Security consistently ranks as one of the top challenges when deploying IoT. There are numerous examples of security breaches and the threat landscape continues to become ever more challenging. In this blog post, Matt Hatton examines some of the changing dynamics of IoT security and approaches to securing connected devices.
The widespread deployment of IoT in various consumer and enterprise applications opens up more hacking opportunities, and IoT is being used in increasingly critical systems. At the same time, the scale of deployments continues to rise, with IoT connections set to grow from 16 billion IoT devices in 2023 to 40 billion in 2033.
IoT devices have always been somewhat more vulnerable to hacking by virtue of being deployed in unattended environments, and often deployed in complex combinations of technologies and stakeholders, all of which represent a potential weak point in the security chain. The diversity of IoT also represents a challenge, necessitating enterprise security specialists to understand the security risks of a wider range of devices than simply phones, PCs and other IT infrastructure. Lack of skills is, therefore, also an issue.
However, the challenges have increased in recent years. For instance, there is an ongoing trend for IoT devices to become increasingly constrained in terms of processing, memory, and power, reducing their ability to support robust security features and updates.
Historically, a big weakness for IoT security was the lack of sufficient regulation, which allows manufacturers to cut corners on security, exemplified by the Mirai botnet's exploitation of basic security lapses in consumer IoT devices. However, this has been increasingly well addressed as discussed in the next section.
The last few years have seen a major expansion in the amount of legislation related to cybersecurity in general and IoT device security particularly. There are increasingly numerous examples of codes of practice or guidelines for minimum levels of security on consumer IoT devices, including for instance not using default or weak passwords, and requirements for regular firmware updates. In some countries these voluntary guidelines have been replaced by mandatory requirements and this trend is likely to continue. Other elements include labelling programmes. These, and many other regulations are described in the recent ‘Regulatory landscape for the Internet of Things’ report from Transforma Insights and the associated Regulatory Database.
The EU has several regulations related to cybersecurity. In 2020, the European Union Agency for Cybersecurity (ENISA), published guidelines for securing the supply chain for IoT which created security guidelines for the whole lifespan, including requirements, design, end use delivery, maintenance and disposal. In 2022, the European Commission proposed a regulation on cybersecurity requirements for products with digital elements, known as the Cyber Resilience Act. The Act intends to bolster cybersecurity rules to ensure more secure hardware and software products. The proposed regulation states that products with digital elements shall be designed, developed, and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks. The Network and Information Security (NIS) Directive was the first piece of EU-wide legislation on cybersecurity, and its specific aim was to achieve a high, common level of cybersecurity across the Member States. A proposed expansion is covered by NIS2, which obliges more entities and sectors to take measures related to cybersecurity.
In October 2018, in the United Kingdom, the Department for Digital, Culture, Media and Sport (DCMS), in conjunction with the National Cyber Security Centre (NCSC) published the Code of Practice for Consumer IoT Security which laid out some practical steps for IoT manufacturers and other industry stakeholders to improve the security of consumer IoT products and associated services. The stricter Product Security and Telecommunications Infrastructure Act 2022 came into force in April 2024 to make provisions for the security of internet-connectable products and communications infrastructure giving the relevant UK minister the power to specify requirements to protect or enhance the security of relevant connectable products made available to consumers in the United Kingdom and users of such products. These regulations will be applicable to manufacturers, importers, and distributors of interconnected products in the UK. The regulations today specify requirements for passwords, minimum security updates, and statements of compliance.
In the US, The IoT Cybersecurity Improvement Act, 2020 requires the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) to take specified steps to increase cybersecurity for Internet of Things (IoT) devices. It gives NIST oversight of IoT cybersecurity risks, requiring it to set up guidelines and standards, including over reporting on security issues, and minimum security standards. The NIST Cybersecurity Framework (CSF) 2.0, released in early 2024, represents a revision on the original NIST framework. Furthermore, in September 2022, NIST published NISTIR 8425 Profile of the IoT Core Baseline for Consumer IoT Products outlining the consumer profile of NIST’s IoT core baseline and identifies cybersecurity capabilities commonly needed for the consumer IoT sector (i.e., IoT products for home or personal use). In July 2023, the Biden-Harris Administration announced Cybersecurity Labeling Program for Smart Devices to Protect American Consumers to help Americans more easily choose smart devices that are safer and less vulnerable to cyberattacks. Under the proposed new program, consumers would see a newly created “U.S. Cyber Trust Mark” in the form of a distinct shield logo applied to products that meet the established cybersecurity criteria.
The regulations presented above represent just a selection of the cybersecurity rules and guidelines related to IoT. Many other countries will have similar rules.
In July 2024, Transforma Insights published the 2024 edition of its ‘Communications Service Provider (CSP) IoT Peer Benchmarking Report’, identifying both the key themes that are defining the IoT connectivity market and the leading MNOs and MVNOs for IoT. The report is based on extensive discussions with 25 leading global providers of cellular connectivity and detailed analysis of their capabilities and strategies.
As might be expected, the topic of IoT security was one of the themes raised. All of the CSPs had highly secure offerings, and were layering on security as a value-added service in many cases. However, there was still in a lot of cases a lack of a wider offering related to security and compliance. Most had noted a need to offer enhanced pre-sales support for customers for their adoption journey, but relatively few had identified the need for a substantial compliance angle to that, what we might term compliance-as-a-service.
This is a good example of the vendor community in microcosm. The individual element is secure. And there is even a recognition that customers might pay more for additional security. But it is relatively rare to find a vendor willing to take responsibility for the overall end-to-end security and compliance with security-related regulations. So find yourself a vendor that’s going to be sure to emphasise it.
When discussing IoT security, we refer to the protection measures across the various components involved in IoT deployments, which are complex and include devices, networks, platforms, applications, and enterprise systems. There are five main security layers:
Additionally, we identify a sixth aspect: End-to-End security. This considers the entire system, integrating all layers to optimize protection. This includes secure application design, anomaly detection across layers, third-party vendor compliance, and robust incident response capabilities to manage cyber threats effectively. These layers of IOT security are presented in the chart below.
What should be evident from the commentary above is that the IoT security landscape is evolving rapidly. The nature and scale of the threats are changing, as is the regulation that is being introduced to cope with it. Approaches from the vendors are also evolving, and ideally should embrace the multi-level model presented in the previous section, including consideration of end-to-end security.
Transforma Insights recommends considering security in two dimensions. Firstly, the framework needed to optimise security, including dimensioning the problem, understanding capacity for risk, establishing policies and processes, and managing partners, amongst other things. The second dimension relates to the specific tools an features needed to address IoT security, which might equate to device hardening, FOTA updates, features such as private APNs, IoT SAFE or IPsec VPNs, anomaly detection, automated threat response, and remediation. The common goal across the areas of framework and functions to mitigate risks, respond to breaches, and implement remediation measures.
If the topic of IoT security is high on your agenda, and it should be, join Transforma Insights, Semtech and Kigen for a webinar on the 24th July 2024 where we will discuss the key security challenges and the best ways to address them.
This webinar is tailored for IT, technical, and product management leaders from organizations deploying IoT devices and routers on national or global cellular networks. Attendees can also engage with the panellists during a live Q&A session.
Key Topics will include analysis of the latest IoT security threats and regulatory requirements, approaches to end-to-end cellular IoT security, encompassing connected hardware, SIMs, mobile networks and cloud infrastructure, and practical, expert guidance on protecting your organization against IoT-specific cyber threats.
The webinar will feature:
Register here: IoT Security Strategies: Implementing Secure Connected Solutions
