IOT - Instruments of threat?

With the global number of connected IoT devices expected to reach 27 billion by 2025, is our ability to defend against attacks likely to become a losing battle?

We are soon going to be faced with an IoT device-saturated workspace and the big question is: how can all of the security risks that go with these devices be controlled? According to IoT Analytics, the global number of connected IoT devices is expected to grow 9%, reaching 27 billion by 2025. "With that dramatic rise in connected devices also comes an increased need for security," states Kaspersky. "In fact, Gartner highlights that, in the past three years, nearly 20% of organisations have already observed cyberattacks on IoT devices in their network."

While two thirds of organisations (64%) globally use IoT solutions, according to Kaspersky, 43% don't protect them completely. "This means that for some of their IoT projects - which may be anything from an EV charging station to connected medical equipment - businesses don't use any protection tools. The reasons behind this may be due to the great diversity of IoT devices and systems, which are not always compatible with security solutions. Almost half of businesses fear that cybersecurity products can affect the performance of IoT (46%) or that it can be too hard to find a suitable solution (40%). Other common issues businesses face when implementing cybersecurity tools are high costs (40%), being unable to justify investment to the board (36%) and lack of staff or specific IoT security expertise (35%)."

64 BILLION DEVICES
It is estimated that, by 2026, there will be 64 billion IoT devices installed around the world, according to Kaspersky, with the trend towards remote working helping to drive this increase. "So many additional devices change the dynamics and size of what is sometimes called the cyber-attack surface - that is, the number of potential entry points for malicious actors," the company reports. Compared to laptops and smartphones, most IoT devices have fewer processing and storage capabilities. "This can make it harder to employ firewalls, antivirus and other security applications to safeguard them," it points out.

Furthermore, cybersecurity risks are seen by more than half of organisations (57%) as the main barrier to implementing IoT. This can occur when companies struggle to address cyber-risks at the design stage and then have to carefully weigh up all pros and cons before implementation.

"Cybersecurity must be front and centre for IoT," advises Stephen Mellor, chief technology officer at Industry IoT Consortium. "Managing risk is a major concern, as life, limb and the environment are at stake. An IT error can be embarrassing and expensive; an IoT error can be fatal. But cybersecurity is only one part of making a system trustworthy. We also need physical security, privacy, resilience, reliability and safety. And these need to be reconciled: what can make a building secure [locked doors, for example], could make it unsafe, if you cannot get out quickly."

Adds Eric Kao, director, WISE-Edge+ of Advantech, a global vendor of industrial IoT solutions: "IoT projects are very fragmented, loosely-coupled, domain-specific and integration-heavy in nature. In comparison, IT projects such as messaging/communication, analytics, CRM etc have around 80% of common requirements. In the case of IoT implementation, however, we have to deal with all kinds of legacy systems, physical constraints, domain protocols, multiple vendor solutions etc and maintain a reasonable balance in availability, scalability and security. In pursuit of higher availability and scalability, certain cloud infrastructure has to be leveraged, the system has to be open to some extent, then security becomes an enormous challenge."
Why are IoT devices so vulnerable? According to Trend Micro, "largely because these devices lack the necessary built-in security to counter threats. Aside from the technical aspects, users also contribute to the devices' vulnerability to threats".

RISK FACTORS
Some of the reasons that Trend Micro offers as to why these smart devices remain at risk include the following:

  • Limited computational abilities and hardware limitations. These devices have specific functions that warrant only limited computational abilities, leaving little room for robust security mechanisms and data protection.
  • Heterogeneous transmission technology. Devices often use a variety of transmission technology. This can make it difficult to establish standard protection methods and protocols.
  • Components of the device are vulnerable. Vulnerable basic components affect millions of deployed smart devices.
  • Users lacking security awareness. Lack of user security awareness could expose smart devices to vulnerabilities and attack openings.

Device vulnerabilities allow cybercriminals to use them as a foothold for their attacks, which reinforces the importance of security from the design phase.

How do device vulnerabilities affect users? "Looking into some of the more notable attacks on IoT devices shows how it can affect users," adds Trend Micro. "Threat actors can use vulnerable devices for lateral movement, allowing them to reach critical targets. Attackers can also use vulnerabilities to target devices themselves and weaponise them for larger campaigns or use them to spread malware to the network."

IoT botnets serve as an example that demonstrates the impact of device vulnerabilities and how cybercriminals have evolved to use them, it continues. "In 2016, Mirai, one of the most prominent types of IoT botnet malware, made a name for itself by taking down prominent websites in a distributed denial of service (DDoS) campaign consisting of thousands of compromised household IoT devices.

"From a business perspective, IoT devices further blur the distinction between the necessary security of businesses and homes, especially in work-from-home scenarios. Introducing IoT devices to the household can open new entry points in an environment that might have weak security, exposing employees to malware and attacks that could slip into a company's network. It's a significant consideration when implementing bring your own device (BYOD) and work-from-home arrangements. Attackers can also use IoT devices with existing issues to get into internal networks. These threats range from DNS rebinding attacks that allow for gathering and exfiltrating information from internal networks to new attacks via side channels, such as infrared laser inducted attacks against smart devices in homes and corporate environments."

