IoT security challenges and solutions: What should be common knowledge
In 2022, the number of IoT (Internet of Things) connections in enterprises surpassed that of consumers and is forecast to double to over 24.3 billion connections by 2030. Many of these IoT devices are not actively monitored, are not integrated into security management tools, and lack strong authentication and encryption. These weaknesses make IoT networks the most insecure component of the enterprise infrastructure.
This blog outlines the primary challenges in securing IoT networks and the solutions that strengthen their resilience and defense.
Challenge One: Diverse IoT applications
The Internet of Things (IoT) encompasses consumer and commercial applications, expanding across all markets and sectors. The expansive reach of IoT across these sectors has resulted in a highly diverse suite of requirements. For example, industrial automation IoT (IIoT) systems require high availability, near real-time response, and seamless integration with control systems such as SCADA. In contrast, building control systems can tolerate a one- or two-second delay and can be managed through a cloud-based dashboard.
The diversity of IoT applications also results in different security requirements. For example, industrial automation requires high data accuracy, as an incorrect reading can disrupt production lines and impact human safety. For building control systems, an inaccurate reading may reduce energy efficiency and make room occupants less comfortable.
Pro Tip:
The implication is that there is no single security solution in IoT. The organization must assess the security of each IoT system individually. To do this, take the following steps:
- List key assets, such as devices, gateways, and storage.
- Identify data confidentiality, integrity, and availability requirements, such as the transmission of health data.
- Identify common threats and vulnerabilities, such as unauthorized access.
- Assess the impact of a security breach.

Challenge Two: Multiple standards and proprietary IoT technologies
The diversity of industry requirements has resulted in a proliferation of proprietary and standards-based IoT solutions. For example, the Bluetooth Low Energy (BLE) and Zigbee specifications focus on the connectivity of devices that are relatively close to each other. LoRaWAN, however, enables long-range communication for connecting devices that may be miles apart, such as utility meters and farming equipment. In addition to IoT-specific solutions, traditional wireless communications technologies like Wi-Fi and cellular standards have recently been enhanced to support high-data-rate IoT applications like video surveillance and augmented reality.
These IoT systems may operate in the same physical environment and, if wireless, share the same radio frequency spectrum. Beyond interference and coexistence problems, this introduces several security risks:
- Diverse access control mechanisms.
- A larger attack surface and more vulnerabilities.
- Difficulty enforcing consistent security policies.
- Devices that may not support the preferred security mechanisms.
Pro Tip:
It is crucial that IoT networks are isolated from one another and the enterprise network. Isolation reduces the attack surface by ensuring that if one device or IoT network is compromised, the others remain protected. This is accomplished through network segmentation and the deployment of gateways.
- Network segmentation isolates traffic on different logical networks, called Virtual LANs (VLANs). When segmenting the IoT networks, consideration should be given to the level of trust and risk of compromise. For example, temperature sensors may be considered low-trust devices, whereas gas valves monitored in real-time could be regarded as high-trust devices.
- IoT gateways act as a protective barrier between the IoT and enterprise networks. From a security perspective, they can have three essential functions. They can enforce device authentication before a device can send or receive data. They can define Access Control Lists (ACLs) that accept or deny traffic. They can also act as firewalls, inspecting and filtering data based on predefined security rules and policies.
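As an added illustration (not code from the original post), the following Go program models the gateway policy just described: an authentication gate first, then an ordered ACL over trust-tiered VLANs that ends in default deny, so no IoT VLAN can reach the enterprise network directly. The VLAN numbers, ports and rules are constructed assumptions, not a vendor configuration.

```go
package main

import "fmt"

type VLAN int // VLAN ids for the trust tiers (a constructed layout for this example)
const (
	VLANSensors    VLAN = 10  // low-trust: temperature sensors
	VLANControl    VLAN = 20  // high-trust: gas valves monitored in real time
	VLANGateway    VLAN = 30  // the IoT gateway's interfaces
	VLANEnterprise VLAN = 100 // corporate network, never reachable from IoT VLANs
)
// Flow is what the gateway ACL sees for one connection attempt.
type Flow struct {
	Src, Dst      VLAN
	DstPort       int
	Authenticated bool // the device completed gateway authentication
}

// Rule matches (Src, Dst, Port); Port 0 means any port. First match wins, and
// the list ends with an implicit deny, so every unlisted flow is dropped.
type Rule struct {
	Src, Dst VLAN
	Port     int
	Accept   bool
}
var gatewayACL = []Rule{
	{VLANSensors, VLANGateway, 1883, true},    // sensors publish MQTT to the gateway only
	{VLANControl, VLANGateway, 5683, true},    // valves report over CoAP to the gateway
	{VLANGateway, VLANControl, 5683, true},    // the gateway may command valves
	{VLANSensors, VLANControl, 0, false},      // low-trust never talks to high-trust
	{VLANEnterprise, VLANGateway, 8443, true}, // dashboards reach the gateway over TLS
}
// Evaluate applies the authentication gate first, then the ordered ACL.
func Evaluate(f Flow) (accept bool, reason string) {
	if !f.Authenticated {
		return false, "deny: device not authenticated"
	}
	for i, r := range gatewayACL {
		if r.Src == f.Src && r.Dst == f.Dst && (r.Port == 0 || r.Port == f.DstPort) {
			return r.Accept, fmt.Sprintf("rule %d matched", i)
		}
	}
	return false, "deny: no rule matched (default deny)"
}

func main() {
	ok, why := Evaluate(Flow{VLANSensors, VLANEnterprise, 445, true}) // a sensor reaching for a file share
	fmt.Printf("accept=%v (%s)\n", ok, why)
}
```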
Challenge Three: Multiple protocol stacks
IoT devices typically transmit small amounts of data intermittently rather than continuously, often just a few bytes. The TCP/IP communications protocols used in the IT industry are too resource-intensive for most IoT applications. For example, the 40-byte TCP/IP header is significantly larger than a few bytes of IoT payload data. Consequently, the industry has developed lightweight protocols suitable for IoT applications.
Unfortunately, there is not one preferred protocol stack for all IoT applications.
- The IEEE 802.15.4 Low-Rate Wireless network standard is the most widely used specification for the physical and link layers. Zigbee, Thread, ISA-100.11a, WirelessHART, and Wi-SUN are all based on 802.15.4. However, Bluetooth, LoRaWAN, and Sigfox define different physical and link layers.
- IoT solutions, such as Zigbee and cellular NB-IoT, define their own stacks, allowing IoT applications to be developed on top of them. However, there has been growing adoption of IPv6 in IoT networks, which is fostered by the 6LoWPAN adaptation layer.
Pro Tip:
Like in traditional IT networks, data encryption and message integrity can be applied at multiple layers when protecting the data transmitted over the IoT network.
- Device-to-device protection, where data sent directly between two IoT nodes is encrypted. Each link is independently protected. If one device is compromised, communications between other devices are still protected. The level of protection is dependent on the IoT technology deployed. For example, Bluetooth 4.1 supports 128-bit encryption. Link-level protection is ideal in environments where there is concern over local threats, such as eavesdropping on over-the-air communications.
- Device-to-gateway protection, where data is encrypted at the IoT device and decrypted at the gateway, and vice versa. This offloads processes, such as key management, to the IoT gateway and uniformly enforces security measures across the IoT network. This level of protection is effective in environments where the IoT gateway is filtering traffic.
- Device-to-cloud protection provides end-to-end data confidentiality, data integrity, and device authenticity. This enables the same security mechanisms to be applied across various IoT networks, including Zigbee and Wi-Fi. However, end-to-end encryption increases the complexity of key management and restricts data inspection and filtering at the gateway. Device-to-cloud protection is ideal in environments that require compliance with industry regulations, such as HIPAA.
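An added example, not from the original post, showing the trade-off between the last two options with AES-256-GCM in Go: under device-to-gateway protection the gateway can decrypt, inspect and re-encrypt a reading, while under device-to-cloud protection it cannot even authenticate the ciphertext, so its filter cannot run. The keys and the "temp=" payload filter are constructed for this example.

```go
package main
import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// Constructed 256-bit keys, one per protected hop (real deployments provision them per device).
var (
	devGwKey    = bytes.Repeat([]byte{0x11}, 32) // device <-> gateway
	gwCloudKey  = bytes.Repeat([]byte{0x22}, 32) // gateway <-> cloud
	devCloudKey = bytes.Repeat([]byte{0x33}, 32) // device <-> cloud, never given to the gateway
)
func gcm(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); a, _ := cipher.NewGCM(b); return a } // AES-256-GCM
// seal encrypts and prefixes the random nonce to the output.
func seal(key, plaintext []byte) []byte {
	aead := gcm(key)
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce)
	return aead.Seal(nonce, nonce, plaintext, nil)
}
// open splits off the nonce and verifies the GCM tag before returning plaintext.
func open(key, msg []byte) ([]byte, error) {
	aead := gcm(key)
	if n := aead.NonceSize(); len(msg) >= n {
		return aead.Open(nil, msg[:n], msg[n:], nil)
	}
	return nil, errors.New("message too short")
}
// gatewayFilter is the gateway's inspection step: only temperature reports are forwarded.
func gatewayFilter(reading []byte) bool { return bytes.HasPrefix(reading, []byte("temp=")) }
// HopByHop models device-to-gateway protection: the gateway decrypts with the device hop key, inspects, and re-encrypts for the cloud.
func HopByHop(reading []byte) ([]byte, error) {
	plain, err := open(devGwKey, seal(devGwKey, reading))
	if err != nil {
		return nil, err
	}
	if !gatewayFilter(plain) {
		return nil, errors.New("gateway dropped payload that is not a temperature report")
	}
	return open(gwCloudKey, seal(gwCloudKey, plain)) // the cloud decrypts the second hop
}
// EndToEnd models device-to-cloud protection: the gateway forwards ciphertext it can neither authenticate nor read.
func EndToEnd(reading []byte) (cloudPlain []byte, gatewayCouldRead bool, err error) {
	msg := seal(devCloudKey, reading)
	_, gwErr := open(devGwKey, msg) // wrong key: GCM tag verification fails
	cloudPlain, err = open(devCloudKey, msg)
	return cloudPlain, gwErr == nil, err
}
```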
Challenge Four: Resource-constrained IoT devices
Device limitations can be a significant challenge for securing IoT networks. Not only is there a wide diversity of IoT devices, but these devices also typically have limited computing power, memory, and storage capabilities. Additionally, many IoT devices are low-power devices that run on batteries, which are expected to last weeks, months, or even years. These device constraints mean that the IoT device may not be able to:
- Perform a secure boot that checks that only trusted and verified software runs on the device.
- Perform firmware upgrades to address bugs and security vulnerabilities.
- Support digital certificates for stronger authentication and public key encryption.
- Send standardized alerts and detailed logs, which can make it challenging to monitor IoT devices.
Additionally, IoT devices are often deployed in areas with limited physical security. If an attacker gains access to an IoT device, they may be able to extract passwords and other data that could compromise the system.
Pro Tip:
While not a comprehensive solution, the following steps can help alleviate security concerns:
- Where possible, deploy tamper-resistant hardware. For example, tamper-evident enclosures, alerts, or tags show whether the device has been tampered with. For high-end IoT devices, apply IT-level security hardware guidelines such as using Secure Element (SE) chips and a Trusted Platform Module (TPM).
- When supported, deploy over-the-air (OTA) updates for patching vulnerabilities. Wi-Fi and NB-IoT devices can support OTA updates, whereas ultra-low-power or low-memory devices do not.
- Monitoring the IoT gateway is crucial. As discussed above, gateways offload resource-intensive security functions from IoT devices, such as authentication and encryption, while performing data inspection and filtering. While the gateway can detect vulnerabilities and data breaches in the IoT network, it is also a single point of failure: if the gateway is compromised, it could lead to unauthorized access to the entire enterprise network.
- Use a lightweight monitoring protocol if possible. Several protocols have been designed to support monitoring low-power, resource-constrained IoT devices. These include Modbus, Message Queuing Telemetry Transport (MQTT), and Constrained Application Protocol (CoAP).
- Integrate IoT alerts and logs into a centralized security monitoring tool if viable. Integration is crucial as the number of IoT devices within the organization grows, increasing the complexity of securing the IoT network.
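An added example (not part of the original post) of the check a secure-boot or OTA agent performs on a signed firmware image before flashing it, here in Go with Ed25519: reject images not signed by the vendor key provisioned at manufacture, and reject downgrades that would reintroduce a patched vulnerability. The image layout, the 4-byte version field and the seeded keys are assumptions for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"errors"
)

// Image is the OTA package as the device receives it (constructed layout for this
// example): Payload = 4-byte big-endian version followed by the firmware bytes, and
// Signature = Ed25519 signature over the whole Payload.
type Image struct {
	Payload, Signature []byte
}

// BuildImage is the vendor-side signing step.
func BuildImage(vendorPriv ed25519.PrivateKey, version uint32, firmware []byte) Image {
	payload := make([]byte, 4+len(firmware))
	binary.BigEndian.PutUint32(payload, version)
	copy(payload[4:], firmware)
	return Image{payload, ed25519.Sign(vendorPriv, payload)}
}

// VerifyImage is what the bootloader or OTA agent runs before flashing: the only key it
// trusts is the vendor public key provisioned at manufacture, and it refuses downgrades
// so that a previously patched vulnerability cannot be reintroduced. It returns the
// version that may be installed.
func VerifyImage(vendorPub ed25519.PublicKey, running uint32, img Image) (uint32, error) {
	if len(img.Payload) < 4 {
		return 0, errors.New("image too short")
	}
	if !ed25519.Verify(vendorPub, img.Payload, img.Signature) {
		return 0, errors.New("signature invalid: image was not signed by the trusted vendor key")
	}
	v := binary.BigEndian.Uint32(img.Payload)
	if v <= running {
		return 0, errors.New("rollback refused: image is not newer than the running firmware")
	}
	return v, nil
}

// keyPair derives a deterministic key pair from a constructed seed so the example runs offline.
func keyPair(seed byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{seed}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}
```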
What to do after reading this blog
Securing IoT networks is becoming increasingly important as the number of connected IoT devices continues to grow and the pressure to safeguard the IoT from cybersecurity threats and meet regulatory compliance requirements intensifies. After reading this blog, you should:
- Identify the IoT networks within your organization.
- Assess the effectiveness of the current security measures.
- Review the security solutions outlined in this blog and determine which ones align with your organization’s security needs.
- Create a plan for implementing any identified security enhancements.

