By the end of 2020, of the 21.7 billion active connected devices worldwide, over 50% were Internet of Things (IoT) device connections. By 2025, there will be more than 30 billion IoT connections. That’s almost 4 IoT devices per person on average.
While consumer IoT is growing rapidly, enterprises are, as always, early adopters of new technology. Today, IoT devices are being deployed in the office, on the manufacturing floor, and in smart grids, and are driving growth across industries and sectors.
IoT devices introduce numerous security issues that present a significant threat to the security of enterprise data and networks, and over half of organizations expect to be compromised by an attack originating from an endpoint or IoT device. However, most organizations lack the knowledge and ability to secure their existing IoT infrastructure, a problem that will only worsen over time.
Top 5 Enterprise IoT Security Challenges
While IoT security should be a core component of an enterprise cybersecurity strategy, many organizations struggle with securing their IoT networks and devices. Below, we look at the top five challenges for securing the IoT in the enterprise.
1. Standards gap and manufacturer noncompliance
Currently, no global standard exists for IoT cybersecurity. While some regional recommendations exist, the lack of a unified standard or global regulations leaves IoT manufacturers to their own devices with regard to security.
As a result, many IoT manufacturers fail to comply with basic cybersecurity best practices. This means that these Internet-connected devices often create security holes within enterprise networks. Cybersecurity best practices for IoT users include:
- Employee Awareness: Cybersecurity awareness programs should cover the risks of IoT devices and how to use them securely. This includes avoiding “shadow IT” where unapproved devices are connected to company networks.
- Access Management: Access to IoT devices and IoT devices’ access to other systems should be limited according to the principle of least privilege. This helps to minimize the risk and impact of a compromised IoT device.
- Network Segmentation: When possible, IoT devices should be deployed on a separate network segmented from other IT systems. This limits the risk posed by insecure, Internet-connected devices.
- Security Patching: Security updates for IoT devices should be applied promptly when they become available. Cybercriminals commonly target recently disclosed vulnerabilities when building IoT botnets.
2. Bad password hygiene and IoT network access control
Poor password security is an issue for all IT systems, but this is especially true for IoT devices. Often, these devices are designed to be “plug and play,” so users take the minimum actions required to get the devices working.
Often, IoT manufacturers will include hardcoded, embedded, and default credentials on their IoT devices. In some cases, the intent is for the user to change these credentials on first use (which rarely happens), but others are designed to be permanent. These default credentials are commonly exploited by cybercriminals, as demonstrated by the Mirai IoT botnet, which compromised IoT devices by logging into them with a short list of common passwords.
Mitigating the risks of insecure – and potentially malicious – IoT devices requires strong user and network access control strategies. These include:
- Secure default settings: IoT devices should be designed to minimize the risk of weak passwords by default. This includes eliminating hardcoded passwords, forcing a password change during device setup, and enforcing the use of strong, random passwords. In addition, secrets scanners or SAST solutions should be employed to make sure the source code does not leak secrets.
- Multi-factor authentication: When possible, organizations should enforce the use of multi-factor authentication (MFA) for access to their IoT devices. This makes it more difficult for attackers to exploit default or weak passwords on these devices. However, as our previous research has shown, 2FA can also be vulnerable to attack.
- Network access control: Vulnerable or malicious IoT devices place the enterprise and its employees at risk. Organizations should have visibility into devices on their network and the ability to restrict network access and block traffic to unnecessary ports based on business needs.
- Least privilege: User permissions on IoT devices and IoT devices’ access to other IT resources should be limited to the minimum required for business needs. This makes it more difficult for an attacker to access these systems and minimizes the impact of a breach.
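The network access control and least privilege items above can be checked against observed traffic. The following is an added example, not part of the original article: it audits flows from an IoT segment against a per-device-class allow-list, and every address, device class and rule in it is constructed for illustration.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto port")

# Constructed policy: what each device class needs for business purposes.
# Each rule is (protocol, destination port, permitted destination network).
POLICY = {
    "camera":     [("tcp", 554, "10.20.0.10/32"),    # RTSP to the video recorder
                   ("udp", 123, "10.20.0.1/32")],    # NTP to the segment gateway
    "thermostat": [("tcp", 8883, "10.20.0.20/32")],  # MQTT over TLS to the broker
}

# Constructed inventory (device IP -> device class) and IoT segment.
INVENTORY = {"10.20.1.5": "camera", "10.20.1.9": "thermostat"}
IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/16")

def check_flow(flow):
    """Return (verdict, reason) for one observed flow."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    device_class = INVENTORY.get(flow.src)
    if device_class is None:
        if src in IOT_SEGMENT:
            return ("deny", "unknown device on IoT segment")
        return ("ignore", "source is not in the IoT segment")
    for proto, port, net in POLICY[device_class]:
        if (flow.proto, flow.port) == (proto, port) and dst in ipaddress.ip_network(net):
            return ("allow", f"{device_class} rule {proto}/{port}")
    if dst not in IOT_SEGMENT:
        return ("deny", f"{device_class} leaving its segment")
    return ("deny", f"{device_class} using unneeded port {flow.proto}/{flow.port}")

def audit(flows):
    """Return only the flows that violate policy, each with its reason."""
    return [(f, reason) for f in flows
            for verdict, reason in [check_flow(f)] if verdict == "deny"]

# Constructed sample flows.
SAMPLE_FLOWS = [
    Flow("10.20.1.5", "10.20.0.10", "tcp", 554),    # camera -> recorder, expected
    Flow("10.20.1.5", "10.10.4.7", "tcp", 445),     # camera -> corporate file server
    Flow("10.20.1.9", "10.20.1.5", "tcp", 23),      # thermostat -> camera over Telnet
    Flow("10.20.1.77", "10.20.0.20", "tcp", 8883),  # device missing from inventory
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"DENY {flow.src} -> {flow.dst} {flow.proto}/{flow.port}: {reason}")
```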
3. Weak update mechanisms and policies
IoT device manufacturers commonly release software containing unpatched vulnerabilities. However, even devices released with up-to-date software commonly have vulnerabilities discovered during their operational lifecycles.
Many IoT devices are deployed with a “set it and forget it” mentality. Even when updates are released for newly discovered vulnerabilities, IoT device users and network administrators rarely apply these patches. As a result, these devices are vulnerable to attackers who scan for these vulnerabilities and use them to add devices to their botnets. For example, the Mēris botnet is an IoT botnet that is breaking records for DDoS attacks and was built by exploiting a 2018 vulnerability in MikroTik routers.
Corporate IoT device and network administrators must implement and enforce a strong device update policy. This includes regularly scanning for unpatched systems and monitoring manufacturers’ websites for newly available updates. It is also wise to deploy a solution that offers virtual patching of vulnerabilities, such as a web application firewall (WAF) or runtime application self-protection (RASP) solution.
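One way to run the scan for unpatched systems described above, as an added example that is not part of the original article: it compares inventoried firmware versions against the first fixed version per model and flags devices that have stayed unpatched longer than a policy window. The model names, versions, dates and the 30-day window are all constructed assumptions.

```python
import re
from datetime import date

# Constructed advisory data: model -> (first fixed firmware, date the fix shipped).
# Real values come from the manufacturer's security advisories.
FIXED_IN = {
    "router-x1": ("3.4.10", date(2024, 1, 15)),
    "cam-200":   ("2.10.0", date(2024, 2, 20)),
}

# Constructed inventory, as a scanner or asset database would report it.
INVENTORY = [
    {"host": "edge-rtr-01", "model": "router-x1", "firmware": "3.4.9"},
    {"host": "edge-rtr-02", "model": "router-x1", "firmware": "3.4.10"},
    {"host": "lobby-cam",   "model": "cam-200",   "firmware": "2.9.12"},
    {"host": "dock-sensor", "model": "sens-7",    "firmware": "1.0"},
]

def parse_version(text):
    """Turn '3.4.10' into (3, 4, 10) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def is_older(installed, fixed):
    """True if installed < fixed; pads with zeros so '1.0' equals '1.0.0'."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(a) < pad(b)

def audit(inventory, today, max_days=30):
    """Return (host, status, detail) for every device needing attention."""
    findings = []
    for dev in inventory:
        advisory = FIXED_IN.get(dev["model"])
        if advisory is None:
            findings.append((dev["host"], "unknown", "no advisory data for model"))
            continue
        fixed, released = advisory
        if is_older(dev["firmware"], fixed):
            age = (today - released).days
            status = "overdue" if age > max_days else "pending"
            findings.append((dev["host"], status, f"needs >= {fixed}, fix out {age} days"))
    return findings

if __name__ == "__main__":
    for host, status, detail in audit(INVENTORY, date(2024, 3, 1)):
        print(f"{status.upper():8} {host}: {detail}")
```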
4. IoT security skill gap
Security best practices and basic cybersecurity hygiene for traditional IT systems are fairly well known and established. However, IoT is a relatively new and rapidly expanding technology.
Many IoT users do not understand the full capabilities of their devices, which means that they do not understand their security risks and how they can be abused by an attacker. Without this understanding, it is difficult to properly secure these devices, making them a major hole in an organization’s cybersecurity defenses. Over three-quarters of organizations lack the IoT expertise necessary to operate and secure their existing IoT infrastructure, and the IoT is only growing.
Closing the IoT security skills gap requires a concerted effort to train IoT users and security staff on the security risks and best practices for these devices. IoT security must be a component of an organization’s risk management strategy with training that specifically targets the types of devices that are authorized and used in the workplace.
5. Data privacy
Most IoT devices are designed to collect and process massive amounts of data. This data can create significant privacy concerns if not properly managed and protected.
IoT devices’ generally poor security also extends to their protection of sensitive information. It is not uncommon for IoT devices to transmit data unencrypted or to store it without appropriate protections. IoT device vulnerabilities can also lead to the exposure of other sensitive information that is improperly protected on corporate networks. In 2017, a casino lost its high-roller database when an IoT fish tank thermometer was hacked and used as a foothold to access other systems on the network.
Data encryption and access control are essential to protecting data privacy both on IoT devices and in other corporate IT systems. Data should be encrypted both at rest and in transit, and access to this data should be limited based on business requirements.
Securing corporate IoT devices
Many of the challenges associated with IoT security require significant changes in how IoT manufacturers design, build and maintain these devices. However, enterprise IoT users can also take steps to mitigate their IoT security risks.
Network security is essential to IoT security. However, many IoT devices are connected to mobile networks and directly access cloud-based resources. Securing the IoT requires the ability to secure these mobile networks. One of the things CISOs can do to strengthen the robustness of their systems is to ensure that IoT connectivity is secured throughout, including cellular, LAN, WLAN, Bluetooth, and IoT-specific radio communications protocols.
FirstPoint is a proven SIM-based security solution for cellular IoT deployments. FirstPoint solutions work at the network level, detecting, managing, and preventing threats for cellular IoT devices. Learn more about how FirstPoint can help to mitigate the security risks posed by your organization’s IoT devices.