The Internet of Things (IoT) is fast becoming ubiquitous. IoT opens up a world of convenience and possibilities from smart office lighting systems to sensors embedded inside machinery. But IoT also changes the nature of the network and brings significant security risks.

IoT expands the network and opens up a near-infinite number of endpoints. The constant communication among the devices makes traditional network security paradigms obsolete. IoT is a new technology. Processes and best practices are yet to crystallize. This tech blog discusses the way to improve the security of an IoT dominated network.

1. Get Cloud Security Right

The unique nature of each business makes a single software platform a non-starter for most customers. IoT vendors partner with AWS, Azure or other cloud service providers, to deliver services through the shared network infrastructure. This increases interoperability and reduces ownership cost. But it also comes with the security risks inherent to the cloud.

Getting cloud security right improves the security of the ecosystem.

• Opt for multi-factor authentication (MFA), which makes it difficult for hackers to steal access credentials. Still better, enforce Role-based access control (RBAC), where each user has limited access, depending on their role.
• Access the services from a secure connection. Unsecured wi-fi networks increase the risk of data theft and server manipulation. About 40% of industrial sites connect to the public internet, heightening the risks.
• Encrypt the traffic, using strong encryption standards such as TLS or WPA2.
• Deploy infrastructure to absorb traffic spikes. Make sure the cloud provider can scale up as required.

2. Improve Network Visibility

Getting IoT security right requires complete visibility into the assets connected to the network. With thousands of connected devices, located haphazardly at different places, this is easier said than done. One in five enterprise security leaders considers the visibility of the IoT devices in their networks as their biggest challenge.

Most conventional security controls and discovery tools do not recognise IoT devices. These tools display only the IP address. They seldom list the nature of the device, the location, the connections, and the controls running on the device. As such, security teams remain in the dark about any vulnerability at these endpoints. A spin-off threat is a lack of visibility into the physical condition of the devices, which may even cause loss of lives in the case of damaged medical devices.

• Undertake periodic asset inventory. Account for each device connected to the network. Evaluate the devices. Replace vulnerable devices that fail security tests, or place security controls around such devices to mitigate the risk.
• Chalk out a holistic risk management approach. Identify the risks posed by vulnerable IoT devices and the business impact of such risks. Prioritise countermeasures to pre-empt risks.
• Deploy AI-powered network monitoring tools. Conventional network monitoring tools may detect large-scale breaches. But several small-scale attacks or micro-breaches take place under the radar. Very few enterprises notice hackers compromising an IoT controlled printer or web camera, and leak information out in small doses. The damages can devastate. Train the algorithms to detect normal traffic, to flag abnormal traffic promptly. Many banking and financial enterprises integrate blockchain and machine learning to identify abnormal transactions.
• Deploy tools that close TCP connections on reaching a certain threshold. This mitigates the worst of the impact and ensures business continuity.

Early detection is the most effective defence against DDoS attacks that plague IoT dominated networks. Shutting down the network at the first signs of an attack preempts the damage.

3. Choose the Right Vendors

The IoT market is under extreme market pressure. Competitive pressures make device manufacturers focus on reducing costs and speeding up time-to-market. In the process, testing and security take a backseat.

Microcontrollers, which drive IoT devices, have limited memory and computational power. Many small yet critical devices, such as temperature and humidity sensors, cannot co-opt advanced security features. Many devices have vulnerable firmware, without security considerations co-opted in the design phase.

Do not compromise quality for cost or safety. Buy robust devices which:

• Co-opt safety considerations in the design phase. Make sure the device can receive security updates. High-end manufacturers offer devices capable of getting upgrades “over the air”. A vulnerable device, which leaves the door open for hackers, will cost more in ruinous regulatory fines, loss of customer confidence, and lawsuits.
• Allow custom preferences, such as disabling location information, remote access, and other features when not needed.
• Disclose privacy policies and how they handle data.
• Adhere to security best practices and regulatory protocols. Regulations on IoT security are evolving. A recent UK law mandates consumer smart devices to adhere to three basic security requirements for IoT.
• Offer the option of standalone operations in case of connectivity problems.

4. Strengthen the Network Architecture

Robust network architecture, with the loose ends plugged, increases the security of IoT enabled networks. The sheer volumes of user data make effective management and control difficult. Another challenge is reconciling legacy infrastructure with new devices. For instance, many smart home providers retrofit existing equipment with plug-and-play devices and sensors. A complete replacement of legacy assets is rarely viable financially. The cross-link between a legacy device and a smart sensor inevitably leaves a gap.

• Design ring-fenced networks. Create tailored solutions for niche applications.
• Make the network architecture resilient. Have different servers located on multiple networks, with diverse paths, and situated at distant locations. Remove bottlenecks such as using a single source of Internet connection that could potentially become a single point of failure.
• Adopt Model Risk Management protocols, which include data governance structure, workflows, stress testing, regulatory compliance, and performance monitoring.

5. Do Not Forget the Basics

Many high-profile breaches have exploited basic vulnerabilities and oversights. Many enterprises neglect the basics. They do so at their peril.

• Change default passwords into strong passwords capable of withstanding brute force attacks. Many IoT devices come with weak default passwords. Weak, easy-to-guess password leaves the IoT device susceptible to brute force attack. The issue became so grave that the state of California, USA, banned default passwords in 2018. Avoid low-cost devices that do not have the option to change default passwords.
• Make regular updates. Regular updates are security best practices for all IT deployments, and more so for IoT environments. Software updates keep IoT devices safe from the latest vulnerabilities.
• Deploy tools such as network firewalls, web application firewalls, and load balancers as additional layers of protection.

Vulnerabilities threaten the all-important trust element that keeps the digital ecosystem resilient. Enterprises have to take a proactive approach to secure their IoT connected ecosystems and keep trust.