoT attack can occur in a variety of ways. The easiest way to pinpoint them is through the Open Web Application Security Project (OWASP) which has published a detailed draught list of areas in IoT applications and systems where vulnerabilities and threats may exist. Let’s take a closer look at IoT attack surface areas:
Devices
Devices are the main means of launching attacks. Firmware, physical interface, memory, web interface, and network services are all areas where vulnerabilities can be found. Malicious actors can also exploit insecure default settings, insecure update mechanisms, obsolete components and more.
Channels of communication
IoT device attacks often originate in the communication channels that connect IoT components. The protocols used in IoT systems tend to have security flaws which can have a knock-on effect on the entire system. IoT systems are also vulnerable to network attacks such as spoofing and DoS.
Software and applications
Vulnerabilities in web applications and software related to IoT devices can compromise systems. For example, web applications can be used to distribute malicious firmware updates or steal user credentials.
Some common IoT threats
IoT cybersecurity vulnerabilities are evident in a wide range of software and web applications. This only goes to underline the importance of superior IoT cybersecurity measures. With that in mind, let’s take a closer look at some of the most common IoT threats:
IoT botnets
Malicious botnet actors find IoT devices an easy target due to the sheer quantity of devices that can be consigned to a botnet used to target an organisation. IoT devices also have weak security configurations. A hacker can infect an IoT device with malware through phishing scams or an unprotected port and co-opt it into an IoT botnet used to initiate cyberattacks.
DNS threats
IoT device connections tend to rely on the DNS decentralized naming system, which can have trouble handling thousands of devices. Malicious actors use vulnerabilities in DNS tunnelling and DDoS attacks to introduce malware or to steal data.
IoT ransomware
IoT ransomware attacks are on the rise. Malicious actors can infect devices with malware to turn them into botnets that search for valid credentials in device firmware or probe access points to enter a network. Once network access has been obtained through an IoT device, hackers can exfiltrate data to the cloud and demand a ransom for its release.
IoT physical security
Malicious actors can steal IoT devices, access ports and inner circuits to break into the network. IT administrators should only allow authorised and authenticated device access and only deploy authenticated devices.
Shadow IoT
Shadow IoT is when unknown devices connect to a network, which creates the IoT cybersecurity threat. Devices that have their own IP address – such as digital assistants, fitness trackers or wireless printers – can help improve business processes but don’t always meet an organisation’s security standards. Always ensure that devices meet cybersecurity standards.
Examples of IoT attacks
Unfortunately, IoT attacks are becoming more and more common and there are a number of ways breaches can affect your business. Hacker’s methods are becoming more sophisticated and the rewards they can reap from their attacks are increasing, just look at the cost of data breaches. Let’s take a look at the top IoT attacks of recent years:
Mirai
The Mirai malware searches the internet for IoT devices that use the ARC processor. This central processing unit runs a simplified version of the Linux operating system. Mirai infects a device if the default username and password has not been changed.
Stuxnet
Stuxnet is a computer worm devised to detect specific nuclear machinery. Stuxnet’s aim is to cause software damage as opposed to infiltrating systems. Stuxnet was first discovered in 2010 when five Iranian companies involved in industrial automation became victims. Stuxnet is thought to have been devised by the US and Israel to target Iran’s nuclear program.
Tasmanian casino attack
Tasmanian casino operator Federal Group was the subject of a cyberattack in 2021when their hotel booking systems and pokies/slot machines began to malfunction. Millions of customers data was affected during the ransomware attack, and it is still not known whether the group paid a ransom to the attackers.
Jeep attack
Security researchers Charlie Miller and Chris Valasek managed to hack a Jeep while it was driving along a highway at 70 mph. They managed to hack its engine, entertainment system, and even the brakes. The scary thing is the pair managed to hack into the Jeep’s control panel from the comfort of their very own home.
Medical device attack
In March 2019, Medtronic revealed a serious security issue in some of its implantable devices. The Department of Homeland Security also identified a “major cybersecurity hole” in one of the firm’s cardiac devices. Due to the possibility of attack, the FDA recalled 465,000 implantable pacemakers manufactured by St. Jude Medical, another medical operator affected by an attack. Patients who had the implants received a software upgrade instead of having them removed.
Most common IoT cybersecurity vulnerabilities
There are a number of IoT cybersecurity vulnerabilities to look out for. Once you are familiar with what they are, the easier it will become to improve your cybersecurity measures. Let’s take a closer look:
Weak passwords
Weak passwords always pose a security threat. Before connecting an IoT device to a network, ensure that the device is secured, and the password is strong.
Insecure networks
Secure networks by installing and monitoring firewall performance, filter and delete spam emails, adopt the use of a VPN, encrypt files, and lean on advanced endpoint detection.
Insecure ecosystem interfaces
Always make sure that you are using secure web or mobile interfaces, secure backend API, and a secure overall ecosystem outside of the device.
Insecure or outdated components
Remove unused dependencies, unnecessary features, files, outdated components and documentation. Updating software and versions goes a long way to improving cybersecurity measures and narrowing your attack surface.
Insecure data transfer & storage
Never store or transfer data unless it is absolutely necessary. Always encrypt your data and implement the least privilege access model which ensures employees only have the privileges they need to carry out their tasks.
A lack of physical hardening
The absence of surveillance could allow malicious actors to access IoT devices. IoT devices will become vulnerable once they lack the necessary built-in security to counter cybersecurity threats.
IoT cybersecurity improvement act 2020
Although the IoT cybersecurity improvement act is only relevant to the federal government, the principles can be applied to many organisations around the world to help improve their cybersecurity measures. The act was enacted in 2020 to establish minimum security standards for IoT devices owned and controlled by the federal government. This law gives authority to the CIO to prohibit the head of any agency from “procuring or obtaining, renewing a contract to procure or obtain, or using an IoT device” if they find through a mandatory review process that the use of the device prevents compliance with NIST standards and guidelines. Read up on the NIST cybersecurity framework to find out more.
IoT cybersecurity services by RiskXchange
RiskXchange offers a whole host of IoT cybersecurity services to ensure that your organisation is safe and secure at all times. Cybersecurity is a company-wide initiative, and our cybersecurity consulting service ensures that your organisation has the right practices, procedures, and tools to protect your data.
Improve website security using a data-driven, quantitative risk-rating platform so you can respond better to cyber threats. The RiskXchange platform can help your company better protect your website data and ensure you are following best practices in cybersecurity.
Our platform can audit your systems, compare them against compliance requirements, and help you create a cybersecurity roadmap that will improve your cybersecurity defences.
RiskXchange is a leading information security technology company that helps companies of all sizes anywhere in the world fight the threat of cyberattacks. RiskXchange was founded and is led by recognised experts within the cybersecurity industry, who have held leading roles within companies such as IBM Security.
Get in touch with RiskXchange to find out everything you need to know about IoT cybersecurity.