IoT – The New Attack Surface

Whether as part of a connected smart building using multiple sensor arrays, or an automated factory production line, the use of IoT has seen a massive explosion in recent years and it’s not about to slow down, with 75 billion connected devices predicted by 2025.

These devices are often left vulnerable due to poorly implemented software, or simply because not enough attention is paid to installing them in a secure manner. They present a very large attack surface for hackers to target, which has led to some highly publicised attacks that are notable either for their boldness or weirdness, from the hack of a Casino’s High Rollers Database through an aquarium thermostat, to the thousands of Wi-Fi enabled dolls that can be turned into surveillance devices within your home.

For businesses, these IoT devices pose a very real threat, with the potential for direct attacks on a device’s vulnerabilities. Devices can be turned into bad actors from within an assumed secure network, able to attack the communication channels between devices to mine data. So, how can IoT be secured?

Any device that is being connected to a network must be configured with security in mind. Wherever possible, default passwords should be changed and only secure methods of remote connectivity should be used. Consider direct physical attack also, and if a device has no method of protecting external interfaces, install it in a secure location or hidden behind a panel.

The network should have the ability to confidently identify an IoT device type so that it can be categorised correctly. This categorisation will allow for a network policy to be applied, ensuring that the device’s access is appropriately restricted. That way, if a device is successfully compromised and controlled, the damage it can inflict is minimal.

Finally, constant monitoring of the behaviour of these IoT devices is key. Understanding what normal behaviour looks like and then using automated machine learning tools to identify and address risky behaviour is the last line of defence for unsecured IoT devices.
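The categorise, restrict and monitor approach from the two paragraphs above can be sketched as follows; this is an added example, not part of the original post. The MAC prefixes, categories, policy entries, baseline figures and flow records are all constructed, identification by MAC prefix is an assumed stand-in for real device fingerprinting, and a fixed multiple of the baseline stands in for the machine learning tools the post mentions.

```python
from ipaddress import ip_address, ip_network

# Constructed fingerprint table: MAC prefix -> device category (assumption;
# real deployments combine several signals to identify a device type).
CATEGORY_BY_PREFIX = {"02:aa:00": "thermostat", "02:bb:00": "camera"}

# Constructed per-category policy: the only (network, port) pairs allowed.
POLICY = {
    "thermostat": [("10.20.0.5/32", 8883)],                       # broker only
    "camera": [("10.20.0.10/32", 554), ("10.20.0.10/32", 443)],   # recorder only
}

def categorise(mac):
    """Return the device category, or 'unknown' if the prefix is unrecognised."""
    return CATEGORY_BY_PREFIX.get(mac.lower()[:8], "unknown")

def allowed(category, dst, port):
    """True if the category's policy permits this destination and port."""
    return any(ip_address(dst) in ip_network(net) and port == p
               for net, p in POLICY.get(category, []))

def review_flows(flows, baseline_bytes, factor=10):
    """Return (flow, reason) pairs for flows that need attention."""
    alerts = []
    for f in flows:
        cat = categorise(f["mac"])
        if cat == "unknown":                      # cannot be categorised
            alerts.append((f, "unidentified device"))
        elif not allowed(cat, f["dst"], f["port"]):   # outside its policy
            alerts.append((f, f"{cat} policy violation"))
        elif f["bytes"] > factor * baseline_bytes.get(cat, 0):  # abnormal volume
            alerts.append((f, f"{cat} volume anomaly"))
    return alerts

# Constructed flow records and per-category "normal" byte counts.
SAMPLE_FLOWS = [
    {"mac": "02:AA:00:11:22:33", "dst": "10.20.0.5", "port": 8883, "bytes": 900},
    {"mac": "02:AA:00:11:22:33", "dst": "10.30.0.7", "port": 5432, "bytes": 4000},
    {"mac": "02:BB:00:44:55:66", "dst": "10.20.0.10", "port": 554, "bytes": 9_000_000_000},
    {"mac": "02:CC:00:77:88:99", "dst": "10.20.0.5", "port": 8883, "bytes": 100},
]
BASELINE_BYTES = {"thermostat": 1_000, "camera": 50_000_000}

if __name__ == "__main__":
    for flow, reason in review_flows(SAMPLE_FLOWS, BASELINE_BYTES):
        print(reason, flow["mac"], "->", flow["dst"], flow["port"])
```

Unidentified devices are flagged rather than given a default category, so a device the network cannot classify never inherits another category's access.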

In short, an organisation’s IoT security strategy should be built on the assumption of compromise and all measures need to be taken to prevent it in the first instance, and to identify it quickly when it does occur.