2018 prediction: securing IoT-connected devices will be a major cybersecurity challenge

For careless operators, an IoT-connected device could lead to breaches bigger and more invasive than we’ve ever seen.


Internet of Things (IoT)-connected devices no longer represent a niche market; rather they’ve become a mainstream part of our lives both inside and outside the workplace. Gartner predicts that nearly 20 billion IoT–connected devices will be online by 2020.

To illustrate this phenomenon, consider the Washington Post and Consumer Reports 2017 Holiday Tech Gift Guide where at least 12 out of 17 gifts were IoT devices. Chances are, you will interact with dozens of IoT devices each day, many even before you’ve had your first cup of coffee, which may have also been made by an IoT-connected device.

And while your coffee maker may not have been hacked, the last few years have seen some major breaches of IoT devices that have serious implications.

The Mirai botnet, first seen in August 2016, enlisted Internet-connected cameras and digital video recorders, largely by logging in with their factory-default credentials, to launch some of the largest DDoS attacks seen up to that point. In August 2017, concerns that security gaps could let an attacker manipulate the heartbeat-regulating device led to a recall of roughly 500,000 pacemakers.

While these devices are undoubtedly improving our lives and businesses in many ways, securing this massive number of devices will represent one of our biggest challenges in 2018. Fortunately, identity management can help because each device has an identity, as well as potentially multiple user credentials to manage. By creating three-way trust between the device, user and application we can drastically reduce the attack surface.

The case for IoT security standards

As even more people adopt IoT as a reality of the modern life and workplace, regulations are needed to ensure companies get security right and we don’t have to wait on an accident to course correct. 

Despite its relatively slow adoption of IoT, security guidelines are one area where the federal government has taken the initiative. Securing and supporting IoT was a priority set forth in the Commission on Enhancing National Cybersecurity’s report in December 2016, and, this year, the U.S. Senate introduced the Internet of Things Cybersecurity Improvement Act of 2017 to establish guidelines for securing devices procured by the U.S. government.

Similarly, companies should adopt a set of guidelines to ensure the secure development and deployment of IoT devices. At the heart of these standards ought to be identity-focused security solutions, which can help spur IoT security by managing the relationships between these devices, the entities controlling them, and the data being sent and received.

One resource to help create guidelines and drive the requirements for businesses to follow is the Open Web Application Security Project (OWASP), a nonprofit community that publishes freely available application security guidance, which lays out its IoT-specific suggestions in its IoT Attack Surface Areas Project.


The project provides a list of attack surfaces and standards that should be understood by manufacturers, developers, security researchers and those looking to deploy or implement IoT technologies within their organizations.

From device firmware to network services and physical interfaces, the OWASP guidance acts as a set of best practices for those who want the convenience of IoT without the inherent risk of connecting hundreds of devices across an organization. Laying out those risks makes clear that identity and access management capabilities bear on nearly every category, because weak credentials and missing authentication or authorization checks recur across the interfaces listed.

Covering the OWASP attack surface requires several steps. The first is to authenticate the user's identity on each interaction and then check that the user is authorized for that specific action on the IoT-connected device; authentication alone establishes who is asking, not what they may do.

Companies must also manage the human-device relationship. That means granting different permission levels to different users of the same IoT device, and it requires real people on the back end administering those access levels. For example, on my IoT-connected car, I may want my kids to be able to launch the video player but not to have permission to apply a software update and reboot.

The device lifecycle presents another attack surface. Organizations need to keep track of configuration versions on devices, monitor the baseline behaviors of users and apply more granular control of user permissions throughout the lifecycle of the device. One example is how I control which people in my family can use their fingerprints or voice to unlock my IoT-connected doors. We need a way to change the relationship between user and device dynamically, including revoking it outright when that relationship ends.
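The three points above (authenticate every request, authorize each specific action, and change or revoke a user's relationship to the device over its lifecycle) come together in the small device-side handler below. This is an added illustration, not code from the article or from any product it mentions. The device name, the user names, the shared-secret provisioning, the HMAC-SHA256 request format and the 30-second freshness window are all assumptions made for the example; a real deployment would typically bind requests to a device-held key pair rather than a per-user shared secret.

```python
import hashlib
import hmac
import secrets
import time

# Added example (not from the article). Assumed design: each user shares a
# secret with the device, every request is signed over (device, user, action,
# timestamp, nonce), and the device authenticates before it authorizes.
FRESHNESS_SECONDS = 30


class Device:
    """One IoT device holding its own identity and a per-user permission table."""

    def __init__(self, device_id):
        self.device_id = device_id
        self._secrets = {}         # user -> shared secret (assumed provisioned out of band)
        self._grants = {}          # user -> set of actions that user may invoke
        self._seen_nonces = set()  # nonces of accepted requests, to reject replays

    def enroll(self, user, secret, actions):
        self._secrets[user] = secret
        self._grants[user] = set(actions)

    def grant(self, user, action):
        self._grants.setdefault(user, set()).add(action)

    def revoke(self, user, action):
        self._grants.get(user, set()).discard(action)

    def remove_user(self, user):
        # Lifecycle event: the relationship ends, so credential and grants both go.
        self._secrets.pop(user, None)
        self._grants.pop(user, None)

    def handle(self, request, now=None):
        """Authenticate the caller, then authorize the specific action.

        Returns (accepted, reason). The signature is checked first so an
        unauthenticated caller learns nothing about the permission table.
        """
        now = time.time() if now is None else now
        user, action, ts, nonce, mac = request
        secret = self._secrets.get(user)
        if secret is None:
            return False, "unknown user"
        expected = _mac(secret, self.device_id, user, action, ts, nonce)
        if not hmac.compare_digest(expected, mac):
            return False, "bad signature"
        if abs(now - ts) > FRESHNESS_SECONDS:
            return False, "stale request"
        if nonce in self._seen_nonces:
            return False, "replayed request"
        self._seen_nonces.add(nonce)
        if action not in self._grants.get(user, set()):
            return False, "not authorized for this action"
        return True, "ok"


def _mac(secret, device_id, user, action, ts, nonce):
    # Binding device, user, action and time means a valid token for
    # "play_video" cannot be reused for "update_firmware" or on another device.
    msg = f"{device_id}|{user}|{action}|{ts}|{nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_request(device_id, user, secret, action, now=None):
    """Client side: build a signed, single-use request for one action."""
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    return user, action, ts, nonce, _mac(secret, device_id, user, action, ts, nonce)


def demo():
    """Walk through the car example from the text; returns the list of decisions."""
    now = 1_700_000_000  # fixed clock so the run is reproducible
    car = Device("car-1")
    parent_key = b"parent-secret-provisioned-at-enrollment"  # constructed sample secret
    kid_key = b"kid-secret-provisioned-at-enrollment"        # constructed sample secret
    car.enroll("parent", parent_key, {"play_video", "update_firmware", "reboot"})
    car.enroll("kid", kid_key, {"play_video"})

    results = []
    req = make_request("car-1", "kid", kid_key, "play_video", now)
    results.append(car.handle(req, now))  # accepted
    results.append(car.handle(req, now))  # identical request again: replay
    results.append(car.handle(make_request("car-1", "kid", kid_key, "update_firmware", now), now))
    results.append(car.handle(make_request("car-1", "kid", b"guessed-key", "play_video", now), now))
    results.append(car.handle(make_request("car-1", "kid", kid_key, "play_video", now - 600), now))
    car.revoke("kid", "play_video")  # the relationship changes at runtime
    results.append(car.handle(make_request("car-1", "kid", kid_key, "play_video", now), now))
    car.remove_user("kid")           # and can end entirely
    results.append(car.handle(make_request("car-1", "kid", kid_key, "play_video", now), now))
    return results


if __name__ == "__main__":
    for accepted, reason in demo():
        print("accepted" if accepted else "rejected", "-", reason)
```

The order of checks is deliberate: signature, then freshness, then nonce, then permission. A request that fails authentication never reaches the authorization table, and a replayed or stale request is dropped even when it was once legitimate, which is what keeps a captured "play video" message from being turned into a firmware update or reused after the kid's access has been revoked.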

Be both cautious and connected

Hackers are getting better at tricking us into handing over our credentials and that could spell disaster for a company that’s connected via IoT devices. For careless operators, an IoT-connected device could lead to breaches bigger and more invasive than we’ve ever seen.

But with some relatively simple cyber hygiene practices that stretch from the IT department to on-the-ground employees, organizations can stay connected and still be safe from cyberattacks.

This article is published as part of the IDG Contributor Network.
