
Guest Post: Navigating the IoT security landscape

By Iain Davidson, senior product manager, Wireless Logic

According to IDC, spend on the internet of things (IoT) could reach almost $345 billion by 2027. The fastest adoption will be in applications such as irrigation and fleet management, with prominent use cases in other areas such as smart buildings and distribution automation. However, stakeholders in the IoT’s rapid growth must be mindful of the cybersecurity risks they face. They must safeguard the security of their infrastructure, solutions and products, whilst ensuring they fall in line with current – and incoming – legislation.

There can be no doubt the risks are real. Nokia’s Threat Intelligence Report of June last year found that IoT devices involved in distributed denial of service (DDoS) attacks increased fivefold in the space of a year. The number of these insecure devices (bots) engaged in botnet-driven DDoS attacks rose from around 200,000 to approximately 1 million.

The main risk for businesses investing in IoT technology is their own commitment to security, especially as IoT systems become more integrated into core products and systems and critical national infrastructure, expanding the target for cyberattacks.

Indeed, IoT’s integration into critical infrastructure, such as electric vehicle fleets, smart grids and cleaner energy solutions such as solar and battery storage, calls for proactive defence measures from both governments and enterprises. Connected energy solutions exchange high value data which makes them vulnerable to attacks. Disruption from any attack could be far-reaching and threaten the smooth running of these essential services. It is essential, therefore, that devices can be authenticated, and connections secured, as solutions are deployed.

The impact of IoT security legislation

Considering what is at stake, it would be strange if governments and international organisations weren’t calling out threats to the IoT. The UK’s National Cyber Security Strategy 2016-21 identified that, “poor security practice remains commonplace across parts of the (IoT) sector.” Meanwhile, last year’s World Economic Forum’s ‘State of the Connected World’ report, which examined governance gaps in IoT and related technologies, labelled cybersecurity the “second-largest perceived governance gap”.

In 2018, the UK published a Code of Practice for Consumer IoT Security, which contained guidelines for product security design and best practices. This influenced the European Telecommunications Standards Institute (ETSI) standard EN 303 645 – a source of guidance for IoT solution designers, along with standards IEC 62443 4-2 and ISO/SAE 21434.

Now, players in the IoT space must also consider the EU’s Cyber Resilience Act and the USA’s IoT Cybersecurity Improvement Act (for devices used by federal government), as well as sector specific legislation. Electric vehicle charge points in the UK, for example, are bound by security requirements which came into force in December 2022.

Then there is the impact of this year’s Product Security and Telecommunications Infrastructure (PSTI) Act. The product security regime comes into effect on 29 April to regulate consumer products such as routers, webcams and connected fridges. It has mandates around default passwords, vulnerability disclosures and transparency of update support periods.

All organisations with a vested interest in the IoT must be aware of relevant security legislation and act to ensure compliance. This can be no mean feat, particularly as IoT deployments are often international, or global, and legislation can vary from region to region.

Fortunately, help is at hand. Just recently, the Connectivity Standards Alliance (CSA) published its first version of an IoT device specification for a single IoT cybersecurity standard and certification programme. This offers a robust framework to drive optimised consumer product security and guide manufacturers on the path to compliance with standards such as ETSI EN 303 645 and NIST IR 8259 as well as the Cyber Resilience Act, the IoT Cybersecurity Improvement Act and PSTI.

IoT security best practice

The array of legislation and standards bodies ultimately points to a series of best practices that range from common sense approaches around keeping security credentials private, to some more sophisticated but cost-effective technology measures. However, it isn’t just about being compliant – it shouldn’t take legislation to prompt businesses to act. Cybersecurity attacks can do significant damage, operationally, financially and reputationally. That is surely all the motivation any organisation needs to protect and defend its IoT interests against the considerable threats to its security.

In fact, the only possible mitigation against the risks is to review the security of the current infrastructure and build in a strategy to defend, detect and react:

Defending against attacks

The IoT must be defended end-to-end. It’s insufficient to merely secure devices or networks in isolation. All infrastructure and elements – networks, devices, systems and applications – have to be secure against the slightest vulnerability. IoT stakeholders must assess their hardware and software, but also their processes and the training and skill levels of their people. Cyberthreats will exploit any weak links in the chain and these can occur anywhere.

Defence begins with managing all attack surfaces to prevent unauthorised access to infrastructure, devices and data. Companies with devices should utilise IoT SAFE, the interoperable SIM standard, to uniquely identify devices for mutual authentication between devices and applications.

That is just one measure of a multi-dimensional defence strategy that should also include secure communication, resilience against outages, software updates and clear data security policies. Regulatory compliance is a defence measure too, so companies need a strategy for assessment and regular internal audits to stay up to date with all requirements.

Anomaly detection

Security doesn’t end with defence. No matter how robust defence measures are, companies must be vigilant and still monitor their infrastructure, network traffic and solutions to detect any anomalies or potential breaches.

According to IBM Security/Ponemon Institute’s Cost of a Data Breach Report 2023, it takes a staggering 277 days to identify and contain an active data breach. Companies must react faster – much faster – than this and they can only do that if they are prepared.

They must monitor connected devices and network traffic to know what ‘normal’ looks like. They need anomaly detection to spot anything that could indicate trouble before it escalates. This is the embodiment of a pre-emptive stance, as opposed to a reactive approach to security breaches.

Detection engines can be device-agnostic and work with artificial intelligence programs to analyse data feeds and score any potential threats. Companies can act when they have identified issues and that can be automated or not, depending on the business rules. A detection could trigger direct action to isolate a perceived threat or send it for review.
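The baseline, score and act loop described above, as an added sketch that is not from the original article or any vendor's product. It uses a simple robust statistic (median and MAD) in place of an AI model; the device names, traffic figures and both thresholds are constructed assumptions standing in for a company's own business rules.

```python
from statistics import median

# Constructed sample: hourly bytes sent by two hypothetical devices during
# a known-good period. This is what 'normal' looks like for each of them.
BASELINE = {
    "meter-01": [510, 495, 502, 498, 505, 500, 507, 493],
    "charger-07": [2000, 2100, 1950, 2050, 1980, 2020, 2075, 1990],
}

# Assumed business rules: scores at or above these trigger the action.
REVIEW_AT = 3.5    # send to an analyst for review
ISOLATE_AT = 10.0  # automated isolation of the device
MIN_SAMPLES = 5    # below this there is no trustworthy baseline


def robust_score(history, value):
    """Modified z-score: distance from the median in units of MAD.

    Median/MAD are used instead of mean/stddev so that one earlier spike
    in the history does not inflate the baseline and hide later anomalies.
    """
    med = median(history)
    mad = median([abs(x - med) for x in history])
    if mad == 0:  # perfectly flat history: any change is maximally unusual
        return 0.0 if value == med else float("inf")
    return 0.6745 * abs(value - med) / mad


def triage(device_id, value, baselines=BASELINE):
    """Return (action, score) for one reading from one device."""
    history = baselines.get(device_id)
    if history is None or len(history) < MIN_SAMPLES:
        # Unknown or newly seen device: never auto-allow, never auto-isolate.
        return ("review", None)
    score = robust_score(history, value)
    if score >= ISOLATE_AT:
        return ("isolate", score)
    if score >= REVIEW_AT:
        return ("review", score)
    return ("allow", score)


def process_feed(readings, baselines=BASELINE):
    """Score a feed of (device_id, value) pairs; return non-'allow' results."""
    results = [(dev, val, *triage(dev, val, baselines)) for dev, val in readings]
    return [r for r in results if r[2] != "allow"]
```

The scoring is device-agnostic because it only compares each device with its own history; what counts as "review" versus "isolate" stays a policy decision expressed in the two thresholds.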

Reacting to minimise impact

Preparation is the precursor to success in mitigating the impact of cybersecurity incidents. Organisations that strategise, plan and rehearse their reaction (and make this a regular habit) will act more swiftly if they are faced with a cybersecurity issue. Reaction measures may include isolating a threat and possibly quarantining and cleaning affected devices.

They can draw on available tools and techniques to help them rehearse security scenarios. These include ‘digital twin’ virtual representations that model threats and ‘what if?’ workshops that step through scenario handling. Both can significantly enhance an organisation’s response capabilities if a real cyberthreat scenario ever played out.

Mitigating risks to IoT infrastructure and solutions

Navigating the IoT security landscape is not a one-off activity; companies must continuously assess, refine, reassess and rehearse security measures to mitigate risks to their IoT infrastructure and solutions. Cyberattacks will exploit any security weaknesses in technology, processes or the behaviour and actions of employees and suppliers that interact with IoT implementations. To make cybersecurity as robust as it must be, all stakeholders in the IoT must defend, detect and react to protect against security threats and comply with legislation.

Image by Joseph Mucira from Pixabay



