Current threats and risks

Current threats pertaining to IoT can be divided into two categories: threats that leverage IoT devices and direct threats to the devices themselves.

As IoT devices become more established in enterprises, factories and organizations, there’s a growing fear that these devices will be leveraged to launch an attack on the organizations’ networks, with the aim of stealing information or money.

The main challenge is that an IoT device could be brought into the organization and connected to local networks without the knowledge of the IT department (this is sometimes known as “Shadow IoT”), thereby creating a breach. However, this internal IoT threat can be mitigated through means similar to what organizations use today, and eventually IoT security solutions will be fully integrated into IT security departments.

The second threat is to the IoT devices themselves. These devices are deployed on the streets, in people’s homes and in enterprises, often without supervision or monitoring. Being so exposed, they are vulnerable to cyberattacks. An infected IoT device can be utilized to mine cryptocurrencies, launch denial of service attacks, recruit other devices to a botnet, or even steal the video and audio information that the device is recording and interfere with its operation. When an IoT device is infected, it is overworked, leading to overall degradation in performance. This means that the device consumes excess power and bandwidth and disconnects and breaks more often, creating a substantial commercial impact on the IoT service provider.

Securing such devices is a much more complicated problem than securing enterprises from IoT threats. The complexity is because of the great diversity of IoT devices as well as their deployment in an enormous number of places. Additionally, it’s not always clear who is responsible for securing them, and—to add one more layer to the equation—traditional security mechanisms are insufficient.

Let’s take, for example, a smart city deployment. The municipality is the end client of the project, but the project is owned and maintained by an integrator who sells it to the municipality as a managed service. In this scenario, who is in charge of securing the device? And who should bear the cost? Moving beyond the responsibility question, providing security for devices by adopting traditional security mechanisms isn’t practical. It would require deploying multiple firewalls and network monitoring equipment, which is much more expensive than the IoT devices themselves.

Mitigation

The mitigation of IoT threats must happen on several levels. On the device itself, information must be collected to allow real-time monitoring. In some cases, automatic mitigation—wherein the device is blocked from searching for other devices and trying to infect them—needs to be put into place as well.  An additional layer of security should reside in the cloud, with big data analytics and machine learning algorithms looking for anomalies that indicate infection, account hijacks and malicious use by insiders. A centralized security operations center should be put in place to monitor all these activities and intervene in the case of a severe alert. This is crucial because most companies today don’t have the necessary manpower to manage their cybersecurity operations, and it is highly unlikely that they will be able to manage the IoT security side with such limited personnel. Moreover, IoT security is novel and unique and requires a skill set that touches upon hardware, software, cloud and analytics—a comprehensive expertise which can be very hard to find in one security person. Just as with IT security, the option of using an outsourced, managed security service is probably preferable for most companies and IoT service providers.   

Summary

With great power comes great responsibility. IoT is a technological advancement with unlimited potential to improve the quality of life for consumers and businesses alike. However, if we don’t succeed in securing it, it could very well be our downfall.