IoT Security: An Evolving Landscape
Transforma InsightsTransforma Insights
Security consistently ranks as one of the top challenges when deploying IoT. There are numerous examples of security breaches, and the threat landscape continues to become ever more challenging. In this article, we will examine some of the changing dynamics of IoT security and approaches to securing connected devices.
The widespread deployment of IoT in various consumer and enterprise applications opens up more hacking opportunities, and people are using IoT in increasingly critical systems. At the same time, the scale of deployments continues to rise, with IoT connections set to grow from 16 billion IoT devices in 2023 to 40 billion in 2033.
IoT devices have always been somewhat more vulnerable to hacking by being deployed in unattended environments and often deployed in complex combinations of technologies and stakeholders, all representing a potential weak point in the security chain.
The diversity of IoT also represents a challenge, necessitating enterprise security specialists to understand the security risks of a wider range of devices than simply phones, PCs, and other IT infrastructure. Lack of skills is, therefore, also an issue.
However, the challenges have increased in recent years. For instance, there is an ongoing trend for IoT devices to become increasingly constrained in processing, memory, and power, reducing their ability to support robust security features and updates.
Historically, weak IoT security regulations let manufacturers cut corners, exemplified by the Mirai botnet exploiting basic security lapses. However, this has been increasingly well addressed as discussed in the next section.
The last few years have seen a major expansion in legislation related to cybersecurity in general and IoT device security in particular. There are increasingly numerous examples of codes of practice or guidelines for minimum levels of security on consumer IoT devices, including for instance not using default or weak passwords, and requirements for regular firmware updates.
In some countries, these voluntary guidelines have been replaced by mandatory requirements and this trend is likely to continue. Other elements include labeling programs. These and many other regulations are described in the recent "Regulatory landscape for the Internet of Things" report from Transforma Insights and the associated Regulatory Database.
The EU has several regulations related to cybersecurity. In 2020, ENISA published IoT supply chain security guidelines covering the entire lifespan, from design to disposal.
In 2022, the European Commission proposed a regulation on cybersecurity requirements for products with digital elements, known as the Cyber Resilience Act. The Act intends to bolster cybersecurity rules to ensure more secure hardware and software products.
The proposed regulation requires digital products to ensure cybersecurity appropriate to the risks in their design, development, and production.
The NIS Directive was the first EU-wide legislation aiming for a high, common level of cybersecurity across Member States. A proposed expansion is covered by NIS2, which obliges more entities and sectors to take measures related to cybersecurity.
In October 2018, the UK's DCMS, along with the NCSC, published the Code of Practice for Consumer IoT Security. It outlined practical steps for IoT manufacturers and industry stakeholders to improve the security of consumer IoT products and services.
The stricter Product Security and Telecommunications Infrastructure Act 2022 came into force in April 2024. It allows the relevant UK minister to specify security requirements for internet-connectable products and communications infrastructure available to consumers in the UK.
These regulations will apply to manufacturers, importers, and distributors of interconnected products in the UK. The regulations today specify requirements for passwords, minimum security updates, and statements of compliance.
In the US, The IoT Cybersecurity Improvement Act, of 2020 requires the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) to take specified steps to increase cybersecurity for Internet of Things (IoT) devices.
It gives NIST oversight of IoT cybersecurity risks, requiring it to set up guidelines and standards, including over-reporting on security issues, and minimum-security standards. The NIST Cybersecurity Framework (CSF) 2.0, released in early 2024, represents a revision of the original NIST framework.
In September 2022, NIST published NISTIR 8425, outlining the consumer profile of its IoT core baseline. It identifies commonly needed cybersecurity capabilities for the consumer IoT sector, including products for home or personal use.
In July 2023, the Biden-Harris Administration launched the Cybersecurity Labeling Program to help Americans choose safer smart devices. Under the proposed new program, consumers would see a newly created “U.S. Cyber Trust Mark” in the form of a distinct shield logo applied to products that meet the established cybersecurity criteria.
The regulations presented above represent just a selection of the cybersecurity rules and guidelines related to IoT. Many other countries will have similar rules.
