IoT security: what you need to know

Iain Davidson at Wireless Logic outlines the size of the IoT security threat and proposes was that organisations can act to keep themselves safe

European organisations will spend around $227 billion on Internet of Things (IoT) technology this year, according to IDC. It is a phenomenal sum, driven by growth areas including smart buildings and fleet management alongside automation, cost reduction and customer experience initiatives.   

However, with rapid growth comes risk. All IoT solutions, whether they monitor unmanned sites, capture environmental data, or perform any of the other many and varied use cases of the IoT, face security threats.

Companies with IoT solutions, manufacturers of the devices that go into them, and providers involved along the way, must safeguard the security of their installations to protect reputations, revenues, and investments, and ensure they measure up to current and incoming legislation. 

How big is the IoT security threat?

According to a SonicWall report there were 57 million IoT malware attacks in the first half of 2022. The IoT faces very real security threats, yet we know from Kaspersky that 43% of businesses don’t fully protect their solutions. To understand why, over a third (35%) refer to a lack of staff or specific IoT security expertise and 40% cite difficulty finding a suitable solution.

All connected devices, systems and networks face cyber-threats and these evolve at an alarming rate. The only way to mitigate the threat is to build security into every stage of product and process design.  

Is there any IoT security legislation?

Governments and international organisations are acutely aware that unprotected IoT devices and networks can be vulnerable to cyber-threats. Just this year, the World Economic Forum’s ‘State of the Connected World’ report identified cyber-security as the “second-largest perceived governance gap”, while the UK’s National Cyber-Security Strategy 2016-21 acknowledged that, “poor security practice remains commonplace across parts of the (IoT) sector.” 

Action in this area began with guidance and standards. The UK published a Code of Practice for Consumer IoT Security in 2018 containing guidelines for product security design and best practices. This influenced the European Telecommunications Standards Institute (ETSI) standard EN 303 645. IoT solution designers can look to this, and other standards including IEC 62443 4-2 and ISO/SAE 21434, for guidance on meeting cyber-security challenges. 

Then there is a raft of existing and pending legislation, including the UK’s Product Security and Telecommunications Infrastructure (PSTI) Act, the EU’s Cyber-Resilience Act, and the USA’s IoT Cyber-security Improvement Act (for devices used by federal government).

The PSTI (Product Security) regime is on the immediate horizon. It comes into effect on 29 April 2024 and will regulate consumer products such as routers, webcams and connected fridges. Impacted products must be free of default passwords, have a vulnerability disclosure policy and be transparent about update support periods. 

Certain businesses must, of course, also look to legislation specific to their sectors. For example, electric vehicle charge points in the UK are bound by security requirements which came into force in December 2022.

Companies must be aware of security legislation relevant to their IoT implementation and act to ensure compliance. However, this can be particularly challenging when, as is often the case, IoT deployments are international or global because legislation will vary from region to region. 

Understandably, businesses look to legislation to understand what they need to do but it shouldn’t take this to spur them into action - the considerable damage that a cyber-security attack can do is more than sufficient motivation. 

How can companies act on IoT security?

Companies must secure their solutions end-to-end. This means taking a holistic approach, one that encompasses processes and people - including those of suppliers - as well as technology. After all, ransomware and malware attacks often target individuals within organisations. These can find their mark if employees aren’t adequately trained in what to look out for and how to raise an alarm.

Comprehensive IoT security defends against, detects and reacts to threats. To defend, unauthorised access to devices, cloud infrastructure and data must be prevented. Defence measures should encompass IoT SAFE, a SIM standard to uniquely identify devices for authentication. It should also include secure communication, resilience against outages, software updates, data security policies and regulatory compliance. 

To detect any breach that occurs, companies must have device monitoring in place and analyse their network traffic. That way, any anomalous activity or behaviour indicative of a breach, such as a changed target URL or unusual data usage, can be picked up. 

To react, companies must be prepared and have automated countermeasures in place. These include threat isolation, quarantining and cleaning affected devices. 

All of that said, companies must also do one more thing. Rehearse. There is no substitute for it. It prepares companies to take swift action should they need to, because they have rehearsed the scenario, they know what it looks like, and they have a plan ready to implement. Rehearsal can also help identify weak areas that, if addressed, could avert a problem occurring in the first place. 

IoT security and compliance cannot be an afterthought. Manufacturers must ensure their devices are secure by design; companies deploying solutions must have 360-degree security in place. If unsure, identifying a partner to support on IoT security can be prudent.

Cyber-attacks will prey on any security weaknesses in technology, processes or employee training which, if successful, can have damaging financial and reputational repercussions.

The only way to protect IoT solutions is to prepare comprehensively, implement security strategies and measures, and rehearse. 

Iain Davidson is senior product manager at Wireless Logic

Main image courtesy of iStockPhoto.com