Information security for IoT 101

Haven’t we got more important things to talk about than information security for IoT? Perhaps, but only because IoT has so far largely flown under the radar of many attackers. At least, apart from hacked IP cameras, pacemakers and baby monitors. IoT devices are generally small, inconspicuous and, at best, transparent to users. But they are already having an immense impact on our daily lives. The average household in a developed country today has around ten devices on its home network. More tech-savvy families can easily reach 40 or 50 devices. Many of these devices communicate not only locally on the home network but also with their manufacturer. In the worst-case scenario, they can be reached directly from the Internet and are either not protected by a password or the default password has not been changed.

Nobody wants to be the one to blame

Unfortunately, nobody seems to want to take responsibility. The end user may switch on and use IoT devices, but they can hardly be held responsible for security. After all, car airbags are not maintained and adjusted by the driver. Even if they were interested, 99% of users would likely lack the necessary knowledge. As long as product liability is not enforced, manufacturers will continue to see security as a nuisance that can be ignored. Whenever something happens, nobody wants to be the one to blame.

Eight steps to securing IoT devices for businesses

In the consumer market, only the legislator will ultimately be able to ensure a reasonable level of security. But the situation is different for the commercial and industrial use of IoT devices. Numerous compliance requirements that apply in companies also apply to IoT devices. In commercial scenarios, there is an IT department or at least an external service provider who has the knowledge and time to implement security requirements. And at least on an abstract level, basic IT security measures are no different to those which apply to standard IT.

  1. Shared responsibility applies to both IoT and other IT devices. Manufacturers, partners and end users all play a role in information security, and everyone should be aware of where their responsibilities lie.
  2. Like standard IT, identity is key. Experts aren’t wasting their breath when they say "identity is the new perimeter": identity really is one of the key elements of Zero Trust concepts. If you can’t define separate roles for tasks and implement authentication, you can’t have least privilege and separation of duties.
  3. Without monitoring, administrators have absolutely no sense of what is happening within their networks. Most IoT devices generate logs that should be collected and fed into a suitable SIEM.
  4. Just like onions, the more layers you have in a security strategy, the better the core is protected. This is also a step towards Zero Trust. Central protection, for example at the gateway, is not sufficient; damage should be limited even if an attacker gets through the firewall. Segmentation, hardening, role-based access control – with these measures the impact of an attack can be contained.
  5. People make mistakes, machines less so. Information security starts off manually in the strategy and planning phase, and many aspects can be automated later. Especially when cloud infrastructures are used, concepts such as infrastructure-as-code (IaC) help to simplify repetitive tasks and execute them quickly and consistently without human error creeping in.
  6. Encrypt, encrypt, encrypt. Encryption protects organizations at many levels. A VPN connection cannot be tapped, as encrypted data is worthless to attackers. Not every bit needs to be encrypted, but companies that encrypt vulnerable areas such as network access points and critical data will have already done well.
  7. IoT devices are often used in environments that are difficult to protect from physical access. Padlocks won’t get you far here and technicians often need to open up devices for maintenance. However, IoT devices can trigger alarms when enclosures are opened or physical interfaces on the device are activated.
  8. Getting hacked is pretty much inevitable these days. That’s why it’s so important to have a damage limitation strategy and an emergency plan from the outset. If you know what you need to do, you can respond quickly and efficiently. Remember that emergency plans are not static: they need to be updated frequently and tested from time to time.
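
Steps 3 and 7 meet when device logs reach the SIEM: an enclosure that is opened during a booked maintenance visit is routine, while the same event at any other time deserves an alert. The following Python sketch is an added example, not part of the original article; the log format, device names and maintenance schedule are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample lines in a hypothetical "<ISO time> <device> <EVENT> key=value" format.
SAMPLE_LOG = """\
2024-05-06T09:12:03 pump-ctl-07 ENCLOSURE_OPEN sensor=lid
2024-05-06T09:14:40 pump-ctl-07 PORT_ACTIVE iface=uart0
2024-05-06T09:40:11 pump-ctl-07 ENCLOSURE_CLOSED sensor=lid
2024-05-07T02:31:55 gate-cam-02 ENCLOSURE_OPEN sensor=lid
2024-05-07T02:33:10 gate-cam-02 PORT_ACTIVE iface=usb0
2024-05-07T02:33:12 gate-cam-02 garbled line without fields
2024-05-07T08:00:00 hvac-01 HEARTBEAT uptime=86400
"""

# Hypothetical maintenance windows per device, as a ticketing system might export them.
MAINTENANCE = {
    "pump-ctl-07": [(datetime(2024, 5, 6, 9, 0), datetime(2024, 5, 6, 10, 0))],
}

LINE_RE = re.compile(r"^(\S+) (\S+) ([A-Z_]+)((?: \w+=\S+)*)$")
TAMPER_EVENTS = {"ENCLOSURE_OPEN", "PORT_ACTIVE"}  # physical-access events from step 7

def parse_line(line):
    """Return a dict for a well-formed line, or None if it cannot be parsed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m.group(1))
    except ValueError:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(4).split())
    return {"time": ts, "device": m.group(2), "event": m.group(3), "fields": fields}

def in_maintenance(device, ts, windows):
    return any(start <= ts <= end for start, end in windows.get(device, []))

def tamper_alerts(log_text, windows):
    """Return (alerts, unparsed_count); alerts are tamper events outside any window."""
    alerts, unparsed = [], 0
    for line in filter(None, log_text.splitlines()):
        rec = parse_line(line)
        if rec is None:
            unparsed += 1  # count it: lines that stop parsing are themselves a signal
            continue
        planned = in_maintenance(rec["device"], rec["time"], windows)
        if rec["event"] in TAMPER_EVENTS and not planned:
            alerts.append((rec["time"].isoformat(), rec["device"], rec["event"]))
    return alerts, unparsed
```

Running `tamper_alerts(SAMPLE_LOG, MAINTENANCE)` flags only the two night-time events on `gate-cam-02` and reports one unparsed line; the daytime work on `pump-ctl-07` falls inside its window and stays quiet.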