Plugging the Security Gaps in Your IoT Infrastructure

Posted by Andrew McKenna on May 23, 2017 at 11:58 AM

The Internet of Things (IoT) is growing at such a fast rate that it can feel out of control. Almost 23 billion devices will be connected by 2021, tripled from 2016. With such explosive growth, where everything from delivery trucks to building surveillance systems, microwave ovens to TVs are now connected, security is a serious challenge. The stakes are too high to ignore, so taking the proper steps to regain control and protect your organization from IoT security gaps is a must.

In this two-part blog series, we will discuss common vulnerabilities within IoT devices and how best to secure them.

PART I:
IoT Security - Where Organizations Go Wrong

Let’s first look at where IoT system vulnerabilities tend to occur:

  • At the firmware level
    Some IT leaders maintain that if they can keep attackers out of their network, they don’t have to worry about the security of individual devices. But it’s virtually impossible to keep attackers out of networks, especially when you accept the possibility that a single malicious employee, contractor, vendor, or customer could become an inside hacking threat. Even air-gapped systems are vulnerable when malware can jump the gap between systems, as famously happened in 2010 with Stuxnet.
  • At the software level
    The largest attack surface for IoT devices is the application software running on the devices and the servers they communicate with. IoT organizations might take a page from the software industry playbook that emphasizes constant application testing at all stages of design, implementation, and launch. The most responsible software companies also ensure that security is built into their applications by properly training their developers, testers, and engineers before they write a single line of code.

The Top Five IoT Security Weak Points

Four key conditions often account for the major points of IoT security weakness. Addressing each of these issues will dramatically reduce your organization’s exposure to potential harm:

  1. Insufficient security training
    Most organizations don’t have sufficient in-house expertise to keep their IoT systems secure day in and day out. Developers, testers, operators, and system administrators often lack the training to identify common vulnerabilities, understand why they’re dangerous, and mitigate their risks. Without this in-house security expertise, IT staff don’t recognize system vulnerabilities until after a hack or breach occurs. People can’t protect themselves if they don’t understand the threat.
  2. Insecure deployment
    In addition to this lack of in-house knowledge, when organizations deploy IoT systems, they’re also typically constricted by tight deadlines and inadequate in-house experience. These combined constraints, coupled with complex documentation and deployment processes, will inevitably leave systems unsecured and vulnerable to hacks and breaches.
  3. Infrequent firmware updates
    Updating firmware on IoT devices can be a daunting task. It’s understandable that an organization may want to avoid the hassle and potential business risk of updating firmware regularly, especially if the business doesn’t have trusted processes in place. But firmware releases often contain critical security updates. By skipping releases, not only does an IoT infrastructure get out-of-date; it also becomes vulnerable to threats.
  4. Unsupported legacy systems
    IoT devices tend to have a much longer lifespan than typical software applications, largely because they are physical devices, some of which have relatively high capital costs (think refrigerators and TVs). The legacy systems supporting these devices can be difficult to keep up-to-date, and may have vulnerabilities that can't easily be patched due to legacy design issues or a lack of vendor support.
Stay tuned for PART II: How Best to Secure Your IoT Infrastructure.

Topics: application security, application risk & compliance, internet of things

Andrew McKenna

Written by Andrew McKenna

Andrew leads Security Innovation’s IoT Center of Excellence. An engineer with over 5 years of industry experience, Andrew is an accomplished expert in IoT systems. Andrew has vast experience securing IoT systems such as PLC firmware, NFC hardware, wireless door locks, point of Sale (PoS) devices, mobile phone firmware drivers, Thales Hardware Security Module (HSM), wireless protocols (GSM, Bluetooth, Zigbee, Z-Wave, NFC, RFID), and many others.