Connectivity is no longer limited to computers; it has extended to the appliances we use in day-to-day life. Demand for IoT-based systems grew during the pandemic-induced hybrid working model, with devices deployed to make remote access easier and to enforce COVID-appropriate behaviour on the premises.
With the ever-increasing usage of IoT devices (Gartner predicts that 47% of companies plan to increase their investments in IoT despite the COVID-19 onslaught), the need to secure IoT devices from adversaries has risen proportionally. Kaspersky reported that “the first half of 2021 witnessed 1.51 billion breaches of IoT devices taking place, with over 58% done with the intent of cryptocurrency mining, distributed denial-of-service (DDoS) shutdowns or pilfering confidential data.”
The findings further confirm that many of the compromised devices lacked basic security controls. With IoT devices now connected to an organisation's critical assets (such as its cloud environment), it is important to safeguard them, because attackers will see them as footholds from which to carry out further attacks.
Challenges to IoT security
Presence of Shadow IoT:
Shadow IoT refers to unauthorised devices brought in by employees that operate on the office network. The growing use of personal devices such as smartwatches and speakers expands the attack surface: unmanaged devices, lacking the security controls the firm requires, can sit unnoticed within the environment. Threat actors can exploit such endpoints to gain a foothold in the network.
To keep shadow IoT from posing a security risk, isolate such devices on a separate network segment. That segment should allow each device only the traffic its designated service needs, while inspecting requests that enter it from elsewhere. With a Secure Access Service Edge (SASE) model, the same policy enforcement and device monitoring can be applied to devices outside the office perimeter.
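The segmentation rule above is easiest to reason about as an explicit allow-list: each device type may reach only its designated services, nothing in the IoT segment may reach corporate hosts that are not listed, and only a management host may initiate connections into the segment. The following is an added example (not code from the original article or from any vendor) that evaluates such a policy over constructed flow records; the address plan, device types and management host are assumptions.

```python
"""Allow-list policy for an isolated IoT segment, checked against constructed flow records.

Assumptions (hypothetical, not from the article): IoT devices sit in 10.50.0.0/24,
corporate systems in 10.10.0.0/16, and the management host 10.10.9.9 is the only
system allowed to initiate connections into the IoT segment.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

IOT_SEGMENT = ip_network("10.50.0.0/24")
CORP_SEGMENT = ip_network("10.10.0.0/16")
MGMT_HOST = ip_address("10.10.9.9")
DNS_RESOLVER = ip_network("10.50.0.1/32")   # resolver living inside the IoT segment

# Egress allow-list per device type: (destination, protocol, port).
# "internet" means any globally routable address; corporate hosts must be listed one by one,
# so a device can never reach an internal server just because it may reach the internet.
EGRESS_POLICY = {
    "smart-speaker": [("internet", "tcp", 443), (DNS_RESOLVER, "udp", 53)],
    "badge-reader": [(ip_network("10.10.5.20/32"), "tcp", 8443), (DNS_RESOLVER, "udp", 53)],
}
# Ingress allow-list: what may be initiated into the IoT segment from outside it.
INGRESS_POLICY = [(MGMT_HOST, "tcp", 22), (MGMT_HOST, "tcp", 443)]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    device_type: str = "unknown"


def _dst_matches(dst, rule_dst) -> bool:
    if rule_dst == "internet":
        return dst.is_global
    return dst in rule_dst


def flow_allowed(flow: Flow) -> bool:
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if src in IOT_SEGMENT:
        # Egress from the IoT segment: only the device type's designated services.
        # An unregistered device type has no rules and is therefore denied (default deny).
        rules = EGRESS_POLICY.get(flow.device_type, [])
        return any(_dst_matches(dst, rd) and flow.proto == p and flow.dport == port
                   for rd, p, port in rules)
    if dst in IOT_SEGMENT:
        # Ingress into the IoT segment: only the management host on listed ports.
        return any(src == rs and flow.proto == p and flow.dport == port
                   for rs, p, port in INGRESS_POLICY)
    return True   # traffic that never touches the IoT segment is out of scope here


def audit(flow_log: str) -> list:
    """Parse 'src dst proto dport device_type' lines and return the flows that violate policy."""
    violations = []
    for line in flow_log.strip().splitlines():
        src, dst, proto, dport, dev = line.split()
        flow = Flow(src, dst, proto, int(dport), dev)
        if not flow_allowed(flow):
            violations.append(flow)
    return violations


# Constructed sample flow log (not real traffic).
SAMPLE_FLOWS = """
10.50.0.23 142.250.74.78 tcp 443 smart-speaker
10.50.0.23 10.50.0.1 udp 53 smart-speaker
10.50.0.23 10.10.3.40 tcp 445 smart-speaker
10.50.0.41 10.10.5.20 tcp 8443 badge-reader
10.50.0.77 10.10.5.20 tcp 8443 unknown
10.10.9.9 10.50.0.41 tcp 22 badge-reader
10.10.4.15 10.50.0.23 tcp 80 smart-speaker
"""

if __name__ == "__main__":
    for v in audit(SAMPLE_FLOWS):
        print("DENY", v)
```

Three of the seven sample flows are denied: the speaker probing an internal SMB port, an unregistered device talking to the badge server, and a corporate workstation connecting into the segment. The same allow-list translates directly into firewall or VLAN ACL rules; keeping it as data makes it reviewable and testable before deployment.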
Security posture of third parties:
Careless security practices by third-party IoT providers inevitably affect the organisations that deploy their products. A main reason is the lack of a compliance regime standardising IoT security. In addition, missing firmware updates and the absence of a route for reporting and fixing bugs give attackers leeway to exploit known vulnerabilities.
Such shortcomings can be reduced by testing the device for bugs and security gaps through software testing and vulnerability assessment, and by fixing what is found. Standardised rules help too; for instance, the Product Security and Telecommunications Infrastructure (PSTI) bill introduced by the British government aims to set cybersecurity standards for manufacturers and distributors of IoT and other internet-connectable gadgets. Device updates can be delivered on a timely basis using Over-The-Air (OTA) updates, where firmware and software are updated remotely without physical access to the hardware. The OTA channel itself must then be protected: a device should install only images whose manifest is signed by the vendor, whose hash matches the signed manifest, and whose version is newer than the one installed, otherwise the update mechanism becomes the easiest way to load malicious firmware.
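The checks an OTA client must perform before applying an image are shown below in an added example (not code from the original article or from any vendor's update client). The manifest format, the version scheme and the key handling are assumptions; in particular, HMAC-SHA256 with a key provisioned to the device stands in here for the vendor's asymmetric signature, which in production would be Ed25519 or RSA-PSS so that the device never holds a key capable of signing.

```python
"""Verifying an OTA firmware package before installing it (added example, constructed data).

The checks are: (1) the manifest is authentic, (2) it targets this hardware model,
(3) the version never goes backwards, (4) the image bytes match the signed manifest.
HMAC with a provisioned key is a stand-in for the vendor's asymmetric signature.
"""
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-demo-key-do-not-use"   # constructed for the example, not a real key


def sign_manifest(manifest: dict, key: bytes = SIGNING_KEY) -> bytes:
    """Vendor side: canonical JSON so vendor and device hash identical bytes."""
    blob = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, blob, hashlib.sha256).digest()


def build_package(image: bytes, version: int, model: str) -> dict:
    """Vendor side: bind model, version, size and image hash into one signed manifest."""
    manifest = {"model": model, "version": version,
                "sha256": hashlib.sha256(image).hexdigest(), "size": len(image)}
    return {"manifest": manifest, "signature": sign_manifest(manifest).hex(), "image": image}


def verify_package(pkg: dict, installed_version: int, model: str, key: bytes = SIGNING_KEY) -> str:
    """Device side: return 'ok' or the reason the package must be rejected."""
    manifest, image = pkg["manifest"], pkg["image"]
    # 1. Authenticity first: nothing in the manifest is trusted until the signature holds.
    expected = sign_manifest(manifest, key)
    if not hmac.compare_digest(expected, bytes.fromhex(pkg["signature"])):
        return "bad signature"
    # 2. Is this image meant for this hardware?
    if manifest["model"] != model:
        return "wrong model"
    # 3. Anti-rollback: never accept a version at or below the installed one, so an attacker
    #    cannot reinstall an old, vulnerable but validly signed image.
    if manifest["version"] <= installed_version:
        return "rollback rejected"
    # 4. Integrity: the signed manifest binds the exact image bytes.
    if len(image) != manifest["size"] or hashlib.sha256(image).hexdigest() != manifest["sha256"]:
        return "image hash mismatch"
    return "ok"


if __name__ == "__main__":
    img = b"\x7fELF constructed firmware image v5"
    pkg = build_package(img, 5, "cam-200")
    print(verify_package(pkg, 4, "cam-200"))                       # ok
    print(verify_package(pkg, 5, "cam-200"))                       # rollback rejected
    print(verify_package(dict(pkg, image=img + b"\x00"), 4, "cam-200"))  # image hash mismatch
```

Ordering matters: the signature is checked before any field of the manifest is read, so a tampered version number or model string is rejected as a forgery rather than being acted on. Only after the image is verified should it be written to the inactive slot and the device switched over, so that a failed or interrupted update leaves the old firmware bootable.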
Lack of authentication methods:
Relying on traditional password-only authentication poses a major risk of credential stuffing, i.e., the compromise of one user account lets attackers reuse the same credentials for unauthorised access across other platforms. A prominent example is the breach of Ring's IoT-based home security systems, in which over 3,600 accounts were exposed, a major violation of individual privacy.
IoT manufacturers must instil practices that promote better password hygiene, such as requiring special characters and regular password changes to prevent stagnation (current guidance such as NIST SP 800-63B favours long passphrases and screening against known-breached passwords over forced rotation). Although such rules are cheap to implement, they are highly prone to human error and carelessness. Hence multi-factor authentication and context-based access should be implemented for stronger authentication. By considering both user and device identity when granting access, context-based access ties a session to a specific user and device, which makes stolen credentials hard to reuse elsewhere, and also enforces access control.
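Credential stuffing has a recognisable shape in authentication logs that is different from a brute-force attack on a single account: one source tries many different usernames, usually once each, because it already has the passwords from another breach. The following is an added example (not code from the original article or from AD360) that flags that pattern over constructed log lines and records any login that succeeds from a source already seen stuffing, which is exactly the login where a context-based check or MFA step-up should fire. The log format and thresholds are assumptions.

```python
"""Spotting credential stuffing in authentication logs (added example, constructed data).

A source IP is flagged once it has failed logins for DISTINCT_USER_THRESHOLD or more
distinct usernames within WINDOW_SECONDS. Successful logins from a flagged source are
recorded separately: those are the accounts to step up or lock.
"""
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 300          # assumed sliding window
DISTINCT_USER_THRESHOLD = 5   # assumed threshold of distinct usernames per source


def parse_line(line: str) -> tuple:
    # Constructed format: "<ISO time> <src_ip> <user> <LOGIN_OK|LOGIN_FAIL>"
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "LOGIN_OK"


def detect_stuffing(log: str) -> dict:
    """Return {ip: {"flagged_at": ts, "users": [...], "successes_after_flag": [...]}}."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, user) failures inside the window
    flagged = {}
    for line in log.strip().splitlines():
        ts, ip, user, ok = parse_line(line)
        if ok:
            if ip in flagged:
                flagged[ip]["successes_after_flag"].append(user)
            continue
        q = recent[ip]
        q.append((ts, user))
        # Drop failures that have aged out of the window.
        while q and (ts - q[0][0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()
        distinct = {u for _, u in q}
        if len(distinct) >= DISTINCT_USER_THRESHOLD and ip not in flagged:
            flagged[ip] = {"flagged_at": ts, "users": sorted(distinct), "successes_after_flag": []}
    return flagged


# Constructed sample log: one stuffing source, one legitimate user with a typo,
# and one single-account brute force that must NOT be flagged as stuffing.
SAMPLE_LOG = """
2021-09-01T10:00:01 203.0.113.7 alice LOGIN_FAIL
2021-09-01T10:00:08 203.0.113.7 bob LOGIN_FAIL
2021-09-01T10:00:15 203.0.113.7 carol LOGIN_FAIL
2021-09-01T10:00:22 203.0.113.7 dave LOGIN_FAIL
2021-09-01T10:00:30 203.0.113.7 erin LOGIN_FAIL
2021-09-01T10:00:37 203.0.113.7 frank LOGIN_OK
2021-09-01T10:01:00 198.51.100.4 alice LOGIN_FAIL
2021-09-01T10:01:20 198.51.100.4 alice LOGIN_OK
2021-09-01T10:02:00 192.0.2.9 bob LOGIN_FAIL
2021-09-01T10:02:05 192.0.2.9 bob LOGIN_FAIL
2021-09-01T10:02:10 192.0.2.9 bob LOGIN_FAIL
2021-09-01T10:02:15 192.0.2.9 bob LOGIN_FAIL
2021-09-01T10:02:20 192.0.2.9 bob LOGIN_FAIL
2021-09-01T10:02:25 192.0.2.9 bob LOGIN_FAIL
"""

if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(ip, "stuffing", info["users"], "then succeeded as", info["successes_after_flag"])
```

Only 203.0.113.7 is flagged; the repeated failures for bob from 192.0.2.9 are a different attack (single-account brute force) and are better handled by per-account lockout or rate limiting. In a real deployment the "successes_after_flag" list is the trigger for forcing MFA, binding the session to a known device, or invalidating the password.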
Inconsistent storage mechanism:
The omnipresence of IoT devices puts them in close proximity to users' personal information; in healthcare, for instance, IoT devices are extensively used to monitor an individual's vital signs. With no well-defined local databases, IoT devices rely on cloud-based systems for data storage, and that cloud storage can be exposed to data theft, APTs and other attacks through backdoors or misconfiguration.
As an alternative to centralised cloud storage, distributed ledger platforms such as blockchain can be adopted to store and secure data. A blockchain stores data as a chain of cryptographically linked blocks replicated across the network's nodes rather than on a single server. Note that a ledger protects the integrity and availability of what is written, not its confidentiality: sensitive readings such as vital signs still need to be encrypted before they are stored, whether on the ledger or off it.
How AD360 takes care of your IAM needs:
- Identity automation
- Identity lifecycle management
- Multi-factor authentication
- Hybrid IAM
- Identity protection with UBA
- Identity analytics