How to improve your IoT security in a world of rising cyber attacks

This article originally appeared in the Feb'24 magazine issue of Electronic Specifier Design – see ES's Magazine Archives for more featured publications.

A security framework, comprising measures to defend, detect and react, offers a robust approach, and one that companies should supplement with rehearsal and continuous improvement to put them in the strongest position possible to mitigate IoT security risks.

The rise of IoT cyber attacks

According to SonicWall’s Cyber Threat report, there were more than 77 million IoT malware attacks globally in the first half of 2023, a 37% year-to-date rise. Meanwhile, the World Economic Forum’s ‘State of the Connected World’ 2023 report, which examines governance gaps on IoT and related technologies, identified cybersecurity as the “second-largest perceived governance gap.”

All IoT devices and solutions, whether they capture environmental data, record, and share smart meter data, or carry out any of the many other activities of the IoT, face security threats. These include ransomware, malware, device spoofing, and man-in-the-middle attacks.

Companies must protect their devices and solutions to mitigate the risk of an attack or breach, and the operational, financial, and reputational damage they can cause.

Security is a top priority in the IoT therefore, yet 96% of respondents to a Keyfactor report say they struggle to secure their IoT and connected products.

IoT security action you should take

IoT security must take a 360-degree approach to defend solutions and detect and react to any security incidents. This holistic approach to IoT security should include processes and people, as well as technology, and extend to choosing partners with strong reputations and security credentials.

Defend

It begins with defence, which starts with preventing unauthorised access to devices, Cloud infrastructure and data. In this, IoT SAFE has a central role to play. It is an interoperable, industry-wide SIM security standard for uniquely identifying devices for authentication. Defence measures should also include secure communication, outage resilience, software updates, data security policies and compliance with market and industry regulations.

If 360-degree IoT security is a pie chart, defend is the biggest slice, while the rest is given up equally to detect and react.

Detect

Detection is essential because, no matter how robust defence measures are, companies must still monitor device behaviour, analyse network traffic, and use analytics to make informed decisions. These measures are needed to detect any potential breaches, anomalous activities, or unusual behaviours. Warning signs of these can include altered target URLs or data usage that is out-of-the ordinary.

React

Should detection measures identify any red flags, companies must react using pre-planned countermeasures, some of which may be automated. Action can include quarantining and cleaning affected devices and applying corrective actions across all systems. Reporting breaches and anomalies also fall under reactive measures.

‘Defend, detect and react’ together make up a 360-degree framework for IoT security but there is a fourth action companies should also take: rehearse. Rehearsal equips companies to swing into action quickly if a situation demands it because they have planned for it and know what to do. Rehearsing has another benefit too – it can help expose any weaknesses or security gaps that need to be plugged.

Companies can call on tools and techniques to help them rehearse security scenarios. These include ‘digital twin’ virtual representations to model threats and ‘what if?’ workshops that step through scenario handling.

What IoT security legislation is there?

Regulatory compliance is, of course, essential, and is part of the IoT security defence strategy.

Companies need to be aware of existing and pending legislation and understand what it means for them. In addition to sector specific security legislation, this includes the UK’s Product Security and Telecommunications Infrastructure (PSTI) Act, the EU’s Cyber Resilience Act, and the USA’s IoT Cybersecurity Improvement Act (for devices used by federal government).

The PSTI (Product Security) regime, which comes into effect on 29 April this year, regulates consumer products such as routers, webcams and connected fridges. It mandates that impacted products be free of default passwords, have vulnerability disclosure policies and be transparent about update support periods.

Large IoT deployments are often international or global, and companies must comply with relevant regulation, which is likely to vary, in all regions.

A range of existing industry standards, such as the European Telecommunications Standards Institute (ETSI) standard EN 303 645, IEC 62443 4-2 and ISO/SAE 21434, are important resources that IoT solutions designers can draw on for guidance on meeting cybersecurity challenges.

Effective IoT security needs continuous cycles of improvement

Companies with IoT products and services, device manufacturers and solutions providers must make IoT deployments secure by design. For that, they need comprehensive 360-degree security with measures to defend, detect and react. Added to that, they must rehearse security regularly and feed insights back into development cycles to continually improve their security posture. Threats to the IoT are very real, and no company wants to suffer the operational, financial, and reputational impact of a security failing.