All good defense strategies share something in common: Whether they protect a castle or an IoT deployment, they all consist of layers that can maintain security even if one measure fails.
Even though castle or tower defense primarily exists in games these days, cybersecurity strategies elicit the same imagery. Firewalls and zero trust compare to barricades and moats to stop attacks coming from outside of the network. Knights and AI target individual threats that break through the initial defenses. Once attackers breach the outer walls, segmentation creates another line of defense between valuables so attacks can’t continue to spread.
Security strategies with multiple IoT security layers have become necessary because of the growing number of attacks targeting IoT. Between January and June 2021, 1.5 billion breaches took advantage of IoT vulnerabilities, according to security service provider Kaspersky. With the remote work movement and the spread of enterprise networks away from a central network, attackers can take advantage of more potential entry points.
IT administrators can adopt many security best practices that repeat across technologies. One way to organize their strategy is to adopt measures based on six IoT security layers throughout their deployment.
1. Hardware security
IoT devices in the field are often “out of sight, out of mind,” which means IT administrators can easily forget to secure the hardware physically. IoT devices already have limited on-device security options because of the computation and power constraints. These limitations combined with the remote nature of many IoT deployments make it easy for an attacker to find a network entry point using brute force, fuzzing, Rowhammer or side-channel attacks.
Organizations must build an outer line of defense for sensors and gateways. They can start by actively seeking out or designing hardware with built-in security measures. Security measures include tamper-resistant cases and device disablement upon tampering. IoT devices require hardware-level security because attacks on this level can easily escape detection by software-based security measures. Software security alone is not enough to prevent attacks.
2. Device security
The most obvious place for IT administrators to implement security measures for IoT is the devices. IoT devices come in many forms, including temperature sensors, surveillance cameras and wearable medical devices. Even though hardware security includes steps to protect individual devices, IoT device security includes more specific best practices, such as device discovery and segmentation.
Device discovery is the first step any organization must take. If IT administrators don’t know a device exists, they won’t implement other security strategies, such as changing a default password, issuing an update or shutting down unused devices.
3. Software security
The IoT industry hasn’t caught up to other technological areas when it comes to security standards and regulations. IoT technology doesn’t automatically have built-in security because it would cost more time and money to add it. However, organizations must build security into their devices, including their IoT software. Developers must consider the platforms, languages and tools they use to create IoT software because many libraries and APIs contain security flaws. IoT developers might use open source software to speed up development, but they must consider the available support and whether the community actively addresses issues. Software security must include limiting access and testing for vulnerabilities in the software.
4. Cloud security
Many IoT deployments use cloud computing to keep up with IoT data and application processing and storage demands. The cloud gives organizations greater flexibility and scalability, but it can create vulnerabilities, such as unsecure data flow between the edge and cloud. Cloud security often depends on the provider offering, such as Microsoft Azure IoT Suite, ThingWorx IoT platform or IBM Watson IoT platform.
Organizations can compare cloud provider offerings by looking at IT security audit reports and policies. Providers may offer different security features, including device monitoring and data encryption, but organizations must configure each security option. IT administrators must also understand what security responsibilities they must take on versus what falls under the cloud provider’s responsibility.
5. Application security
Attackers target IoT applications with vulnerabilities, such as weak passwords, poor update processes, outdated IoT app components, and unsecured network interfaces and data storage. IT administrators must plan for common threats, such as elevation of privilege or spoofing.
Standard best security practices — including regular apps updates, firewalls and access authorization — work well to protect applications. IT administrators must also secure the surrounding technology, API integrations and communication between devices and apps. However, they haven’t finished the job when all parts are secure; they must also continuously monitor IoT apps for unusual activity and threats.
6. Data security
IoT’s value comes from the business insights of the generated data. The data can inform processes or even ensure the health and safety of a medical patient. However, many organizations find data security one of the most challenging areas to navigate. IoT deployments generate massive volumes of data and constantly send and receive that data. Many protective layers must work together to ensure the data privacy and continued functionality of IoT devices. Organizations must also decide where to store and organize their IoT data. In addition to logistical considerations, legislative bodies have begun to expand data protection and privacy regulations that organizations must follow.
IT administrators can take initial steps to limit access, including regularly changing all passwords and updating every device. IoT data encryption such as SSL ensures that data won’t get intercepted. They must also implement firewalls to protect the devices and monitor how individuals and applications use sensitive data.