Telit Communications Ltd.

08/01/2024 | Press release | Archived content

How to Win the IoT Cybersecurity War

By Enrico Milanese

August 1, 2024

Cybercrime has a significant impact on operations and your bottom line. Statista predicts that the global cost of cybercrime will increase from $9.22 trillion in 2024 to $13.82 trillion by 2028.

What are the reasons for this rise, and how can organizations prepare for and respond to evolving IoT cybersecurity risks? Keep reading to discover the causes of the cybersecurity war and how your organization can win.

What Research Tells Us about IoT Security

Organizations weigh several factors when adopting the Internet of Things (IoT). Priority requirements for adoption have changed, and cybersecurity is chief among them.

According to a survey by McKinsey & Company, 32% of enterprise buyers cite cybersecurity as their top concern and an impediment to IoT adoption. A successful cybersecurity strategy requires consideration and implementation at each level. To avoid pitfalls, organizations need to be aware of security risks and the most efficient ways to overcome them.

The State of IoT Cybersecurity Disruptions

IoT security threats aren't just theoretical. Real-world attacks demonstrate the potential for disruption and harm. For example, vulnerabilities in smart meters and grid infrastructure could allow hackers to:

  • Disconnect service
  • Create blackouts
  • Report altered data that distorts electricity usage statistics

Recent public warnings from government security agencies showcase these risks. The U.S. National Security Agency released a report on cyber actors targeting utility infrastructure that supports national economies.

In addition, the Czech Republic's National Cyber and Information Security Agency identified security issues with certain smart meters. It warned that breaches could "include interruptions and mass disconnections of thousands of consumption points" and cause widespread blackouts.

Medical devices are another area of concern. Compromised devices could be manipulated to administer inappropriate and dangerous drug doses or report inaccurate vital signs data. The scenario is troubling enough that the U.S. Food and Drug Administration recently enacted new cybersecurity requirements for medical device manufacturers.

These are only a few examples that spotlight IoT risks. The potential threats increase as more industries and people connect to more devices.

What Are the Motivations for Cybercriminals?

Threat actors have differing motivations when breaching IoT ecosystems. Some look to steal data they can monetize directly. Others want to infiltrate business networks through unsecured IoT devices as an initial attack vector. More advanced hackers turn consumer IoT devices into botnets to enable distributed denial of service (DDoS) attacks that overwhelm their ultimate targets.

Recognizing these motives allows organizations to add the right protections. For example, a company concerned about data theft would invest in access controls, encryption and software integrity checking. These measures would prevent information compromise above all else.

A critical national infrastructure operator like an electric utility may emphasize measures to prevent mass device hijacks to avoid outages. Understanding threat actor incentives guides smart security decisions.

Why Is IoT Difficult to Secure?

Though IoT devices are becoming popular, they remain challenging to secure. Let's examine the most common reasons behind IoT cybersecurity issues.

Diverse Systems and Processes

There is no single standard operating system or set of communication protocols. Different devices operate on varying requirements. How those devices connect and communicate with clouds, servers and each other can also vary. It's challenging to implement functional security solutions with so many moving parts involved.

Hardware Upgrades

To secure IoT, you must overlay security measures on older equipment or legacy systems. Some systems can't be upgraded. You can upgrade others incrementally, but it's a slow process.

When adding devices to your IoT deployment, you must ensure the manufacturer builds security from the ground up. Read more in our white paper, "IoT Security: Empowering the Evolution of IoT."

Third-Party Dependencies

Third-party dependencies play a critical security role. You have little to no control over what a third-party provider does and little ability to make specific changes. These dependencies make it difficult to know and trust that data will be managed securely.

Limited Resources

Another essential but often overlooked security consideration is the limited resources within IoT devices. Compared to other devices, these tend to have lower computing power, battery power and storage capacity. These limitations can restrict the device security measures you can implement.

The State of Vulnerability Management

We can't discuss IoT cybersecurity without discussing vulnerability management. More code is involved in device functions than before, which leads to more vulnerabilities. There has been exponential growth in deployed devices with high variance and diversity. As a result, organizations must contend with enormous amounts of new code and IoT vulnerabilities.

Companies pay a high price to discover and mitigate vulnerabilities, then patch and update. Global Market Insights says the vulnerability management market was worth $14.5 billion in 2022. It predicts a compound annual growth rate (CAGR) of 10% between 2023 and 2032.

A survey from the IEEE Computer Society shows that developers spend about 30% of their time finding and fixing bugs. Consider an IoT environment where thousands or millions of devices stream data across infrastructure with several integration touchpoints. The defects and debugging time will only continue to grow.

A vulnerability enabling one compromised IoT device to execute code on peer equipment could require a large-scale redeployment of updated firmware. Unlike patching one server or database, this redeployment must occur simultaneously across all assets.

