Aug 04 2022

Internet of Things Security: How To Protect Your IoT Devices

As Internet of Things networks grow, these steps can help organizations protect their systems and data.

Internet of Things devices are everywhere. By one estimate, there were 10 billion connected IoT devices in 2021 — such as sensors, networked security cameras, microphones and RFID transmitters — in use by organizations around the globe. In fact, 90 percent of enterprises say IoT is central to their digital transformation, according to an Omdia survey

But the widespread use of IoT solutions comes at a cost. Security is often not a primary focus as businesses deploy these tools, which can leave them vulnerable. Cybercriminals can use unprotected IoT devices as springboards into corporate networks. As businesses look to expand their IoT deployments, there are steps they should take to protect their devices and data.

The Nature of Internet of Things Security

IoT devices typically collect data and send it on for collection and analysis. Because they are compact by design, they often have limited storage capacity, which prevents them from using security tools such as anti-malware software and firewalls. Patching IoT devices can be a challenge, so vulnerabilities sometimes are not remediated. For these reasons, IoT devices often represent a weak link in the security chain.

To exacerbate the situation, many IoT networks have grown over time to incorporate numerous devices, often deployed in uncontrolled and unsecured environments. IoT networks are complex, presenting a much larger attack surface than a typical network. The more connections there are, the more opportunities there are for cybercriminals to attack. Even a minor vulnerability on a single device could expose an entire network.

Click the banner to unlock exclusive cloud content when you register as an Insider.

Threats to IoT Devices

IoT devices face a variety of threats. Firmware (software on all IoT devices that operates the hardware) may be exploited, and even if vulnerabilities are known, patches may not be available or applied.

Attackers also may break into a network using default usernames and passwords that customers have not changed — or cannot change. This vulnerability was exploited by the Mirai malware, which utilized 61 common default credentials to launch devastating distributed denial of service attacks.

Devices also may be vulnerable to on-path attacks, in which an attacker is positioned between an IoT device and a server — for example, between a security camera and its cloud server — and intercepts communications between them. The risk of data exposure in these scenarios is high, since many devices do not encrypt communications by default.

Because IoT devices connect to the internet, attackers can exploit known vulnerabilities and take over devices as a first step in conducting attacks that allow them to move laterally through an enterprise network, stealing data, implanting malware or accessing sensitive information.

DISCOVER: Find out the latest trends and tactics being employed by cybercriminals.

IoT Risks

IoT devices can be risky for two reasons: They are easy to exploit, and once exploited, they can wreak serious havoc.

Many devices are not designed with security as a top consideration: They may have poor internal controls, come with default passwords that are difficult to change, be unable to encrypt data or have known vulnerabilities for which the manufacturer has not issued a timely patch.

Once an IoT device is exploited, the harm cyberattackers can do can be severe. Compromised IoT devices that provide physical access, such as card reader systems, could allow unwanted visitors to enter a facility with no audit trail. IoT-based HVAC systems without adequate security could enable cyberattackers to take remote control of a building’s temperature and humidity, damaging inventory or disrupting work.

READ MORE: Find out how small businesses can fund their ransomware protection.

What Steps Can IT Leaders Take?

Ultimately, organizations should work to secure every device or node on an IoT network. Following these steps below should help IT leaders improve their IoT security.

IT teams should make sure devices are sufficiently authenticated (with an authentic TLS certificate, for example) so requests to applications, services and protocols come from authorized devices.

  1. Know what you have: Many IT professionals are unaware of all the IoT devices on their networks. A 2020 Infoblox study found that over a 12-month period, 80 percent discovered unknown IoT devices on their networks. IoT device management platforms can provide teams with visibility into their entire inventory and potential security issues. A device management system can identify and profile all devices and monitor them regularly.
  2. Choose the right devices: Organizations should acquire only IoT devices designed with effective security features, and only from manufacturers who release timely security updates. California and Oregon laws require devices sold in those states to be fitted with reasonable security features, such as unique passwords, regular security updates and vulnerability disclosures. Organizations should avoid devices without an external interface or with unchangeable credentials, and they should turn off any unneeded features such as microphones and ports.
  3. Secure your device access: Cybercriminals access devices in uncontrolled environments, or via stolen credentials, to upload malware, access unencrypted data or incorporate the devices in botnets. IT professionals should change default credentials when installing an IoT device and should avoid the reuse of the same credentials across multiple similar devices.
  1. Secure the data: Encryption helps protect data at rest and in transit, even if it were to be accessed or stolen by an unauthorized entity. Encryption is essential to preventing eavesdropping, which is especially prevalent in industrial espionage.
  2. Patch, patch, patch: When a manufacturer releases a security update for a discovered vulnerability, IT teams should update devices in the field immediately. Waiting even a couple of days can mean that hackers can exploit the vulnerability.

The convenience and functionality of IoT networks are game changers for the industry. But it’s worth taking the time to make sure IoT networks have not also opened the door to cybercriminals. There are several additional actions organizations can take to protect IoT workloads and data, including network segmentation, monitoring and analyzing network traffic. But taking these five steps will give you a head start on addressing the most common risks.

Nitat Termmee/Getty Images

Learn from Your Peers

What can you glean about security from other IT pros? Check out new CDW research and insight from our experts.