It seems like it was only a few years ago when we thought of computers, laptops, and smartphones as the only devices that used the Internet — maybe that’s because they were. Now, thanks to the massive explosion of IoT (Internet of Things) devices, staying connected has never been easier.
Everything from your smartwatch and car to the light bulbs and smoke alarms in your home can be IoT devices. Although this technology has made life easier for its users, it has also made a hacker’s job easier. This increased risk has made it essential for businesses and personal users to implement the necessary IoT security to protect their data.
This article will cover a variety of important IoT security topics that include…
- The history of IoT devices
- What is IoT security?
- 4 security breaches to learn from
- The first IoT security legislation
- 6 company-wide strategies for your security model
- 9 IoT tools and solutions to secure your business
The history of IoT devices
According to IBM, the first IoT device was invented in 1982 when David Nichols, a Carnegie Mellon computer science grad student, was craving a Coke. Nichols didn’t want to make the long trek to see if there were any cold ones left in the vending machine, so he and his friends came up with the idea of installing micro-switches — connected to the department’s main computer via ARPANET — in the machine to notify them if any cold sodas were available.
Although Nichols’s invention and John Romkey’s 1990 Internet-connected toaster were some of the first to be reported, the term “Internet of Things” wasn’t coined until Kevin Ashton gave a presentation in 1999 where he referred to this technology as a connection of several devices via radio-frequency identification (RFID) tags. While this term has persisted, the IoT industry has expanded over the years to include a wide range of Internet- and network-based devices.
What is IoT security?
IoT security refers to the various modes of protection used to secure devices connected to the Internet and their associated networks. These safety measures are typically geared toward reducing vulnerabilities, preventing cyberattacks, addressing breaches, and eliminating any potential threats.
Although it may sound like a simple task to add protections to network-connected devices, several IoT security layers need to be accounted for, like sensors, data, servers, cloud platforms, and more. With a wide variety of devices, the framework of each may not look the same — there may be different physical barriers, network applications, protocols, and more. Nonetheless, your business needs to identify these components, functions, and operational procedures to ensure each is secure.
While IoT device architecture is not universal, here are some commonly accepted layers of security you may need to address:
- Application layer: This is where the user will interact with the device and its services.
- Network layer: This is where collected data is transmitted and processed. This layer connects devices to other servers and network devices.
- Perception (physical) layer: This is where devices and their sensors gather data for each operation or action taken.
Each layer leaves the possibility for malicious activity to occur, which is why businesses must build a comprehensive IoT security plan that addresses every device and network component.
IoT security benefits and challenges
There are always pros and cons to any technology or software, and network-connected devices are no different. With this industry expanding from everyday devices found in your home to extensive machinery used in major factories, there is an array of IoT security challenges and benefits that go along with it.
As new devices are introduced into the market every year, businesses certainly have their work cut out for them when addressing IoT security challenges.
Some of the most common IoT security challenges include:
- Rapidly evolving trends, technology, and advanced threats
It’s extremely difficult to keep up with this fast-paced industry, evolving threats, and advanced viruses and breaches, especially when it comes to updating hardware and software in time. New technology like AI/machine learning, the cloud, and smart vehicles also opens the door to attacks (stolen data, malware, ransomware, etc.) and can even put users in physical danger.
- Remote work as the new normal
With remote work comes remote access, which means unsecured home networks and public Wi-Fi that hackers can tap into.
Human errors are one of the biggest IoT security challenges and cause the majority of breaches. Although it may be a hassle, scheduling consistent training on proper security protocols and updates will be crucial to reduce errors. Prioritizing device access to specific departments or staff will help too.
While there are many challenges involved in implementing new Internet-connected devices into your business, there can also be many IoT security benefits with the right foundation.
Some of the most notable IoT security benefits include:
- Reduced operational costs
Secure IoT devices may be a little pricey to initially install, but they typically result in long-term savings for the business. This technology can reduce labor, improve production volumes and quality, and help teams put more focus on high-priority projects — all of which can save you money over time.
- Increased brand reputation, trust, and sales
Consumers want to do business with companies they trust to protect their information and produce top-notch products. By applying the necessary IoT security measures to your devices and communicating those efforts to your customers, you’re ensuring they can trust you. This trust can result in enhanced brand reputation through organic word-of-mouth recommendations and increased (new and return) sales.
- Security standards and requirements met
Your business can automatically meet other industry-specific or national security requirements and PCI compliance standards with the right IoT security. This is because many of these protocols overlap with the safety measures that go along with protecting these devices.
The importance of IoT security
Statista projects that the IoT market will amass 75 billion devices worldwide by 2025, so strong security protocols and software have become a necessity for both businesses and private citizens.
Here are some of the important assets and operations IoT security can help protect:
- Sensitive customer data (credit card, home address, phone numbers, etc.)
- Medical devices and records
- Government classified information
- Industrial machinery
- Personal residences (home Wi-Fi networks, alarm detection systems)
- Transportation (cars, planes, etc.)
By failing to secure these devices and address IoT security vulnerabilities, you’re exposing your business to preventable damages and costly fines.
4 IoT security breaches to learn from
No organization wants to experience an IoT security breach, as it can be extremely detrimental to profits, consumers, and long-term success. Businesses that don’t properly secure their devices are putting their staff and customers at greater risk.
Teams would be wise to educate themselves on past mistakes to ensure they don’t repeat them. To help your business better protect its assets, here are four major IoT security breaches to learn from:
- SolarWinds Orion 2020 supply chain attack
- IoT malware and Ryuk ransomware attacks during COVID-19
- Mirai botnet attacks: hundreds of thousands of IoT devices accessed
- Stuxnet attack: IoT devices used to damage Iran’s nuclear program
1. SolarWinds Orion 2020 supply chain attack
SolarWinds is a Texas-based software provider that services many well-known organizations worldwide, including 425 of the Fortune 500 businesses and U.S. government agencies like the Pentagon, Department of Defense, and all military branches. It’s also home to one of the most recent large-scale attacks that compromised thousands of companies in 2020.
Orion, a network management system (NMS), is one of SolarWinds’ most widely used products. It monitors and manages professional systems like servers and IoT devices. This supply chain attack, which U.S. officials believe was carried out by groups tied to the Russian government, planted malware using a trojan software update that was distributed to users in March 2020. Once distributed, it gave hackers backdoor access into roughly 18,000 private networks.
The 2020 SolarWinds Orion supply chain attack left a huge impact on the world of IoT security, as well-known, compromised organizations like Microsoft, Deloitte, the National Nuclear Security Administration, and even the Department of Homeland Security were forced to rethink their cybersecurity strategies to better protect their devices and networks.
The response to this breach has been felt on a global scale. The U.S. government took legal actions against the hackers and imposed sanctions against Russia. SolarWinds has since removed the software and released emergency patches for affected companies to remove this malicious code and identify additional threats.
Private businesses should vet all third-party providers — even large corporations — to ensure their services are up to date with the newest precautions. The zero-trust approach (discussed below) will be highly useful in evaluating the different players involved. To prevent future attacks and address the top IoT security threats, you can also implement a data exfiltration prevention program and a supply chain risk management system.
2. IoT malware and Ryuk ransomware attacks during COVID-19
The 2021 SonicWall Cyber Threat Report found a 66% increase in IoT malware attacks in 2020 alone. Much of this rise is attributed to the pandemic, which forced businesses to work remotely and use home devices. This public health crisis gave hackers a better opportunity to access corporate networks through unsecured connections.
The healthcare sector bore the brunt of these attacks throughout the year, as the Department of Health & Human Services (HHS) reported a 50% increase in breaches within this industry. Over 100 of these incidents targeted network servers, desktop computers, laptops, email, and electronic medical record (EMR) systems.
Hackers also accessed healthcare networks using phishing emails, which can be seen in the spike in Ryuk ransomware aimed at hospitals involved in the COVID-19 response.
A Ryuk ransomware attack targets specific high-profile organizations that will pay larger sums of money, rather than going after multiple businesses for less. These attacks are usually carried out via phishing emails, using a BazarLoader trojan or the Trickbot or Emotet botnets. The hackers gain access to private networks and use encryption to lock companies out of these systems until they pay the ransom requested.
Although Ryuk ransomware surfaced back in 2018, the pandemic brought a huge wave of these attacks against hospitals and healthcare organizations. In October 2020, U.S. ransomware attacks increased by 71% in the healthcare sector, with Ryuk being responsible for 75% of these attacks. This increase in activity prompted the Cybersecurity and Infrastructure Security Agency (CISA), FBI, and HHS to issue a joint warning for this industry.
One of the most notable Ryuk ransomware attacks during this timeframe was against 250 United Healthcare sites and hospitals. The affected hospitals immediately shut down their systems, redirected ambulances, and relocated surgery patients to nearby locations.
IoT security certainly has its work cut out for it, as the impacts of this past year are still being felt on a global scale. Some ways to prepare for these kinds of attacks in the future include:
- Secure email gateways
- Access control solutions
- Work from home risk models
- Regularly scan for shadow IoT devices
- Virtual patching
Cyber Talk also recommends that hospitals enhance their security by implementing cybersecurity products and services that offer full visibility into IoT devices, strong leaders to address vulnerabilities with device manufacturers, and zero trust identity and access management policies.
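To make the "regularly scan for shadow IoT devices" item concrete, here is an added example (not from the original article) that reconciles devices seen by a DHCP server against an approved asset inventory. The dnsmasq-style lease lines, the inventory, and every function name are constructed for illustration, and the example assumes the inventory is keyed by MAC address.

```python
"""Flag shadow IoT devices: hosts seen on the network but absent from the asset inventory."""

# Constructed sample: dnsmasq-style lease lines "<expiry> <mac> <ip> <hostname> <client-id>".
SAMPLE_LEASES = """\
1700000000 AA:BB:CC:00:00:01 10.0.20.11 nurse-station-1 *
1700000300 aa-bb-cc-00-00-02 10.0.20.12 infusion-pump-7 *
1700000600 DE:AD:BE:00:00:99 10.0.20.57 * *
malformed line
1700000900 DE:AD:BE:00:00:99 10.0.20.57 smart-tv *
"""

# Constructed inventory of approved devices (MAC -> owner). Assumption: MAC is the asset key.
APPROVED = {"aa:bb:cc:00:00:01": "nursing", "aa:bb:cc:00:00:02": "biomed"}


def normalize_mac(raw):
    """Return a lowercase colon-separated MAC, or None if raw is not a valid MAC."""
    hex_digits = raw.replace(":", "").replace("-", "").lower()
    if len(hex_digits) != 12 or any(c not in "0123456789abcdef" for c in hex_digits):
        return None
    return ":".join(hex_digits[i:i + 2] for i in range(0, 12, 2))


def parse_leases(text):
    """Map each MAC to its most recent lease (ip, hostname); skip malformed lines."""
    latest = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].isdigit():
            continue
        mac = normalize_mac(fields[1])
        if mac is None:
            continue
        expiry = int(fields[0])
        if mac not in latest or expiry > latest[mac][0]:
            latest[mac] = (expiry, fields[2], fields[3])
    return {mac: (ip, host) for mac, (_, ip, host) in latest.items()}


def find_shadow_devices(lease_text, approved):
    """Return sorted (mac, ip, hostname) for devices on the network but not in inventory."""
    approved_macs = {normalize_mac(m) for m in approved}
    seen = parse_leases(lease_text)
    return sorted((mac, ip, host) for mac, (ip, host) in seen.items() if mac not in approved_macs)


if __name__ == "__main__":
    for mac, ip, host in find_shadow_devices(SAMPLE_LEASES, APPROVED):
        print(f"UNAPPROVED {mac} {ip} {host}")
```

DHCP leases only reveal devices that request an address, and devices that randomize their MAC will not match a MAC-keyed inventory, so a check like this complements switch or wireless controller data instead of replacing it.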
3. Mirai botnet attacks: hundreds of thousands of IoT devices accessed
The Mirai botnet is one of the largest known breaches and distributed denial-of-service (DDoS) attacks. It used hundreds of thousands of IoT devices to breach well-known networks and even caused an Internet outage across much of the East Coast.