7 security tips for IoT systems
By Brandon Vigliarolo
Security risks are important considerations with IoT initiatives. A Kaspersky report includes steps to take to prevent an IoT-targeted attack. Security firm Kaspersky has released a report with startling statistics about IoT security, including the fact that nearly a third (28%) of companies with IoT systems faced attacks targeting internet-connected devices in 2019.
The report also found that 61% of organizations are currently using IoT platforms, and agrees with the general assessment that the IoT industry is poised for massive growth over the next few years. That growth is likely to be hindered by the problems that Kaspersky points out in its report, such as the fact that 36% of organizations give third parties access to their IoT systems (which increases the possibility of a data breach), the 105 million attacks against IoT devices recorded by Kaspersky in the first half of 2019, and the aforementioned high rate of IoT-targeting attacks.
Businesses have a lot to gain from IoT implementations, the report concludes, but adds that “businesses must also be aware of the cybersecurity objectives. Risks can include outage of services, data loss regulatory [non]compliance, reputational and direct financial loss.”
Seven ways to ensure your IoT network is safe and secure
Kaspersky has seven suggestions for organizations considering new IoT initiatives and those that need to better secure current ones.
1: Assess an IoT device’s security before implementation
Many IoT devices will have security certificates that verify their level of security and the best way to protect them. Be sure to opt for these devices before installing something that is unrated or vulnerable. The Industrial Internet Consortium has created a framework for assessing the security of IoT devices–be sure to check it out to find out if a device passed the test and how to assess non-certified devices.
2: Conduct regular security audits and risk assessments
Regular reporting on the state of IT network security is a given, but be sure IoT networks are made part of those assessments and audits. Don’t roll them into the general IT assessment either–make sure to treat IoT security assessments as a separate matter with separate considerations.
Be sure IT decision makers are kept up-to-date on the latest reports and threat intelligence pertaining to IoT networks.
3: Keep third-party access lists up to date
It doesn’t matter how good your security is if the vendors you allow to access your IoT network have a breach: Their mistakes can end up costing your organization too. To minimize that risk, be sure to keep third-party vendor access lists current, delete old vendors, and revoke any permissions that a third party doesn’t explicitly ask for and justify. Implement compliance standards for vendors to follow as well, and be sure they’re meeting those requirements. Hold those not up to standard to account as well.
4: Keep software up to date
Kaspersky’s report found that 86% of organizations had obsolete or vulnerable software. Outdated software is a common cause of security incidents, and that trend holds true for IoT as well. If your IoT devices are tough to update, replace them with hardware that makes that process smooth, never let a critical update languish, and don’t put off patches until a more convenient date. Any of those reasons for delay can be the difference between safeguarding data and being just one more cybercrime victim.
5: Establish a procedure for keeping up on vulnerability news
When a new threat is detected, it’s important not to miss the news–your IoT security could be at stake. Kaspersky recommends using this as a criteria for choosing IoT vendors as well: “If possible, prioritize those that allow you to update software based on root of trust.”
6: Analyze network traffic
Kaspersky researchers found that corporate networks are also often used for IoT device communication. If your network is pulling double-duty for both IoT and user traffic, your cybersecurity solution should be “designed to analyze network traffic and detect and prevent network attacks covering traffic from IoT devices, and integrate the analysis into the enterprise network security system.”
7: Only use IoT devices that are built with security in mind
Kaspersky specifically mentions IoT gateways here, pointing out that many gateways are only designed to secure the gateway itself–if it is breached, all the IoT devices connected to it are at risk as well. Make sure your IoT gateway secures not only itself but also has the ability to protect connected devices. As an additional layer of security, be sure your IoT nodes/sensors/devices have onboard security as well.