In this article, we present the Internet of Things (IoT) and the current security status of IoT devices. The reader will also gain a practical guide towards IoT security in the workplace and an account of the latest information to help futureproof organisations against cyber attacks.

How does IoT work?

Through IoT, Internet connectivity is expanded outside of standard devices, including smartphones and laptops. IoT allows everyday items to become Internet-enabled. By implanting these devices with technology, the tool develops its capability to interact and communicate over the Internet and ultimately enables its remote monitoring and control.

Here is a definition of IoT:

“The Internet of things (IoT) is the network of physical devices, vehicles, home appliances, and other items embedded with electronics, software, sensors, actuators, and connectivity which enables these things to connect, collect and exchange data.” (Wikipedia)

Examples of IoT applications used by consumers or industry:

• Connected cars
• Smart homes
• Smart grid
• Industrial internet
• Smart cities
• Connected health
• Wearables
• Smart retail
• Smart supply chain
• Smart farming

IoT global market statistics:

• Over 23 billion connected devices in 2018
• 31 per cent growth year-on-year
• Estimated 31 billion devices in use by 2020
• Market value predicted $7.1 trillion by 2020

What are the main security challenges of IoT?

IoT provides a range of advantageous new features for users both in the home and in the workplace. However, it is crucial that users recognise and carefully think through the potential security issues that come with the IoT phenomena.

IoT instant connectivity

Fundamentally through IoT users can connect their device from their phone to a network-connected computer system. Providing a powerful process of connectivity for the users and beneficiaries, yet a security headache for IT departments and law enforcement, and of course a new source of exploitation for hackers.

IoT malware and computer viruses

With an increased reliance on smart technology and the IoT, the security of traditionally non-internet-exposed devices thrusts into the spotlight. With the average person using IoT technology, this exposes a large amount of the population to potential security threats such as malware and computer viruses.

Given the growth in the usage and deployment of IoT devices, the potential for physical cyber attacks such as attacks through smart city technology (example: automation of traffic lights) could also become a heightened risk, resulting in injuries and the prospect of widespread damage.

IoT and DDoS attacks

Be vigilant to DDoS attacks on IoT devices. Back in 2016 ‘Mirai Botnethad’ infected in the region of 65,000 machines in just 20 hours! Mirai appeared to target routers, printers, IP cameras and digital recording devices. 

IoT buggy apps

Buggy apps are a unique problem of IoT systems. They can cause unexpected ‘bad app’ exchanges and failures, leading to unsafe and dangerous activity.

For example, buggy apps could unlock the connected-computer security system of a building or even a bank, allowing access for criminals.

IoT development and regulation

As the participation of IoT rapidly grows and advances, many professionals are calling for a greater emphasis on security in the development of IoT technology.

The development of the following IoT systems involving specialist areas are of particular interest to security professionals: 

• End nodes
• Hybrid systems
• Industrial security controls systems
• IoT-related business processes

There is also much debate surrounding the need for regulatory changes in the industry.

IoT and privacy

The age of IoT has also introduced a subdivision of internet-connected devices that are classed by some and could be used as “spyware” from appliances to cameras and even thermostats.

How is the IoT influencing the industry?

Let us now take a look at the challenges and triumphs of major industries that have adopted IoT technology:

IoT and the car industry

• The automotive industry is an example of a sector that has embraced computer-controlled devices. From the brakes of the car to its engine, this industry is using IoT technology
• However, evidence reveals that connected cars could be vulnerable to attackers through the vehicle’s onboard network
• Hackers could also topple the vehicle computer systems remotely, which are Internet-connected

IoT and the medical industry

• Healthcare has an estimated IoT technology market opportunity of $118 billion by 2020
• However, despite the many positive gains the medical sector could receive from IoT it also has much to be wary of
• In 2008 pacemakers were revealed as the latest medical target for hackers. Researchers highlighted the remote control of the devices without permission
• Next, it was the turn of insulin pumps and implantable cardioverter defibrillators to be exploited. Real-life hackers remotely controlled the life-critical medical equipment

IoT and law enforcement

• Law enforcement is utilising IoT technology on a daily basis to help fight crime
• Police forces use connected devices to aid in a variety of tasks, such as:
  • Bodycams are used to identify, process, and comprehend information in an emergency
  • Sensors are placed in firearms to trace usage
  • Smart cameras deployed at significant events

What can companies do to futureproof themselves against IoT security issues?

