In the course of reading this article, you’ll likely interact with several connected devices. And you probably wouldn’t have even given it a second thought if we hadn’t just called it out.
That behavior is just one of many signs that prove without a doubt the long-promised Internet of Things (IoT) has not only arrived but become deeply ingrained in our everyday lives.
This is a good thing: The IoT carries enormous potential. We’re already reaping the benefits in so many areas, like better medical information and proactive maintenance in devices that can help improve safety while saving us time and money.
But for all these benefits, the IoT also brings with it profound security risks. And as this darker side of connected devices emerges, the organizations building and issuing these devices have found themselves unprepared in many cases.
As we continue to barrel forward into the age of the IoT, end-to-end security must become a prominent part of the discussion. We need to put these considerations front and center to ensure no stone goes unturned.
With the IoT security imperative top of mind, we recently brought together a panel of experts for a roundtable on the current state of IoT security and what’s required to ensure security going forward.
Here’s a look at some of the top takeaways from this discussion.
1) IoT security presents unique challenges in scale and volume
One of the biggest roadblocks to start is the sheer scale and volume that the IoT has reached in such a short period of time. Specifically, IDC reports that there will be 55.7 billion connected devices by 2025 and a 300% increase in data generated from IoT devices from 2019 to 2025. The sheer size of that universe is unlike anything we’ve ever seen from a security standpoint.
At this point, security professionals know how to build architectures to protect hundreds or thousands of devices, maybe even millions. But when we start talking about tens of billions of devices, the current standard of accepted security processes starts to unravel. Determining the best way to apply modern security practices at this larger scale will be one of the first significant hurdles we must overcome to deliver a fully secure connected world.
Many of the following takeaways provide a closer look at all of the different elements of IoT devices that will require security.
2) Protecting who can talk to and control IoT devices has real consequences
One of the most critical elements of securing IoT devices involves locking down who can talk to and control these devices in the field. This piece of security is always important to make sure that devices don’t fall into the hands of malicious parties. Still, it’s crucial in cases like connected medical devices and vehicles that directly impact personal health and safety.
Offering the necessary level of protection in this area starts with unique identity provisioning that dictates who can communicate with a device, what updates they can send it, and what they can do to control the device throughout its entire lifetime. This conversation is where authentication through capabilities like public key infrastructure (PKI) becomes essential to verifying identities and granting (or denying) certain access accordingly.
3) There’s no such thing as an “innocent” IoT device
As more and more devices become connected, it’s easy to write off many of them as “innocent.” Yes, a medical device that’s connected to a patient poses a more severe and direct safety risk if it were hacked than something like a connected air conditioning unit -- but that doesn’t mean the air conditioning unit is “innocent.”
No matter how innocent it might seem, any connected device can become a weapon if access falls to the wrong hands. In fact, instances have already happened in which malicious parties gain access to sensitive data by first posing as these “innocent” devices (like HVAC units) to breach firewalls. This situation makes it essential to pay close attention to securing every single IoT device (e.g., via authentication and regular security updates), regardless of its intended use.
4) There’s no such thing as “mundane” IoT data
Along the same lines, it’s equally as essential to protect the data that IoT devices collect -- no matter what it is and how trivial it might seem -- because there’s no such thing as “mundane” IoT data. Consider the case of a connected tractor that reports data on crop patterns and harvesting for the field in which it runs. At face value, that data certainly seems mundane and largely useless to all but a few people. However, if someone could gain access to that kind of data from hundreds or thousands of tractors, all of a sudden, they can start predicting crop yields and have themselves a strong futures market.
This is just one example of many that illustrate how data flow from the IoT can become extremely disruptive and must remain under tight management. Diving deeper, one of the best ways we’ve seen to put the right trust boundaries around this data and ensure only the appropriate parties can access it is through certificate-based authentication. And this authentication must be strong, no matter how “mundane” the data coming from a device seems.
5) Every IoT device needs a plan for updates throughout its lifetime
The IoT devices released today may very well be out in the field for a good 10-15 years, particularly in the industrial and vehicle space. There’s no doubt that flaws will surface, weaknesses will be exposed, and technology overall will advance significantly in the course of this time. And for as long as those devices are out there, manufacturers will need a way to update them accordingly if there’s any hope that they’ll remain secure over their lifetime.
Importantly, manufacturers need to develop a plan for these updates before devices first get released. This plan should include a way to push firmware updates securely, update crypto-libraries on which authentication is based, revoke authentication if needed, and re-enroll certificates as they expire over time. Additionally, the plan also needs to consider how manufacturers can deliver these updates when necessary, even as devices go offline or move locations (i.e., in the EU, where traveling across countries frequently leads to roaming charges).
6) Regulations and competition will only make IoT security even more important
To date, the IoT has been a bit of a “wild west” when it comes to security, but that’s changing quickly. First, governments and industry groups are starting to enact guidelines and regulations that dictate the minimum of what’s required from a security perspective regarding access to devices, updates delivered, and use of data. Second, the end-users of these devices are paying attention and looking beyond the sheer benefits and innovation of the IoT to ensure the proper security is present, which has started to turn protection into a competitive advantage in this space.
While there’s certainly a long way to go in terms of security expectations and regulations, the tides are starting to turn in the right direction. For example, the FDA has started to issue guidelines around cyber-security best practices for medical devices (these have mainly focused on authentication through unique keys and certificates and the ability of devices to receive updates), and vehicle manufacturers are now collaborating on similar guidelines. Going forward, we can expect to see more regulations hit the market, and their presence will make a deep focus on IoT device security even more important than it already is.
7) IoT security best practices may never be standardized
Despite the rise in regulations we can expect to see over the coming years, it’s important to recognize that IoT security best practices may never be fully standardized. This is because every IoT device is different: They’re manufactured differently and have different use cases. These differences pose unique challenges to developing a standard set of best practices that everyone can follow.
We do see common threads across use cases from a security perspective, including the importance of unique credentials for authentication on each device and secure practices for delivering updates. However, anyone in the IoT security space needs to dig deeper into what exactly these threads mean for each unique device rather than simply running with generalized advice.
8) Getting IoT security right requires a step-by-step approach
Finally, given all these nuances, the greenfield of regulations, and an overall lack of standardization, getting IoT security right is not straightforward. This is especially true. IoT security is quite different from traditional enterprise security and a new area even for deep domain expertise from building these devices.
The best way forward is to take it step-by-step, first looking closely at the type of security architecture that will work best for your devices, company, and customers’ unique needs. From there, you can start evaluating the different technologies available for key elements like authentication, encryption, code signing, and so on. Along the way, one best practice to keep in mind is to use already-built solutions that can help with the fundamental lifecycle stages of IoT devices wherever possible, as that allows you to tap into a wealth of knowledge and experience versus building something on your own.
Hear from the experts: What else you need to know about IoT device security
There are massive rewards for getting the IoT right. Still, there are also many pitfalls along the way, and those pitfalls can be extremely damaging to an organization's reputation and revenue.
As a result, the IoT is not something to be taken lightly, and it needs to be treated differently than any other security endeavor you’ve taken on in the past.
With that in mind, what else do you need to know as you think through IoT device security for your organization? Watch our roundtable discussion with experts from Keyfactor, Tata Communications, and Telus to learn more.