Top IoT Security Concerns and Ways to Address Them

Bodil Josefsson, head of IoT Security at Ericsson, describes the four concerns she's noticed customers have at the top of their minds when devising IoT strategies. Josefsson then suggests how to address and overcome those concerns.


By 2023, the number of connected devices is forecast to reach 20 billion. This increase in volume is a growing challenge for service providers tasked with trying to keep their networks secure, as well as for enterprises and critical infrastructure entities deploying and managing devices. After all, nobody wants to fall victim to a DDoS (distributed denial-of-service) botnet attack.

With this in mind, it becomes clear why it’s paramount that security becomes a top-of-mind concern for all stakeholders in the IoT. This includes everyone from the service providers who need to meet service level agreements (SLAs) for secure uptime to the organizations managing and utilizing the deployed devices. Also included are the device manufacturers themselves, whose role and responsibilities in IoT security were thrust to the forefront by the Mirai botnet in 2016.

Below are four concerns I’ve noticed customers have on their minds when devising their IoT strategies, as well as some suggestions for how to reinforce end-to-end network and IoT operation security.

The 4 Top IoT Security Concerns

1. Identity and Access Management

Identity and access management (IAM) is normally associated with the human component of network and company resources. It’s not just end users who require this, however; it also extends to devices and applications, both of which need network and resource access. The legitimacy of their connection requests, and what they may have access to, need to be verified.

Devices left exposed in remote locations can easily be hacked and used to infiltrate an organization. Should this occur, the potential damage that it could cause must be closely controlled and limited, especially for control systems and critical infrastructure, for example, power plants and hydroelectric dams.

2. Data Integrity

Another area drawing customer concerns is data integrity. Data is the lifeblood of IoT operations. It’s critical that data’s integrity is robust. All parties involved must ensure that their data hasn’t been manipulated or tampered with while at rest, in transit or in use.

Privacy and confidentiality are another area related to data integrity. Personal data and any data generated by an IoT device must be protected, regardless of whether it’s in transit or at rest. Organizations should encrypt their data to ensure it arrives unaltered.
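The device-legitimacy check from section 1 and the tamper detection from section 2 can be sketched together. This is an added example, not code from Ericsson or the article: it uses an HMAC-SHA256 tag, because encryption alone hides data while detecting alteration needs an authentication tag. The provisioning secret, device ids and message layout are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo values; a real fleet keeps this secret in an HSM or secure element.
PROVISIONING_SECRET = b"constructed-demo-secret"
ENROLLED = {"pump-001", "pump-002"}  # hypothetical device ids


def device_key(device_id: str) -> bytes:
    """Per-device key, so one extracted key does not expose the whole fleet."""
    return hmac.new(PROVISIONING_SECRET, device_id.encode(), hashlib.sha256).digest()


def seal(device_id: str, counter: int, reading: dict) -> dict:
    """Device side: tag identity, counter and payload with HMAC-SHA256."""
    body = json.dumps({"device": device_id, "counter": counter, "reading": reading},
                      sort_keys=True)
    tag = hmac.new(device_key(device_id), body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class Receiver:
    """Backend side: accept only authentic, fresh messages from enrolled devices."""

    def __init__(self, enrolled):
        self.last_counter = {device_id: -1 for device_id in enrolled}

    def check(self, message: dict) -> str:
        try:
            body = message["body"].encode()
            tag = bytes.fromhex(message["tag"])
            fields = json.loads(body)
            device, counter = fields["device"], fields["counter"]
        except (AttributeError, KeyError, TypeError, ValueError):
            return "malformed"
        if not (isinstance(device, str) and isinstance(counter, int)):
            return "malformed"
        if device not in self.last_counter:
            return "unknown device"  # identity is not enrolled: no access
        expected = hmac.new(device_key(device), body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "bad tag"  # body was altered, or the sender lacks the device key
        if counter <= self.last_counter[device]:
            return "replayed"  # authentic but stale: a captured message sent again
        self.last_counter[device] = counter
        return "ok"
```

The tag is verified before the counter is read as trustworthy, so a modified message is rejected as "bad tag" regardless of the counter value it carries.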

3. No IoT Ecosystem Will Ever Be 100% Secure

Service providers and enterprises must accept one fact: no IoT service will ever be fully secure. These operations are simply too complex; therefore, they’re often full of vulnerabilities. Of course, this doesn’t relieve any stakeholder of their responsibilities for ensuring the right levels of security within an IoT ecosystem. After all, as every CISO knows, it’s not a matter of “if” you’ll be attacked but “when.”

In the end, enterprises and other users must be able to trust their network connection. This means building an infrastructure that’s not only as secure as possible but also one that’s resilient and robust enough to withstand a security incident. Reliability is important. They must find ways to offer uninterrupted operation and functionality, even if a part of the network is under attack.

4. Automation and Management Tools for IoT Security

No human is capable of manually managing the sheer volume of connected devices on any IoT network. Even if they could, they’d be a single point of failure. The continuous addition of devices and network re-configurations means that there will be a constant influx of new vulnerabilities and attack vectors. As processes and device management become increasingly automated, they must simultaneously become adaptive enough to handle evolving threats while also ensuring that the right levels of security are maintained.

IoT networks will always continue to evolve. Stakeholders, devices, applications, and other technologies will come and go over the lifecycle of an ecosystem. Tools that provide end-to-end security visibility and overarching management of all entities are imperative.

The strategies and items to consider when creating an IoT service differ greatly depending on the nature of the application. Strategic considerations for mining are considerably different from those for agriculture or manufacturing use cases. Each scenario adds its own set of complexities that must be taken into consideration when constructing, maintaining, and securing any network designed to support an organization’s IoT operations.

Written by Bodil Josefsson, head of IoT Security, Ericsson.