How to Shield Against IoT Security Threats

While politicians and security experts are constantly warning about the risk of cyber-attacks, they rarely, if ever, mention the risks associated with the Internet of Things (IoT). They should, since there are already plenty of examples of successful IoT security attacks (e.g., the Mirai botnet, connected cardiac devices, etc.).

IoT in all its flavors (e.g., physical security systems, lights, appliances, heating and air conditioning systems, as well as artificial intelligence-based automated agents such as chatbots) exposes companies and consumers alike to a wide range of security threats. 

In fact, according to a survey conducted by Altman Vilandrie & Company, nearly half of US-based firms using IoT have been hit by a recent security breach. So, how can we shield against these emerging threats? 

The number of IoT devices is growing at a breathtaking pace, from 2 billion in 2006 to an estimated 200 billion by 2020 (see Intel report). Therefore, IoT must be considered part of a broader attack surface that requires protective measures. While consumer IoT devices like Amazon Alexa, Google Home, Nest Labs home automation systems, and smart wearables get all the headlines, the largest proportion of IoT devices aren’t used in homes, but in manufacturing plants, retail businesses, and the healthcare industry. 

The strong adoption rates in these verticals are tied to the benefits IoT devices provide in terms of tracking inventory, managing machines, increasing efficiency, improving customer interaction and service, reducing maintenance costs, and even saving lives. According to Intel, by 2025, the total global worth of IoT technology could be as much as 6.2 trillion US Dollars. While these numbers prove the business value of IoT, it also introduces major security threats that need to be addressed sooner rather than later.

If an employee’s smartwatch can be compromised to steal corporate Wi-Fi passwords, the device suddenly falls into the scope of an organization’s attack surface. To complicate matters, the development of IoT products preceded the creation of a common security framework or standard. In the case of many IoT products, security is an afterthought. 

In the past, proprietary technology and competing interests made a truly open and secure network difficult to develop. New initiatives like the Trusted IoT Alliance offer a glimpse of promise, but its inherent focus on promoting an open source blockchain protocol might also be its inhibitor to success. The most practical approach for addressing the lack of security in IoT devices is for new standards and government regulations to be established that require the use of trusted networks and operating systems. 

In this context, the Cyber Shield Act of 2017, which was introduced by Senator Edward J. Markey and has been endorsed by the Institute for Critical Infrastructure Technology, is a good first step towards creating a standardized approach to cyber security for IoT. The bill is designed to establish a voluntary program to identify, verify, and label compliant IoT devices with strong cyber security standards. More specifically, the proposed legislation would require IoT vendors to follow “security-by-design” best practices in accordance with National Institute of Standards and Technology (NIST) Special Publication 800-160 and receive a certification that would rate their product, allowing buyers to assess the associated risks and drive their technology decision process. 

Unfortunately, the Cyber Shield Act as it stands falls short, since it is a voluntary program that does not incentivize vendors to implement the NIST security standards. It will likely require further refinements before it can garner the needed support of the Senate, House, and President. More consensus across bipartisan lines may exist in creating a National Cyber Security Safety Board, which would focus on fact-finding and development of industry-wide best practices in collaboration with the vendor community. 

Since these initiatives are likely years from fruition, organizations concerned with IoT threats should apply the following minimum safeguards:

● Deploy IoT devices based on standards-friendly hub-and-spoke networking protocols, which are less vulnerable to attacks. 

● Apply mature identity and access management measures to secure not just applications, workstations, and servers, but also IoT devices.

● Expand the penetration testing scope to include IoT devices.

Ultimately, organizations must leverage emerging technologies that increase business efficiency and contribute to the organization’s overall success. However, security practitioners must expand their view of the attack surface to include IoT. This includes shifting from a perimeter-based to an identity-centric approach to security that assures only verified users and devices can gain access to sensitive resources. 

Written By

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).