These organisations have been set up to help provide a source of knowledge and understanding for the IoT industry:

The Internet of Things Security Foundation (IoTSF)

First launched in 2015, the Internet of Things Security Foundation (IoTSF) has a mission to secure IoT through best practice and knowledge.

The IoTSF includes technology providers and telecommunication firms.

www.iotsecurityfoundation.org 

Protect Things

Mozilla launched Protect Things in 2017 to provide a safe route to IoT devices through a Web of Things gateway.

www.iot.mozilla.org

Europol-ENISA IoT security recommendations

www.enisa.europa.eu

At a 2018 IoT security conference chaired by European Union Agency for Network and Information Security (ENISA) and Europol European cybersecurity experts gave their view on the security requirements of IoT:

• ENISA and Europol should continue a close working relationship, helping critical stakeholders in the cybersecurity and criminal aspects of deploying IoT
• Future security solutions for IoT need to be economically sustainable as well as holistic, practical and pragmatic
• Law enforcement needs to investigate and prosecute the criminals abusing connected devices
• Do not let security be an afterthought when designing IoT systems
• Data and privacy protection needs to be considered by both the amount and category of data collected
• A review of the overall IoT ecosystem is crucial
• Creating more robust collaborations with industry

Top tips for installing and securing IoT devices at work

Now let us look at IoT in the workplace. The best place to start is to list the IoT technology you have deployed or are considering adopting in your organisation’s network.

Reflect on these three key questions specific to each IoT technology:

1. How straightforward are they to patch?
2. What security procedures do they support?
3. Does the supplier have a comprehensive privacy policy?

Here are ten best practice guidelines (in no particular order) for working safely with IoT systems in the workplace: 

1. Disconnect UPnP on the network

• Universal Plug and Play (UPnP) is known for making devices vulnerable to attack
• Although UPnP is intended to aid networking without configuration, it is also exploited by hackers who use it to target devices outside of the local network through vulnerabilities in the UPnP protocol
• Best practice suggests switching off UPnP entirely

2. Install the latest firmware onto your network

• Firmware provides the latest security patches
• However, to reduce the probability of an attack, you need to keep your firmware fully updated
• As vulnerabilities occur daily, update your IoT devices and your router regularly
• Keep this process simple by automating it
• Create a scheduled reminder to review updates regularly

3. Investigate cloud services offering IoT security

• Many IoT devices use cloud services
• However, the need for an internet connection to function can cause a problem
  • Firstly, it will not operate when the network is down
  • Secondly, it may sync sensitive data
  • Thirdly, it could provide a potential route into your workplace
• Read the suppliers privacy policy
• Look out for reassurances around data protection and encryption

4. Disconnect IoT devices unless required

• Consider the merit of the functionality of the device
• Do not connect the device to the Internet because you can
• Examine the features it provides before you go live on the network

5. Protect your privacy

• Do not purchase or take on IoT technology unless you have evidence that it has been screened safely for potential security vulnerabilities and violations of privacy

6. Configure a separate IoT interface

• For IoT devices configure a different interface
• The new network must only give access to IoT devices
• Prevent access to networked devices or shared files
• Such configuration prevents hackers from pivoting into your main operations

7. Set unique passwords for every IoT device

• Set-up strong passwords
• Create a unique password for each device
• Stop hackers from gaining access to multiple devices by reusing passwords
• Implement a password manager to keep passwords tracked
• Read our latest protection password blog

8. Monitor and review IoT technology

• Track everything connected to the network
• Keep a monitor of the flow of traffic
• Evaluate each tool to determine its level of access to the system
• Check each device regularly for patching
• Create a flag for unidentified devices

9. Remove personal IoT devices from the workplace

• Do not take your IoT devices to work
• Wearable IoT devices can create potential security concerns
• Create a clear Bring Your Own Device (BYOD) policy and enforce it
• Prohibit private IoT tech from connecting to the network
• Worse case limit personal devices to a guest network.

10. IoT DDoS mitigation recommendations

• Keep abreast of the latest cyber attacks
• Do your due diligence and research vendors who might have infected IoT devices before you implement their technology