5 Big IoT Security Challenges (And How To Overcome Them)

CRN talks to tech executives and engineers about some of the biggest IoT security challenges in the industry and how organizations can try to overcome them.

More Devices, More Problems

The IoT market continues to grow, and that means an increasing number of devices entering the world, opening up all kinds of new IoT security challenges.

It’s not that companies are looking to open the attack surface for hackers more than ever before. Many of them believe IoT applications can bring new value to businesses, governments and consumers alike, but for IoT to be a net benefit, organizations developing and using IoT applications need to ensure that they are secure as possible and do more good than bad in the world.


However, there are no silver bullets to doing IoT security right.

“There is no single solution that will solve all the problems,” said Anahit Tarkhanyan, an IoT security architect and principal engineer at semiconductor giant Intel. “It is a process and a process that requires all the participants and supply chain in an ecosystem to work together.”

What follows are five big IoT security challenges and how organizations can try to overcome them, based on interviews with executives at IoT security startups and other companies.

Investing In Infrastructure To Protect OT Environments

Grant Geyer, chief product officer at industrial cybersecurity vendor Claroty, said one major challenge with IoT security is that there is a “very high barrier” for industrial companies to invest in the right infrastructure to scan operational technology environments for potential threats.

Without the right infrastructure, companies could face “earth-shattering compromises, as there’s economic implications of supply chains being impacted or public safety implications around utilities being impacted” in the event of a cyberattack, according to Geyer.

Industrial companies may be reluctant to install security appliances and sensors because of the amount of time it can take to do so, which could force them to turn off machine systems and slow down productivity as a result, he added.

“It could take weeks or months for organizations to allocate infrastructure, go through a change management process and get an approved window to install equipment,” Geyer said.

Geyer said companies that are struggling to invest in the proper infrastructure should look to solutions that don’t require any, such as Claroty’s new “zero-infrastructure” cybersecurity solution, called Claroty Edge, which can provide companies with visibility into industrial networks quickly without needing to make any physical changes to environments.

Claroty Edge is a new addition to the Claroty Platform, which also includes cloud and on-premises threat detection capabilities for industrial networks.

“We’re hoping to relieve a lot of the pressure on cyber teams and asset owners to operationalize defenses and help secure their environments,” he said.

The Dangers Of Ransomware And IT-Born Attacks

Another big challenge is one that goes beyond purely IoT-related security matters: ransomware attacks and other kinds of cyberattacks that originate in IT environments that can impact IoT devices and operational technology environments.

“Increasingly, ransomware is no longer a game of opportunistic infection but targeted activities against organizations that are in the critical infrastructure space and have the revenue and profitability to pay,” said Geyer, Claroty’s chief product officer.

A recent example includes the May 8 Darkside ransomware attack against Alpharetta, Ga.-based Colonial Pipeline, which jeopardized fuel access for more than 50 million Americans. Colonial reportedly paid a nearly $5 million ransom to Darkside to speed up the restoration process, but Colonial ended up using its own backups to restore its system because Darkside’s decryption tool was so slow.

In the case of Colonial, the company was reportedly hacked through an inactive account that didn’t use multifactor authentication for a virtual private network.

To Geyer and other security professionals, this underlines the fact that IT and OT operators need to think more holistically about the security of all their assets rather than thinking about different types of assets, like IoT devices, as separate categories that operate in their own siloes.

“Because hackers are just going to look for the weakest link to cause damage to the enterprise,” he said.

While there is no silver bullet to preventing ransomware and other kinds of attacks, Geyer said, organizations should take a multi-layered approach to security to reduce the chance of successful attacks. That means getting full visibility of the network as well as setting up threat detection services, firewalls, network access control and other kinds of security technologies. It also means training employees on best security practices, such as being judicious with links and attachments in emails.

“The digitization of everything means that there’s opportunities, if [devices are] not properly coded, to get access into the environment, which is why it takes a multi-layered approach,” Geyer said.

Geyer said good policymaking also has a role to play. As an example, he pointed to President Joe Biden’s May 12 cybersecurity executive order that includes a section dedicated to improving the security of software supply chains used by the federal government.

“Your first glance might be, ‘well, this is only about securing the federal government,’ but if you think about it, if every organization that provides software to the federal government — and there’s callout for IoT in there as well — has to have auditability, has to provide transparency, that same software is used by businesses and home users around the world,” Geyer said. “And so the trickle-down effect of that executive order should help ensure that there’s more diligence by organizations on securing the software that provides an entry point to so many attackers.”

Lack Of Security In IoT Devices

One of the major ongoing issues in IoT security is the lack of security in the IoT devices themselves, which can give attackers an easy entry point into networks.

“The biggest problem with IoT security is the device manufacturers themselves. They don’t know security at all. Not only is their code insecure, but their security implementations are typically flawed,” said Jeff Horne, chief security officer at Ordr, an IoT security startup.

These problems can range from devices with re-used or hard-coded passwords to devices using the same private encryption key, according to Horne. In addition, many organizations lack device management capabilities for IoT devices, which can leave many of those devices unpatched and, as a result, vulnerable to attacks.

While some of the devices may have strong security implementations, it’s better to assume that none of them do, Horne said, which is why he thinks it’s important for organizations to implement zero-trust architectures for their networks.

“Being able to isolate these things on the network, I think, is incredibly important,” he said. “There’s no reason why my dishwasher should be connected to my Active Directory infrastructure.”

Zero-trust architecture means isolating devices on the network and giving them the least privileges necessary for them to operate. That makes it important to have a good understanding of how such devices communicate and behave on the network. Horne said this is a major strength of Ordr’s software, which can then automatically generate granular security policies based on device behavior.
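To make the behavior-to-policy idea concrete, here is an added example (not Ordr’s software or anything from the article) that learns an allow-list from a hypothetical dishwasher’s observed flows, renders it as least-privilege firewall rules with a default deny, and then flags a later LDAP connection to a domain controller as outside the learned behavior. The IP addresses, ports and flow records are constructed.

```python
"""Behavior-derived least-privilege policy for one IoT device (added illustration)."""
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport proto")

# Constructed sample flows seen from a hypothetical networked dishwasher during a
# learning window: NTP to the local time server and HTTPS to the vendor cloud.
DISHWASHER = "10.0.5.20"
BASELINE = [
    Flow(DISHWASHER, "10.0.1.5", 123, "udp"),
    Flow(DISHWASHER, "203.0.113.10", 443, "tcp"),
    Flow(DISHWASHER, "203.0.113.10", 443, "tcp"),
]


def learn_policy(device, flows):
    """Allow-list of (dst, dport, proto) the device actually used; everything else is denied.
    Only flows sourced by the device are considered, so traffic from other hosts cannot
    widen this device's policy."""
    return {(f.dst, f.dport, f.proto) for f in flows if f.src == device}


def render_rules(device, policy):
    """Emit the allow-list as ordered, human-readable firewall rules ending in a default deny."""
    rules = [f"allow {proto} from {device} to {dst} port {dport}"
             for dst, dport, proto in sorted(policy)]
    rules.append(f"deny any from {device} to any")
    return rules


def check_flow(policy, flow):
    """Return 'allow' if the flow matches learned behavior, otherwise 'deny'."""
    return "allow" if (flow.dst, flow.dport, flow.proto) in policy else "deny"


if __name__ == "__main__":
    policy = learn_policy(DISHWASHER, BASELINE)
    for rule in render_rules(DISHWASHER, policy):
        print(rule)
    # The dishwasher suddenly tries LDAP to a domain controller: not in its learned behavior.
    unexpected = Flow(DISHWASHER, "10.0.1.10", 389, "tcp")
    print(unexpected, "->", check_flow(policy, unexpected))
```

In practice the learning window must be long enough to see rare but legitimate flows (firmware update checks, for example), or the generated policy will block them.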

Securing Devices Across Their Entire Lifecycle – At Scale

For manufacturers that want to implement strong security capabilities into their devices, it can be a challenge to ensure such devices are secure from inception to retirement.

Anahit Tarkhanyan, an IoT security architect and principal engineer at chipmaker Intel, said one of the issues is that there needs to be a secure way to keep devices updated throughout their lifecycle. This ensures that devices receive authorized patches so that they can continue to steer clear of evolving threats as many devices are expected to be in the field for years if not a decade or two.

“You can’t expect that for the 20 years you will have basically the same security posture. It evolves,” she said. “It’s a constant learning cycle on both ends.”

The best way to tackle this is to bake security into the hardware itself, according to Tarkhanyan. A key element of this is a hardware root of trust, which verifies that the device is running legitimate code; it is supported by multiple processor platforms from Intel and other chipmakers.

“You have to have a method to update, and you have to do it securely, and to do it securely, you do have to have that root of trust right in the platform,” she said.

Lancen LaChance, vice president for IoT Solutions at GlobalSign, a developer of public key infrastructure and identity and access management technologies, said device manufacturers are increasingly looking at Trusted Platform Module (TPM) technology as the foundation for hardware root of trust because of its standardized nature and the fact that it’s supported by multiple chip vendors.

With the TPM, manufacturers can provision and manage the identities of devices throughout their lifecycle, which GlobalSign is making easier through a new collaboration with IoT-focused OEM Eurotech, TPM module vendor Infineon and Microsoft, according to LaChance.

This ability to provision and manage device identities securely is important for building trust throughout the entire supply chain, which, in turn, improves the security posture for such devices, he added.

“At the build of the OEM product, we’re able to securely issue identities that are chained and trusted to specific roots and architectures for identity, so that in subsequent stages, when this device is sold or brought to a customer environment out in the field, that customer is able to leverage that trust chain that we built in there,” LaChance said.

Solutions like this can help device manufacturers improve the security of their devices by removing the heavy lifting required that could have served as a roadblock in the path, according to LaChance.

“Now we have a formula that says you can go and sign up and use this architecture that we’ve done all the design for, we’ve proved it out, it’s using standards-based components, and you get strong device identity [solution] that’s natively interoperable and almost to a degree plug-and-play with that ecosystem architecture,” he said.

The Increasing Number And Diversity Of Devices

Another big challenge in IoT security is the fact that the number of connected devices in the world continues to increase, as do the types of such devices, which, in turn, expands the attack surface and makes protecting networks even more complicated.

Jonathan Langer, co-founder and CEO of Medigate, an IoT security startup focused on health care systems, said this is becoming a bigger problem in the health care world because the coronavirus accelerated the demand for remote patient monitoring and telehealth solutions.

“[Devices for such use cases] are coming into play, and not only within the four walls of the hospital, but also in outpatient facilities, remote care, home health and so on,” he said. “We’re seeing IoT sweep into these other venues that we haven’t been focused on before with regard to patient health.”

This creates a need for greater visibility in these new environments and a need to secure the devices so that health care organizations can trust the data they collect, according to Langer.

“That’s what remote patient monitoring is all about: getting that data without getting the patients to come into the four walls of the hospital. So if we’re to trust it, we have to know that the device is secure,” he said.

Langer said IoT device visibility solutions like the one Medigate provides can help organizations identify the new kinds of devices coming online in these new environments. From there, organizations can put network segmentation policies in place, which can minimize the attack surface and limit an attacker’s ability to move laterally throughout a network.

But Langer admitted that there is still more work to be done to protect environments that fall outside of a health care organization’s network, like someone’s home.

“It’s one type of challenge when it’s in your network. When it’s outside looking in, that problem is compounded,” he said. “That definitely exacerbates [the problem], and that’s why I’m calling this out as something that we should be looking at as an industry.”