
Automating IoT security

Darron Antill at Device Authority argues that the new NIST push on IoT security automation is a global call-to-action

 

Since its release in 2014, the US NIST Cybersecurity Framework (CSF) has significantly influenced national policy and industry standards for protecting critical infrastructure. It was developed in response to a White House executive order requiring US critical infrastructure organisations to increase protection of vital assets, “physical or virtual”.

 

As threats have multiplied, the NIST guidance has gone through significant updates and broadened to cover more organisations. The framework has achieved widespread global adoption and is important for foreign organisations conducting business in the US, or for any with supply chains that include American companies. Compliance with NIST principles is effectively mandatory for engagement with US federal government agencies.

 

A new NIST publication, Towards Automating IoT Security: Implementing Trusted Network-layer Onboarding (along with its reference architecture for IoT of May 2024), addresses the Internet of Things and the devices in such networks, which are increasingly critical to major businesses and critical infrastructure organisations. It stresses the importance of device lifecycle automation and provides a route forward for enterprises with diverse IoT ecosystems, placing zero-touch provisioning and continuous trust assessment right at the forefront.

 

That emphasis aligns closely with feedback NIST received during two public workshops held as part of its five-year review of IoT cyber-security guidance. Participants surfaced three clear needs: (1) lifecycle-centric security that follows a device from design through retirement; (2) richer risk visibility and evaluation so organisations grasp the impact of unforeseen use cases and environments; and (3) more effective communication between manufacturers and customers, pre- and post-market, to keep security expectations aligned.

 

With those priorities in mind, cyber-professionals should already be familiar with the five core NIST principles (Identify, Protect, Detect, Respond, Recover) and with how the new guidance shifts the focus from patching problems to building security in from the outset. But publishing guidance is only half the battle; the next step is turning it into action.

 

New threats to IoT security

Most enterprise-level organisations now have expanding networks of IoT devices. Many, however, include numerous poorly protected devices dating from an era when cyber-threat actors were thought mostly to focus on rich pickings in IT. 

 

Frequent cyber-attacks on infrastructure organisations should remind us of the vulnerabilities of all IoT networks and their controlling systems. In 2020, cyber-attackers gained access to systems at the Oldsmar water treatment plant in Florida and were within seconds of ordering them to vastly increase the level of caustic soda in the water supply.

 

Threats are constantly mounting. This year’s Waterfall 2025 OT Security report, for example, says 2024 saw a 146% increase in sites suffering “physical impairment of operations because of cyber-attacks” and that most attacks affected multiple physical locations.

 

The risks to IoT networks are central to the NIST IoT Security Framework, which provides a comprehensive risk management approach to securing devices across industries, with particular relevance for healthcare, automotive manufacturing and, of course, infrastructure organisations.

 

NIST IoT guidance is multi-layered

Emphasising a multi-layered approach that integrates networking, storage, and processing, NIST IoT guidelines, if properly implemented, should offer a robust security framework.

 

The recommendations include regular software updates, strong encryption for data in transit and device authentication protocols. These measures are vital for maintaining IoT device security and integrity, which is why organisations should conduct periodic risk assessments to ensure their IoT security measures accord with NIST guidelines.

 

Taking the initiative on risk management is crucial. Organisations need to employ automation to manage the identities of millions of IoT devices, which is otherwise complex, time-consuming and error-prone for IT staff. Traditional security models, such as password-based authentication, often fail at the scale required for IoT ecosystems, which frequently comprise highly diverse types of devices.

 

Digital certificates and cryptographic keys, supported by public key infrastructure (PKI), are critical to ensuring that each device has its own verifiable identity. Yet onboarding new devices and managing many thousands of identities across a dispersed physical estate is beyond the resources of most in-house IT teams.

 

The number of connected devices is ballooning as automation of processes and monitoring expands rapidly in all industries. The latest projections from Statista are for the number to more than double from nearly 16 billion in 2023 to more than 32 billion in 2030. Definitions of connected devices vary, but it is certain that the expansion of IoT networks is at a scale requiring automation of security tasks.

 

Device identity management automation  

Organisations must implement automation that streamlines certificate issuance and renewal, reducing human intervention and the associated risks. A single lapse can be sufficient to open up an IoT network to threat actors. The Volt Typhoon threat group, for example, is back in business using devices to create botnets for follow-on attacks against critical infrastructure.

 

AI-enabled identity management systems should become the norm, helping organisations to secure IoT networks against increasingly sophisticated threats. Automation needs to cover the full lifecycle, including revocation of PKI certificates to eliminate certificate-based outages. Organisations must ensure redundant devices are effectively disconnected so they do not become doorways into OT and IT systems for hackers.
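The lifecycle decisions described above (renew before expiry, reissue after a lapse, revoke when a device is retired) can be expressed as a small policy function. This is an added example, not code from the article, NIST or any vendor; the inventory record fields, the one-third renewal threshold and the device names are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

class Action(Enum):
    OK = "ok"
    RENEW = "renew"      # still valid, but inside the renewal window
    REISSUE = "reissue"  # expired or revoked on an active device: an outage
    REVOKE = "revoke"    # device retired but its certificate is still usable

@dataclass(frozen=True)
class DeviceCert:        # hypothetical inventory record
    device_id: str
    not_before: datetime
    not_after: datetime
    active: bool         # False once the device is decommissioned
    revoked: bool = False

def decide(cert, now, renew_fraction=1 / 3):
    """Return the lifecycle action for one device certificate."""
    expired = cert.not_after <= now
    if not cert.active:
        # A retired device must not keep a usable identity.
        return Action.OK if (cert.revoked or expired) else Action.REVOKE
    if cert.revoked or expired:
        return Action.REISSUE
    lifetime = cert.not_after - cert.not_before
    remaining = cert.not_after - now
    # Assumed policy: renew once less than renew_fraction of the lifetime is left.
    return Action.RENEW if remaining <= lifetime * renew_fraction else Action.OK

def plan(fleet, now, renew_fraction=1 / 3):
    """Group device ids by required action; devices needing nothing are omitted."""
    out = {}
    for cert in fleet:
        action = decide(cert, now, renew_fraction)
        if action is not Action.OK:
            out.setdefault(action, []).append(cert.device_id)
    return out

# Constructed sample fleet (not real devices).
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
def make_cert(dev, issued_days_ago, valid_days, active=True, revoked=False):
    nb = NOW - timedelta(days=issued_days_ago)
    return DeviceCert(dev, nb, nb + timedelta(days=valid_days), active, revoked)

FLEET = [
    make_cert("pump-01", 30, 365),                   # fresh
    make_cert("pump-02", 300, 365),                  # 65 of 365 days left
    make_cert("valve-07", 400, 365),                 # expired, still active
    make_cert("sensor-19", 100, 365, active=False),  # retired, cert still valid
    make_cert("sensor-20", 100, 365, active=False, revoked=True),
]
```

Running `plan(FLEET, NOW)` on a schedule gives the work queue an issuance service would act on, so no step depends on someone remembering an expiry date.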

 

In any sector, advanced platforms will accomplish all these vital tasks across the network, from edge environments to all devices, with security baselines enforced. Comprehensive solutions, such as trusted execution environments (TEEs), zero trust architecture (mutual transport layer security) and advanced encryption protocols like AES-256, are essential to protect data and computation at the edge.

 

Organisations can integrate privileged access management solutions to ensure human access to networks is on the basis of genuine requirements and is limited to specific roles and requirements with full auditing.

 

AI in IoT security

To counter the increased sophistication of attacks, organisations should have AI-powered anomaly detection and proactive threat mitigation to ensure they respond at speed, using, for example, the capabilities of Microsoft Copilot.

 

Working in tandem with an automated device lifecycle management platform, Copilot can analyse live data and draw on intelligence such as a device’s software bills of materials (SBOMs). It can cross-reference with external vulnerability databases, assess risk, recommend next steps and support automated mitigation – even in very complex IoT environments. By integrating predictive analytics with automated update systems, businesses can stay ahead of potential threats while reducing downtime and improving operational efficiency.

 

Companies that take action to comply with the newly published NIST IoT recommendations through real-time monitoring and centralised security management will very significantly strengthen their defences and gain the agility to adapt to new threats amid the rapid growth of IoT.

 

The latest NIST publication on IoT security is a significant landmark, pointing the way to a modernised, effective approach based on proven innovation. Organisations need to take heed and act on its recommendations, increasing automation to secure their networks into the foreseeable future.

 


 

Darron Antill is CEO at Device Authority

 

Main image courtesy of iStockPhoto.com and PlargueDoctor



© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543