10:30 AM
Saumitra Das
IoT Security's Coming of Age Is Overdue

The unique threat landscape requires a novel security approach based on the latest advances in network and AI security.

Security always lags behind technology adoption, and few technologies have seen growth as explosive as the Internet of Things (IoT). Despite the rapid maturation of the market for connected devices, security has been an afterthought until now, creating an unprecedented opportunity for hackers worldwide.

It's 2019 and the industry is overdue for a new, comprehensive security model for connected devices — one that reflects the challenges of protecting IoT's position at the confluence of software and device security. The unique threat landscape requires a novel security approach based on the latest advances in network and artificial intelligence (AI) security.

What's at Stake
Cisco estimates the number of connected devices will surpass 50 billion by 2020. Enterprises are on pace to invest more than $267 billion in IoT tools during that same time. Attacks on IoT devices rose by 600% in 2017, reflecting both security vulnerabilities and the value of the targets. The NSA posted an advisory on smart furniture hacks, and the 2018 Black Hat and DEF CON conferences produced a stunning array of connected device attacks and security analysis.

The prevalence of connected devices and lack of comprehensive IoT security pose diverse risks for enterprises.

To start, altering or interrupting connected device performance alone can constitute a catastrophic breach — even one with life-or-death consequences. The Stuxnet attack famously sabotaged the Iranian nuclear program by causing as many as a thousand uranium enrichment centrifuges to malfunction and eventually fail. Attacks targeting power grid infrastructure have been detected abroad in Ukraine and the United States. Interference with consumer devices such as vehicles and pacemakers puts their owners at risk. Inside the enterprise, tampering with smart mining, manufacturing, or farming equipment could cause millions of dollars in damages in goods and equipment. The growing trend toward corporate ransom and hacktivism has expanded the pool of potential targets beyond scenarios where attackers can profit directly from a breach.

In addition to service disruptions, IoT systems are susceptible to breaches resulting in data loss. Data from manufacturing and consumer sensors can be valuable intellectual property. Lost data from consumer or enterprise devices can constitute privacy violations, as in the case of connected toys or even office-entry badge logs. Regulatory experts anticipate a "feeding frenzy" of legal cases stemming from IoT attacks in the coming years.

Following Data from Sensors to the Cloud
The IoT threat landscape includes elements of both centralized and dispersed systems. A typical architecture involves a large number of sensors collecting data, which is then consolidated and analyzed. Practically, we can group the vulnerabilities of IoT systems into two categories: the security of sensors and the security of data repositories.

Connected devices create liabilities at all stages of the security life cycle, from prevention to detection to remediation. The challenge of securing sensors begins with taking an accurate inventory. Many companies will be hard-pressed to evaluate the security posture of all connected devices in use, from strategic enterprise equipment to connected devices in regional offices. Many connected devices lack basic security features found on laptops or smartphones. Default passwords, unpatched operating systems, network trust issues, and unhardened devices with open ports are all vulnerabilities endemic to IoT security. Finally, hardware may not support the capability to register that it has been tampered with, limiting the security team's ability to detect and respond to successful attacks.

The Internet of Things is inherently intertwined with cloud security. Most sensors have relatively limited processing capabilities and rely on cloud hosting to analyze data. These consolidated repositories create risks around access control, data security, and regulatory compliance. Gartner warns that at least 95% of cloud security failures will be the customer's fault, meaning misconfigured security settings will result in security incidents. Research on a sample of enterprise AWS S3 buckets found 7% with unrestricted public access and 35% unencrypted. Hundreds of millions of dollars in acquisitions for vendors dedicated to auditing and automating cloud security configurations attest to the breadth of this attack vector.
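The two repository misconfigurations cited above (unrestricted public access and missing default encryption) can be checked mechanically. The following is an added example, not code from the article or from any vendor; it audits a constructed inventory whose records are shaped after the fields returned by the AWS S3 bucket policy, ACL and encryption APIs, and it uses a simplified "public" rule (an Allow statement for principal `*` with no Condition, or an ACL grant to the AllUsers/AuthenticatedUsers groups), which is an assumption rather than the full AWS definition.

```python
"""Flag S3-style bucket records that are publicly readable or lack default
server-side encryption. All bucket data below is constructed sample input."""
import json

# Canned ACL grantee URIs that make a bucket world- or any-AWS-user-readable.
PUBLIC_ACL_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def policy_is_public(policy_json):
    """True if any Allow statement names principal '*' with no Condition.
    Simplified rule (assumption): conditions such as aws:SourceVpce are treated
    as restricting access, so conditioned statements are not counted as public."""
    if not policy_json:
        return False
    for stmt in json.loads(policy_json).get("Statement", []):
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"]))
        if stmt.get("Effect") == "Allow" and wildcard and not stmt.get("Condition"):
            return True
    return False

def acl_is_public(grants):
    """True if any ACL grant targets a public group grantee."""
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_ACL_GRANTEES for g in grants)

def audit_bucket(bucket):
    """Return the list of findings for one bucket record (empty means clean)."""
    findings = []
    if policy_is_public(bucket.get("policy")) or acl_is_public(bucket.get("acl", [])):
        findings.append("public-access")
    if not bucket.get("sse_rules"):  # no default encryption rule configured
        findings.append("unencrypted")
    return findings

# Constructed sample inventory: three hypothetical IoT data repositories.
SAMPLE_BUCKETS = [
    {"name": "sensor-telemetry-raw", "acl": [], "sse_rules": [],
     "policy": json.dumps({"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::sensor-telemetry-raw/*"}]})},
    {"name": "plant-floor-archive", "policy": None,
     "acl": [{"Grantee": {"URI": PUBLIC_ACL_GRANTEES and
              "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}],
     "sse_rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
    {"name": "analytics-private", "policy": None, "acl": [],
     "sse_rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
]

def audit_all(buckets=SAMPLE_BUCKETS):
    """Map each bucket name to its findings."""
    return {b["name"]: audit_bucket(b) for b in buckets}
```

Run against a real account, the same functions would take the output of `get_bucket_policy`, `get_bucket_acl` and `get_bucket_encryption` per bucket.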

Leveraging the Strengths of IoT for Security
Companies have invested in IoT in the absence of robust security because of the business opportunities available from massive amounts of data and powerful analytics. Fittingly, IoT security solutions must lean on these same advantages.

First, IoT security fundamentally requires network-based enforcement. IoT sensors cannot support the same endpoint security solutions available for smartphones. The sheer number of devices a typical enterprise uses makes security at the device level infeasible. Applying security at the network level allows the enterprise to gain holistic visibility and enforcement across its IoT portfolio.

Second, companies can use the large quantities of data coming from IoT devices to implement behavioral security with neural networks. The AI approaches in use today with IoT are simple statistical deviation or anomaly detection. They may find the needle in the haystack, but they will also see needles where they do not exist. The massive traffic coming from IoT systems allows for the training of neural networks to detect malicious intent with greater accuracy, lowering the rate of false positives and alleviating alert fatigue.

Forcing existing enterprise security approaches onto IoT systems is doomed to failure. Securing the Internet of Things requires a combination of hardware and software security that contends with the unique risks and limitations of connected devices and data processing repositories. By tailoring security to the architecture of IoT systems in use, organizations can take advantage of all the benefits that technologies like the cloud and AI have to offer.

Saumitra Das is the CTO and Co-Founder of Blue Hexagon. He has worked on machine learning and cybersecurity for 18 years. As an engineering leader at Qualcomm, he led teams of machine learning scientists and developers in the development of ML-based products shipped in ...

User Rank: Apprentice
2/4/2019 | 11:21:15 AM
In fact, there are already many protection technologies. The most popular is the blockchain system. Also, the development of neural networks makes itself felt and there will soon be a new system based on neural systems.
Saumitra Das
User Rank: Author
2/4/2019 | 2:30:53 PM
Re: Blockchain
Blockchain for IoT is an interesting area for distributed trust between devices and the entities they interact with. However, security itself can be about the IoT device being tampered with in terms of transacting with other entities as well as being compromised itself leading to lateral movement in the enterprise. Additionally, many IoT systems are battery, CPU and network bandwidth constrained which can be challenging for deploying blockchain. Neural network based threat detection can help identify compromise early and has the potential to be a key enabler of this ecosystem.
User Rank: Apprentice
2/14/2019 | 2:01:46 AM
Many entry points..
The more connections you have to an information hub, the more security you're going to need. Every access point is a potential threat, of course. I'm pretty sure that you'll be able to find some good solutions to beef up the security of the data storage points though. That at least is one way to implement a bit of protection.
User Rank: Strategist
2/14/2019 | 9:35:31 PM
We need to improve, pronto
As technology evolves, so should security. However, in this rapidly progressing era, that unfortunately isn't the case. As we witness constant development of various technologies, we sadly also experience major lapses in security over various platforms. Consumer data is sacrificed affecting not only individuals but large corporations as well. Major loss of confidence has occurred over the course of just less than a decade and how can we seriously improve?
User Rank: Ninja
2/15/2019 | 7:05:56 AM
Re: We need to improve, pronto
The bad guys (all of them) have nothing but TIME on their hands - they have all day to just THINK about how to bypass any security function and this is an incredible advantage. WE have to deal with trying to out-think them while dealing with a few thousand corporate rules, regulations, budget and time issues. We have an 8-12 hour working day standard. The bad guys have 24 hour days all of the time. There we have a mega disadvantage in effort and, besides, I always believe we are forever 5 minutes behind the bad guys all of the time.
Saumitra Das
User Rank: Author
4/26/2019 | 3:07:17 AM
Re: We need to improve, pronto
I think there has been a lot of focus on compliance, auditing and visibility as it relates to security. We have given up on early detection at the point of intrusion and basically assumed breach and focused on hunting for post-infection IOCs with NTA and SIEM. This exacerbates the problems for an overloaded SOC team already receiving tons of logs and alerts and struggling to deal with them given the cyber talent shortage. While hunting for threats assuming breach is a good layer to have, equal or more focus should be given to detecting as early as possible so the risk of breach is minimized and we only have to threat hunt for the very few that may be sophisticated enough to still make it through.
Saumitra Das
User Rank: Author
4/26/2019 | 3:12:23 AM
Re: We need to improve, pronto
This is the nature of our industry where the bad guys have TIME as you mention but many are incredibly well funded as well. As you say, they need to find one hole while we have to patch or inspect all points of entry. In my past roles, I have seen targeted attacks where no threat intel would help since the payloads, domains, IPs were all new and custom. So every attack is "unknown" when you see it and so you sandbox and you are minutes to hours behind depending on how evasive the threat is. Having a different technique that can provide a low false positive verdict in near real time can help burdened SOC teams in prioritizing and going after threats before they have spread further in and is one step we can make towards shifting this TIME imbalance.