With global IoT product adoption continuing to grow, many organizations are trying to tackle the challenge of allowing these devices in while maintaining a strong security posture for the business. How businesses do this varies, but there is some good news for IoT aficionados who hope to deploy some new tech to make their jobs easier.

A growing trend for security

IoTThis week there were a few notable announcements related to the world of IoT. Firstly, the global internet of things security market was valued over US $550 million in 2017, and it is expected to have a compounded annual growth rate (CAGR) of over 34% in 2019. What does that mean exactly?

Well, with 34% growth, we can expect that companies will continue to invest in IoT security and that developers of these devices will have more opportunities to build devices that are inherently more secure. This is great for both consumers and businesses because when devices are deployed in an organization, they will likely have better controls that enable to business to keep the devices secure. Examples may include firmware update capabilities, encrypted communications, and the ability to change default credentials for devices.

As a signal to the market, Secure Thingz announced this week that they will help in the pursuit of securing IoT devices by making it easier to deploy security from the start. According to the announcement, “[b]uilding in security from the start of the design process is widely acknowledged as the optimal approach to tackling security challenges, and it starts with the creation of a security context that defines the application security.”

Because many developers don’t have a background in security, devices are often built with little consideration to security and protecting the user. This doesn’t mean that the developer doesn’t care about security, but because it requires additional resources, it is often left out of the planning stages or added as an afterthought before release. With this approach, many devices can’t be patched or don’t allow the user to change the settings. The result is backdoors for malicious actors to spread malware or leak data from network resources where the device is connected.

IoT security is further fueled as government initiatives for smart cities continue to grow. Countries are focusing on advancing smart cities to manage resources and assets efficiently. The investment in smart city projects will accelerate the deployment of network infrastructure, which will create the grid by which the various devices will communicate. This, in turn, will create demand for IoT devices like smart lighting, smart meters, telecommunication equipment, and more that will need to be secure. After all, we don’t want our city’s lighting or traffic systems compromised because we move from our current system to these “smarter” systems.

Securing the insecure

So, great news, we are starting to see a trend toward security for our IoT devices, but what about our current devices? While it’s true that future devices will be more secure, there are still millions of devices that consumers and business continue to deploy each year. How can we ensure that what we currently have is put in place so that we don’t find out we had a compromise because of a data leak?

The first step is proper research. Don’t just buy something because it looks cool and says it can do everything you need it to. Try to understand the security currently built into the devices. If it connects over the internet, it should use secure channels to communicate. You should also research to see if you can change the default password for the device. A simple Google search and you’ll easily find a manual for the product that will tell you if this is possible. If it’s not, move on. You don’t want a device you can’t update or that can’t provide basic security.

Only add IoT devices to guest or isolated networks. Even home routers have guest network capabilities, so there is no excuse not to do this. By putting IoT devices in isolation from other devices on your network, you prevent them from stealing data should they be hacked. Isolation is one of the best approaches to IoT security because the insecurity of a device won’t compromise other devices. It’s reassuring to know that even if a device is hacked, the only thing the device can do is communicate with itself. Take that, hackers!

Sometimes, though, you need to add the device to the network for it to do the job it was built to do. If the device is monitoring other devices, it won’t do you any good to put it in isolation. In this case, you need to monitor every part of your network and verify that the IoT devices you deploy aren’t communicating outside of their job description. Network traffic analytics can provide you with real-time data and show you when anomalous behavior is taking place. By using this type of data, you will prevent unknown data leaks from wreaking havoc on your network, and the business.

To take advantage of the data already on the network and keep your network and the IoT infrastructure you have secure, download a 30-day trial of Scrutinizer.

Justin

Justin Jett is Director of Audit and Compliance at Plixer with roles ranging from system administration of web services to technical product marketing for Plixer’s incident response system, Scrutinizer. Jett, a graduate of the University of Maine at Farmington, is an avid learner of all things security, with a particular interest in TLS and DNS attacks.

Related