In July 2024, Transforma Insights published the 2024 edition of its "Communications Service Provider (CSP) IoT Peer Benchmarking Report," identifying both the key themes that are defining the IoT connectivity market and the leading MNOs and MVNOs for IoT. The report stems from discussions with 25 top global cellular connectivity providers and a thorough analysis of their capabilities.
As might be expected, the topic of IoT security was one of the themes raised. All of the CSPs had highly secure offerings and were layering on security as a value-added service in many cases. However, there was still in a lot of cases a lack of a wider offering related to security and compliance.
Most recognized the need for improved pre-sales support but few prioritized compliance-as-a-service in customer adoption journeys.
This is a good example of the vendor community in a microcosm. The individual element is secure. And there is even a recognition that customers might pay more for additional security.
However, it is relatively rare to find a vendor willing to take responsibility for the overall end-to-end security and compliance with security-related regulations. So, find yourself a vendor that’s going to be sure to emphasize it.
IoT security encompasses protection measures for devices, networks, platforms, applications, and enterprise systems, reflecting their complex interconnections. There are five main security layers.
The primary focus is securing the device itself. Hardening the device to prevent tampering is crucial, including the use of embedded SIM cards (eSIMs) that cannot be removed. Devices should also support Firmware Over-The-Air (FOTA) updates, which require adequate network technologies, storage, and processing capabilities. Detecting malware is essential at this layer.
Network security is generally robust, particularly on mobile networks, but vulnerabilities still exist. IoT applications often span multiple networks, including the public internet, increasing the risk of exploits.
Key security measures include device and SIM authentication, network encryption, private APNs, network diagnostics, IMEI locking, quarantining devices, DNS white-listing, and the deployment of Intrusion Detection and Prevention Systems (IDS/IPS).
Network layer security may be insufficient alone. Transport Layer Security (TLS) is often required, particularly by cloud providers, to secure data delivery.
Typical measures include IPsec VPNs and private global backbones. IoT SAFE, a GSM Association initiative, uses the SIM card for secure end-to-end communication, ensuring mutual authentication and TLS.
Security measures are necessary regardless of whether data is stored in the cloud or on-premises. This includes preventing unauthorized access, encryption, access controls, and data backup/recovery.
Cloud security for IoT also involves managing credentials, access control, and device SDKs, as well as addressing vulnerabilities in interfaces, APIs, and potential data breaches.
Application security is critical as many vulnerabilities arise from poorly built applications. Developers must prioritize security, ensuring authentication and data privacy are integrated into the application design.
Additionally, we identify a sixth aspect: End-to-End security. This considers the entire system, integrating all layers to optimize protection.
This includes secure application design, anomaly detection across layers, third-party vendor compliance, and robust incident response capabilities to manage cyber threats effectively. These layers of IOT security are presented in the chart below.
What should be evident from the commentary above is that the IoT security landscape is evolving rapidly. The nature and scale of the threats are changing, as is the regulation that is being introduced to cope with it.
Approaches from the vendors are also evolving and ideally should embrace the multi-level model presented in the previous section, including consideration of end-to-end security.
Transforma Insights recommends considering security in two dimensions. Firstly, the framework needed to optimize security, including dimensioning the problem, understanding capacity for risk, establishing policies and processes, and managing partners, amongst other things.
The second dimension relates to the specific tools and features needed to address IoT security, which might equate to device hardening, FOTA updates, features such as private APNs, IoT SAFE or IPsec VPNs, anomaly detection, automated threat response, and remediation. The common goal across the areas of framework and functions is to mitigate risks, respond to breaches, and implement remediation measures.
If the topic of IoT security is high on your agenda, and it should be, join Transforma Insights, Semtech, and Kigen for a webinar on the 24th of July 2024 where we will discuss the key security challenges and the best ways to address them.
This webinar is tailored for IT, technical, and product management leaders from organizations deploying IoT devices and routers on national or global cellular networks. Attendees can also engage with the panelists during a live Q&A session.
Key Topics will include analysis of the latest IoT security threats and regulatory requirements, approaches to end-to-end cellular IoT security, encompassing connected hardware, SIMs, mobile networks, and cloud infrastructure, and practical, expert guidance on protecting your organization against IoT-specific cyber threats. Register here: IoT Security Strategies: Implementing Secure Connected Solutions.
New Podcast Episode
Recent Articles