Rethinking the security of connected devices in an era of hybrid working

Internet of Things (IoT) adoption is growing rapidly across numerous industry verticals and among consumers worldwide, leading to a growing attack surface and new threat landscape.

The use of IoT devices has rocketed during the pandemic, with more people working from home, yet many of the devices are inherently insecure, raising concerns about the risks of IoT security. 

With more non-business IoT devices connected to corporate networks as employees work remotely, cyber adversaries have more avenues to access and exploit sensitive business data. Consumer IoT devices are not spared, either.

A December 2020 Department for Digital, Culture, Media and Sport (DCMS) report by Ipsos Mori found that on average, UK households purchased two smart devices in the first nine months of the pandemic alone, which widened attack surfaces and created more opportunities for cybercriminals to attack.

Limitations to security controls in devices

Consumers and businesses have largely relied on embedded security to safeguard their IoT devices. But this is insufficient - many devices have hardware limitations that make it difficult to implement standardised embedded security features.

For instance, certain IoT devices do not have sufficient storage or processing power to support logging or cryptographic abilities that protect sensitive information from being processed, making them vulnerable. To make matters worse, the billions of already-deployed legacy devices cannot be retrospectively designed for security and pose a significant threat to the network.

Even if an IoT device is built securely, vulnerabilities could be inserted – intentionally or otherwise – into devices from any one node within a manufacturer’s diverse supply chain, and these might not be visible when the device is shipped. Variables in real-world deployments can also lead to different risk profiles. 

The exploitation of IoT vulnerabilities on a large scale will become more prevalent as IoT implementation continues to grow across society. In January 2021, the BBC reported how the government had given out laptops in England to support vulnerable children’s home-schooling that contained malware.

Network-level IoT security

It’s clearly not enough for users of IoT devices – including companies, governments and consumers – to rely solely on embedded security features. Instead, organisations should adopt network-level IoT security based on a zero trust approach. In particular, there are three key security practices that should be executed in a zero trust approach, going by a “never trust, always verify” approach to all devices, users and nodes.

Firstly, organisations need full visibility of IoT devices on their network at any given time to help them understand the “attack surface” and important interdependencies: where IoT devices are located, which applications they are using, and how they are interconnected. Once visible to the organisation, IoT devices must be identified and assessed for risks when they connect to the network. Device visibility and identification can eliminate critical blind spots that attackers could otherwise exploit.

In addition, organisations need to practice continuous device and risk monitoring, in order to identify abnormal behaviours and threats. As IoT devices are designed for a fixed set of functionalities, their intended pattern of behaviour is often predictable, making it easier to monitor for abnormalities. 

Finally, visibility and continuous device and risk monitoring allow organisations to come up with security policies, taking enforcement actions vis-a-vis their IoT devices in real time to thwart cyberattacks. Such policies may include network segmentation, which creates “least access” zones for IoT devices by their function, reducing risk and limiting lateral movement of threats in case a device zone gets compromised. 

Leveraging new capabilities for IoT security

When it comes to zero-day threats, prevention is better than cure. With adversaries getting savvier than ever, the implementation of prevailing technologies in Machine Learning (ML) have made it an essential approach for IoT cybersecurity. 

ML models leverage an extensive, data-driven understanding of an IoT device’s expected behaviour on a network. This enables ML to easily learn patterns at scale and in real time, ultimately to automate device identification, proactively detect malicious deviations, and automatically prevent attacks. 

Additionally, as more organisations around the world extend their networks to hybrid cloud models, network-level IoT security should therefore also leverage cloud capabilities to deliver updated controls instantly, and even scale up or down based on the computational needs necessary to counter sophisticated, automated cyberattacks.

Public Sector must promote IoT security at scale

With the sheer scale of the IoT implementation across industries, and the seriousness of the threat of IoT-based attacks, many government authorities have proposed or enacted new policies and regulations.

The UK government’s recognition of the growing attack surface is illustrated by the publication of its Code of Practice for IoT Security, which  is undoubtedly a step in the right direction. Governments globally are exploring policy levers to enforce IoT security, concentrating on promoting measures that IoT device manufacturers should take when building or maintaining products. For example, the Code of Practice recommends manufacturers do not sell devices with default passwords. It also advises manufacturers to develop “a clear management and software update deployment plan”, and that they remain “transparent about the current state of update support”. 

In addition to the UK existing policy, in 2019, the European standards body ETSI published ETSI EN 303 645, the first globally-applicable industry standard on internet-connected consumer devices. It follows the approach of the UK government’s Code of Practice, setting out 13 provisions to which device manufacturers should adhere, such as an ability to ‘keep software updated’ and ‘make it easy for users to delete data’. But, again, the key focus was security specifically embedded in devices, and aimed narrowly at consumer IoT devices

Government policies that promote or mandate built-in IoT device security, though important, falls short, as it does not take into account the full threat landscape and risks to devices, users and networks.

As IoT devices are increasingly applied across varied use-cases, governments should also consider policies that promote network-level security in addition to embedded device security. 

We recommend that governments take the following approaches to promote effective network-level IoT security:

1. Encourage their businesses, government agencies and citizens to take steps to have a full inventory of all IoT devices on their networks, continuously monitor those devices for anomalous behaviour and threats, and take automated security policy enforcement actions vis-a-vis their IoT devices in real time to prevent cyberattacks and react to anomalous behaviour.
2. Promote the adoption of automated approaches to cybersecurity, specifically those that leverage machine learning.
3. Promote the use of the cloud and cloud-based security throughout economies.

Given the pervasive use of IoT across industries today – from businesses in healthcare to manufacturing to transportation – as well as by government agencies themselves – close cooperation and collaboration between governments and the private sector will be crucial to prevent cyber attackers from exploiting vulnerabilities in IoT devices.