IoT security: managing the risks

by Yvhan Smal - Junior Security Engineer

As we have established in a previous blog post, IoT security doesn’t benefit from the same level of maturity as other areas of cybersecurity. Nevertheless, industrial companies can rely on a number of best practices to improve their management of IoT-based cyber risks.

Do names such as Mirai, BrickerBot, IoTroop or Hide ‘N Seek ring a bell? Those are merely the most famous, or rather notorious, IoT-based cyberattacks of recent years. For, along with an explosive growth in connected devices, comes a real surge in fresh cyber risks.

In the first half of last year, Kaspersky Lab detected 121,588 malware samples targeted at IoT. That is three times more than in the whole of 2017. Most of these attacks take the form of a botnet or zombie army: a network of compromised computers or servers, controlled by the attacker and connected in a coordinated fashion for malicious purposes, such as distributed-denial-of-service (DDoS) attacks, information theft or transmitting malware or spam mail.

In the case of IoT botnets specifically, it is IoT devices, such as cameras, routers, wearables and other embedded technologies, that are infected with malware. Infected IoT devices seek to spread their malware, persistently targeting more and more devices. So, while a traditional botnet may consist of thousands or tens of thousands of devices, an IoT botnet is typically larger in scale, with hundreds of thousands of compromised devices. And because a large proportion of IoT devices are always on (24/7/365), an attacker can deploy large-scale DDoS attacks within days. All the more reason, therefore, to detect, monitor, assess, mitigate and, ideally, prevent those infections from happening.

IoT security by design.

When managing IoT-based cyber risks, it is first and foremost important to consider the security of the whole IoT system or infrastructure, a concept commonly referred to as security by design or built-in security. Indeed, one of the major challenges of IoT security is the fact that security has not traditionally been considered in the design phase of the environments to which it is grafted. All too often still, security is merely an afterthought in development, whereas we should actually be designing systems to be as secure as possible from the start.

IoT security best practices.

However, the biggest inhibitor to IoT security growth, as research by Gartner points out, is a lack of prioritization and implementation of IoT security best practices and tools. It is clearly not for lack of best practices themselves, though, as these are widely and readily available from highly independent and trustworthy bodies, such as ENISA, the European Union Agency for Cybersecurity.

One such best practice, courtesy of ENISA, is to conduct an asset and risk assessment, which is key to determining the criticality of the assets and threats that affect your specific IoT environment. Another is to conduct periodic audits and reviews of your security controls, to ensure that they are effective, and perform penetration tests at least twice a year. A third recommendation from ENISA is to implement a logging system that records events relating to user authentication, management of accounts and access rights, modifications to security rules, and the functioning of the system (using a SIEM, for example).

More ENISA recommendations for IoT security can be found here and here.