Trend Micro points to a number of cases that, it says, demonstrate the impact of IoT vulnerabilities; some of them involve real-world settings, while others come from research into these devices. "The Open Web Application Security Project (OWASP), a non-profit foundation for improving software, annually releases a list of the top IoT vulnerabilities." Examples of these common flaws include weak, guessable or hardcoded passwords. "New variants of malware typically use this vulnerability. For example, we found a Mirai variant called Mukashi, which took advantage of CVE-2020-9054 and used brute force attacks with default credentials to log into Zyxel NAS products."

Adoption of the Secure by Design Code of Practice, launched back in 2018, has been lacklustre to say the least, comments David Adams, security consultant at Prism Infosec. "Without any carrot or stick, there was little incentive for IoT vendors to implement any of the 13 principles and the government has admitted as much saying that 'too many insecure consumer-connected products remain on the market and we need to take steps'."

‘CARROT AND STICK’
The Product Security and Telecommunications Infrastructure (PSTI) Bill aims to address this by mandating compliance with the top three guidelines in the Code of Practice, namely a ban on universal default passwords, vulnerability reporting and a minimum support period, and is expected to come into force from 2023. "It will act as the stick," states Adams, "but what of the carrot? To help prepare the way for regulation, the DCMS put out a tender for a kitemark scheme whereby manufacturers are voluntarily assessed by an independent third party.

"IASME launched its scheme last year, featuring three levels, Basic, Silver and Gold, which align with ETSI's EN 303 645, the PSTI, and are also mapped to the IoTSF Security Compliance Framework. Vendors that meet the criteria will be able to display a badge on their IoT device."

And plenty seem to have taken the carrot and the biggest one at that, he adds. "All those we've come across have gone for gold, because they see it as a way to not only reassure customers, but also get ahead of the curve and differentiate their offerings. No doubt uptake is being watched closely in the US, where NIST has proposed a similar 'labelling', although it has yet to appoint an overseer that would fulfil the same remit as IASME. The scheme and PSTI will mean that from 2023 we can expect a real improvement in IoT security, with security controls baked in from conception and devices no longer susceptible to takeover en masse through the use of default passwords. However, there is still an army of unsecure devices out there."

With over 30 billion devices already deployed, it's retro-managing these devices that is liable to cause businesses and consumers alike problems over the coming years, he points out, particularly as passwords are leaked, new vulnerabilities emerge and devices outlive their support. "To ensure that IoT devices on networks don't represent the weakest link, steps need to be taken towards embracing a zero trust strategy."

"However, this presents further challenges, as many systems are not currently zero trust enabled. We can therefore expect a sizable transition period and it's during this time, when systems are being retired and replaced, that networks are liable to be at their most susceptible to attack. This begs the question: do we also need to encourage retrospective assessments to get us through the dark age of the IoT?"

DEFECTS AND VULNERABILITIES
According to Jim Hietala, vice president, Business Development & Security, The Open Group, it's no secret that there is an increasing threat of cyber-attacks across any industry and for any organisation. "As reliance on technology grows, organisations need to focus on how to protect their devices from these cyber threats by ensuring the systems involved are secure and free of major defects and vulnerabilities. However, devices inevitably have vulnerabilities through their connection to a network. With the growing use of IoT devices, a business' attack surface grows alongside, as attacks can originate from the channels that connect IoT devices." What's more, he adds, cybercrime has become a lucrative and mature market and criminal groups are collaborating with peers to align strategies and select targets.

"This means that attacks are becoming more sophisticated, as malicious actors become fully-fledged criminal enterprises, providing as-a-service offerings and malware licences to established customer bases and target markets. As seen with recent ransomware attacks, no amount of network-focused security can prevent an attack, if cyber criminals work a situation where the actual point of infiltration is carried out by genuinely authorised users - a tactic that becomes more viable for attackers with IoT devices and a digital infrastructure that is more complex."

That, Hietala continues, is why it's not possible to consider any IoT device as 'trusted' in today's environment. "This is where Zero Trust is a critical concept to control and mitigate associated security risks. When it comes to the influx of IoT devices, securing networks is no longer enough. Organisations should be looking to models that secure the data and assets those networks are there to carry.

"Rather than assuming any device on a network must have passed a security checkpoint and is therefore trustworthy, Zero Trust assumes every action is potentially malicious and performs security on an ongoing, case-by-case basis," he points out.

"Defending against the cyber threats facing IoT devices is not a losing battle. However, the industry must establish standards and best practices for Zero Trust, in order to successfully implement this and ensure that proactive mitigation of cyber threats is a commonplace tactic for protecting IoT devices against increasingly sophisticated cyber criminals."