On October 21, 2016, an IoT security failure took a huge chunk of the internet offline for about a day. The culprit? A now-infamous botnet—a malicious avalanche of traffic, or distributed denial of service (DDoS) attack—called Mirai. The malware found tens of thousands of consumer IoT devices still running on default passwords. Mirai had those passwords.
Once it had control of the devices, Mirai mobilized them as an army of bots. The group behind the attack aimed the bots at a top domain name system (DNS) provider, apparently in an attempt to knock down the Playstation Network. Next thing you know, Reddit, Netflix, and Twitter were all unavailable for hours.
The same sort of breach could give hackers free rein over business IoT systems, with potentially disastrous effects, from stolen data to ransomware and worse. It happens. Cyberattacks on IoT devices more than doubled between the first half of 2020 and 2021, security firm Kaspersky told Threatpost.
But there’s good news, too: the 60-plus percent of companies that rely on IoT aren’t powerless to protect themselves. Cybersecurity in IoT has advanced a lot since 2016. Just make sure you choose IoT partners who embrace state-of-the-art defenses.
Today, many IoT systems run on self-service platforms, which allow all business users to build customized IoT applications without designing from scratch. So how do you decide which platform will provide the most peace of mind in the face of security threats?
Ask providers these five IoT security questions. Their answers will reveal whether they follow today’s best practices for IoT security, or whether you should keep searching.
5 IoT Security Questions to Ask IoT Platform Providers
You can’t apply traditional IT security strategies to IoT systems. With each device a potential vector of invasion, this new paradigm requires new approaches to cyber defense. To evaluate an IoT platform’s level of security, conduct an interview with providers—and start with these five IoT security questions:
1. What’s Your Overall Security Framework?
Cybersecurity is a robust field, with established strategies for creating reliable defenses. Your IoT platform provider should be able to describe these strategies. The European Union Agency for Network and Information Security recommends a defense-in-depth approach, in which multiple layers of defenses stop attacks: where one security perimeter fails, the reasoning goes, another will still stand.
Defense in depth maps tightly onto IoT systems, in which you (and your platform provider) must maintain at least three levels of security:
- Protecting devices themselves, including hardware, software, and network connectivity
- Protecting the IoT cloud, including the administrative layer and data access
- Compliance with data privacy laws, including, depending on your location, the General Data Protection Regulation (GDPR), local legislation, and industry certifications
To provide these multiple levels of protection, IoT platform developers may apply the standards of certifications like ISO 27001 or follow a DevSecOps (development, security, and operations) program, which integrates security at every step of the development process. They might do both, or take yet another approach. When in doubt, ask.
Microsoft, meanwhile, recommends zero trust principles for IoT security. This defense framework presumes all requests are guilty until proven innocent; it requires strong verification before providing access.
Note that defense in depth and zero trust are not mutually exclusive. Strong security in an IoT platform may include elements of both. In fact, a third strategy—security by design—involves the integration of multiple security policies at once, viewing security as a holistic requirement across the entire system and its lifecycle.
2. How Do You Enable Security Features in the Platform?
This is something of a trick question. Ideally, security features should be enabled by default. Likewise, device functions that open potential vulnerabilities should be disabled until you’re absolutely sure you need them.
On a related note, default passwords should be initially robust. You should also change passwords and usernames before deployment—a still-relevant lesson from the Mirai attack of 2016.
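As an added example (not from the original article), the following Python audit walks a device inventory and flags exactly the two conditions above: devices still on factory credentials and optional services left enabled. The vendor default table, the required-service sets and the inventory are constructed for the example.

```python
# Added example (not from the original article): audit an IoT device inventory
# for the two conditions section 2 warns about, credentials still at factory
# defaults and optional services left enabled. All data here is constructed.
from dataclasses import dataclass, field

# Constructed: factory credentials per model (placeholder values).
VENDOR_DEFAULTS = {
    "acme-cam-1000": ("admin", "admin"),
    "acme-gw-200": ("root", "changeme"),
}
# Constructed: services each device role actually needs. Anything else
# should stay disabled until there is a confirmed need for it.
REQUIRED_SERVICES = {
    "camera": {"https", "mqtt"},
    "gateway": {"https", "mqtt", "ssh"},
}

@dataclass
class Device:
    device_id: str
    model: str
    role: str
    username: str
    password: str
    enabled_services: set = field(default_factory=set)

def audit_device(dev: Device) -> list:
    """Return the findings for one device; an empty list means it passes."""
    findings = []
    default_user, default_pw = VENDOR_DEFAULTS.get(dev.model, (None, None))
    if dev.password == default_pw:
        findings.append("default password still set")
    if dev.username == default_user:
        findings.append("default username still set")
    # Any enabled service outside the role's required set is a finding.
    for svc in sorted(dev.enabled_services - REQUIRED_SERVICES.get(dev.role, set())):
        findings.append(f"unneeded service enabled: {svc}")
    return findings

def audit_inventory(devices) -> dict:
    """Map device_id -> findings for every device that fails the audit."""
    return {d.device_id: f for d in devices if (f := audit_device(d))}

# Constructed sample inventory; cam-02 is the only device that passes.
INVENTORY = [
    Device("cam-01", "acme-cam-1000", "camera", "admin", "admin", {"https", "mqtt", "telnet"}),
    Device("cam-02", "acme-cam-1000", "camera", "ops-cam", "S3cure!Pass", {"https", "mqtt"}),
    Device("gw-01", "acme-gw-200", "gateway", "ops-gw", "changeme", {"https", "mqtt", "ssh"}),
]
```

Run `audit_inventory(INVENTORY)` before deployment and treat any non-empty result as a blocker, not a warning.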
3. How Do You Prevent Security Breaches at the Device Level?
Device security can be tricky for IoT platforms; after all, they don’t always control the devices you use. Go with a provider that offers a library of pre-integrated devices to choose from—and ask if they’ve verified the security protocols in device firmware.
One key best practice is to only use devices that offer a hardware-based immutable root of trust. That’s a chip that verifies the authentic Basic Input/Output System (BIOS), the firmware that boots up the system. Without this verification, hackers could boot the device on a corrupted BIOS—one that gives them full control.
4. How Does the Platform Control User Access?
Don’t let malicious actors in through the front door. User control in IoT platforms is largely a question of authentication and authorization, but not all authentication protocols are equally robust. In keeping with zero-trust security, platforms should protect system resources individually.
The most common protocol for resource authorization is OAuth2; choose a platform provider that supports OAuth2 and, better still, Single Sign-On (SSO), with authorization to resources varying by assigned user role. And speaking of roles, look for role-based access control (RBAC) in your IoT platform. This lets you assign different levels of access rights to everyone involved in your IoT project—from administrators to in-house users to third-party partners.
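An added example (not the article's or any platform's code) of how a deny-by-default RBAC check applies the roles named above to each individual resource. The role names, permissions and sample principals are constructed, and the principal is assumed to be the already-authenticated identity (for instance, the claims from an SSO or OAuth2 token).

```python
# Added example (not from the original article): a deny-by-default
# authorization check for an IoT platform using the three roles section 4
# names (administrator, in-house user, third-party partner). Each request is
# checked individually against the role's permissions and, where a principal
# carries a device list, against that list. All names and data are constructed.

# Constructed role -> set of (resource type, action) pairs. Anything not
# listed here is denied; there is no fallback "allow".
ROLE_PERMISSIONS = {
    "administrator": {("device", "read"), ("device", "configure"),
                      ("device", "update_firmware"), ("data", "read"),
                      ("data", "export"), ("user", "manage")},
    "in_house_user": {("device", "read"), ("device", "configure"),
                      ("data", "read")},
    "third_party_partner": {("device", "read"), ("data", "read")},
}

def authorize(principal: dict, action: str, resource: dict) -> tuple:
    """Return (allowed, reason). `principal` is the verified identity from the
    authentication step (assumed: claims from an SSO/OAuth2 token); `resource`
    is the individual object being accessed, identified by type and device id."""
    role = principal.get("role")
    if role not in ROLE_PERMISSIONS:
        return False, f"unknown role {role!r}"
    if (resource["type"], action) not in ROLE_PERMISSIONS[role]:
        return False, f"role {role} may not {action} {resource['type']}"
    # Per-resource scoping: a principal with an explicit device list may only
    # touch those devices. A missing list means no device restriction.
    scope = principal.get("device_scope")
    if scope is not None and resource["device_id"] not in scope:
        return False, f"device {resource['device_id']} outside scope"
    return True, "allowed"

# Constructed principals as they would look after authentication.
ADMIN = {"sub": "alice", "role": "administrator"}
OPERATOR = {"sub": "bob", "role": "in_house_user"}
PARTNER = {"sub": "vendor-x", "role": "third_party_partner",
           "device_scope": {"cam-01", "cam-02"}}

if __name__ == "__main__":
    req = {"type": "device", "device_id": "gw-01"}
    for who in (ADMIN, OPERATOR, PARTNER):
        print(who["sub"], authorize(who, "update_firmware", req))
```

The reason string is meant to be logged on every deny, which gives the SOC a record of who tried to reach which device outside their role or scope.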
5. How Do You Handle Software and Firmware Updates?
The sooner you apply updates, the more secure your overall system will be. But in an IoT system with dozens (or hundreds) of devices, there’s no way to stay up to date using manual methods alone.
Instead, look for IoT systems that support over-the-air (OTA) updates, which push new versions of software and firmware out to devices through the cloud. You should also ask how the update servers are secured, how connections to devices are protected, and how update packages are encrypted.
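An added example (not from the original article) of the checks a device should run on an OTA package before installing it: manifest authenticity, image integrity and anti-rollback on the version. The package format and keys are constructed, and HMAC-SHA256 stands in for the signature so the code needs only Python's standard library; a production device would hold only a public key and verify an asymmetric signature.

```python
# Added example (not from the original article): the checks a device should
# apply to an over-the-air update package before installing it: manifest
# authenticity, image integrity and anti-rollback on the version. Package
# format and keys are constructed. Assumption: HMAC-SHA256 stands in for the
# signature so the block needs only the standard library; a real device holds
# only a public key and verifies an asymmetric signature (e.g. Ed25519), so a
# compromised device cannot forge updates for the rest of the fleet.
import hashlib
import hmac
import json

# Constructed device-side state: verification key and installed version.
VERIFY_KEY = b"constructed-demo-key-not-for-production"
INSTALLED_VERSION = 7

def build_package(image: bytes, version: int, key: bytes) -> dict:
    """Server side (constructed): sign a manifest carrying the image hash and
    version. Signing the manifest rather than the raw image keeps the version
    under the signature, which is what makes the rollback check trustworthy."""
    manifest = {"version": version, "sha256": hashlib.sha256(image).hexdigest()}
    body = json.dumps(manifest, sort_keys=True).encode()
    sig = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"manifest": body, "sig": sig, "image": image}

def verify_package(pkg: dict, key: bytes, installed_version: int) -> tuple:
    """Device side: return (ok, reason). The signature is checked before the
    manifest is parsed, so unauthenticated bytes never reach the JSON parser."""
    expected = hmac.new(key, pkg["manifest"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, pkg["sig"]):
        return False, "manifest signature invalid"
    manifest = json.loads(pkg["manifest"])
    if hashlib.sha256(pkg["image"]).hexdigest() != manifest["sha256"]:
        return False, "image hash mismatch"
    if manifest["version"] <= installed_version:
        return False, "rollback refused"
    return True, "ok"

if __name__ == "__main__":
    good = build_package(b"constructed firmware image v8", 8, VERIFY_KEY)
    print(verify_package(good, VERIFY_KEY, INSTALLED_VERSION))
    old = build_package(b"constructed firmware image v6", 6, VERIFY_KEY)
    print(verify_package(old, VERIFY_KEY, INSTALLED_VERSION))
```

Encrypting the package in transit is a separate concern from these checks; a device that skips signature or version verification will install a downgrade even over an encrypted channel.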
Overcoming the Challenge of Cybersecurity in IoT Platforms
The promise of IoT—extraordinarily rich data collection, unprecedented automation, real-time data flow, and more—makes the technology essential for competition. The same characteristics that create these benefits contribute to a new set of security challenges.
Most IoT devices are designed to be as compact as possible, both in physical size and in computing power. That doesn’t always leave room for security features. Even worse, the IoT market hasn’t settled on standardized security protocols across all stakeholders. Device manufacturers may take entirely different approaches to authentication, for instance. Platform providers, systems integrators, and operators themselves may not all be on the same page.
Choosing a single self-service IoT platform removes that fragmentation. These platforms make the holistic security-by-design strategy relatively simple. But before you partner with any platform provider, make sure to understand how they handle security. The IoT security questions listed above are a great place to start.