As investment in IoT expands, so does the need for security at a foundational level across hardware and software components. Otherwise, billions spent on these fixes may be wasted while more costly business disruptions arise.

Mitigating IoT Security Risks

How do you protect your organization from these threats and avoid the consequences of breaches? Take these steps to improve your security posture in the IoT landscape.

Vet Partners Carefully

If a third party suffers a breach or lacks segmentation and access controls, hackers may gain access to the sensitive data your systems transmit and store with those providers. Outsourcing aspects of an IoT ecosystem can relinquish visibility and control over your data at multiple junctions unless explicitly outlined in vendor agreements.

Some providers treat privacy and protective measures as an afterthought. Due diligence around a partner's security posture ensures that your information remains protected when engaging external services.

IT architects should conduct detailed assessments of elements including:

  • Encryption implementations
  • Operator access restrictions
  • Vulnerability testing procedures
  • Other safeguards used by third parties they wish to leverage for IoT deployments

Requiring access to audit logs and limiting data replication outside geographic or legal boundaries also reduces exposure from mismanaged vendor ecosystems. Knowing key partners take data confidentiality seriously reduces lapses that create breaches.

Have Device Visibility

IT leaders need an enterprise-wide connected device inventory to gauge their exposure. Understanding the reach of IoT and properly segmenting access is essential to contain threats.

While convenient for collecting and analyzing data, integrations also introduce risk in the form of "shadow IoT." If attackers access IoT devices on a corporate network, they may pivot to exploit vulnerabilities in adjacent business systems with which the devices interact daily.

Few IT teams have full visibility into all the IoT gear spread across their environment or what vulnerabilities old equipment may contain. Not patching or updating IoT gear with the same rigor as a server or laptop leaves easy openings for lateral movement across networks.

Know Attack Patterns

Organizations must also implement a security strategy that mitigates present and future attacks based on the most common patterns. Leverage technologies that reduce the need for continuous security patching. Software updates can be challenging and costly in IoT. You don't want to increase the risk of security issues if high or unexpected costs catch you off guard.

Operational awareness is crucial, as you must know the state of your deployment and if or when you are under attack. It's the only way to prevent or lessen the impact. You must consider security as early as possible.

Understanding the Role of Security by Design

Security can't be an afterthought when implementing an IoT system. Instead, organizations must make security an integral ingredient across their entire IoT value chain through security by design.

Security by design means considering potential vulnerabilities, threats and safeguards during a project's research and planning phases. It goes beyond considering these while configuring devices or cloud servers. It also means partnering with device manufacturers that engineer security measures into their products from the start.

Furthermore, organizations must acknowledge when they lack the in-house security expertise to evaluate and strengthen an IoT deployment. Seek outside guidance by partnering with an experienced IoT solutions provider. Build in security from the start through thoughtful design choices and collaboration.

Examples of IoT Security by Design

What does this concept look like in practice? Specific examples include:

  • Baking in device identity processes early on to enable proper access controls
  • Encrypting communications channels using robust algorithms to prevent data interception
  • Providing monitoring tools to detect anomalies indicating potential threats

For those building new IoT projects, prioritizing fundamental security hygiene is the best place to start. Measures to address common attack vectors include:

  • Automatic software updates
  • Multifactor authentication preceding configuration changes
  • Network micro-segmentation to isolate components
  • Structured penetration testing

Organizations without in-house security expertise can engage partners like Telit Cinterion, which has proven methodologies and implementation experience. Such a partner can set projects up for success from the start instead of reactively bolting on protection measures.

What You Need to Win the IoT Cybersecurity War

Telit Cinterion is a global leader in IoT enablement. We are trusted by thousands of direct and indirect customers worldwide. Our extensive solutions portfolio powers millions of connected devices to date.

For over 24 years, we have been a leader in global IoT solutions because we believe in your business's potential. You've done the challenging work of digital transformation. IoT will empower the next phase of your future, and security will empower IoT.

Our IoT solutions embrace a 360-degree security by design approach. We build security into every layer of your ecosystem, giving you holistic, end-to-end protection. We work with you to find a unique solution and provide the tools and confidence to take the next leap forward.

Key Takeaways

  • Cyberthreats are increasing in frequency and impact. The worldwide cost of cybercrime is predicted to reach $13.82 trillion by 2028.
  • Challenges to ensuring consistent, effective cybersecurity measures include diverse systems and processes and limited resources.
  • Security by design means that security is built into the project from the start. It includes measures like encryption and tools to monitor threats. This approach is crucial for a strong cybersecurity strategy.

Editor's Note: This blog was originally published on 14 September 2021 and has since been updated.