
Darron Antill at Device Authority argues that CISOs need more advanced tools to cope with the demands of IoT device security
To realise the full potential of the Internet of Things (IoT), the security decisions made by Chief Information Security Officers (CISOs) and their teams will prove pivotal.
With an anticipated IoT expansion to 55.7 billion devices by 2025, as forecast by IDC analysts, a new model of automation and integrated trust is required. Identities have become fundamental – and as the threat landscape changes, CISOs need more innovative approaches to protect huge arrays of devices.
The advances of Industry 4.0, connected vehicles, telemedicine and smart city concepts all call for a new security approach built on automation and integrated trust. If an IoT network authenticates and authorises a device only once, at onboarding, a stolen or cloned credential can be reused indefinitely and a single compromised device becomes the foothold for a much wider breach. The scale and heterogeneity of IoT deployments typically exceed what secure chipsets on their own, traditional enterprise security tooling, and standard cloud or network controls were designed to handle.
The cyber threats are substantial. IoT data is increasingly a prime target for theft, ransom, or disruption. Critical infrastructures are under the covert scrutiny of malign entities with evolving tactics. Concerns about these developments have prompted cyber agencies from the Five Eyes nations to issue alerts about attackers using "living off the land" techniques.
In February 2024, US authorities released an advisory on Volt Typhoon, a China state-sponsored group that pre-positions itself on IT networks in order to move laterally into operational technology systems. Volt Typhoon gains its initial access through internet-facing routers, firewalls and VPN appliances, exploiting known but unpatched vulnerabilities, and then uses stolen administrator credentials to move further into the network.
Threat actors employ a wide variety of methods. CrowdStrike's 2024 Global Threat Report highlights how attackers target the network perimeter, where defenders have the least visibility. Even well-known security vendors are not immune: early in 2023, Fortinet disclosed that FortiGate devices had been compromised with malicious firmware, prompting a significant advisory and a subsequent investigation.
The challenges of IoT security are boiling up at a time when CISOs are already grappling with tight budgets. The integration of IT with operational technologies across diverse and sprawling networks significantly extends the responsibilities of CISOs.
In manufacturing, CISOs must secure the production of new devices and maintain the integrity of supply chains. In established enterprises, CISOs roll out connected new systems, or oversee the retrofitting of security measures to previously unprotected operational technologies.
CISOs must also keep up with evolving regulation, such as the EU Cyber Resilience Act and US Executive Order 14028, which introduced Software Bill of Materials (SBOM) requirements for software sold to the US federal government. This adds another layer of complexity, particularly in the medical sector, where additional FDA and EU requirements apply. The SBOM is good news: it gives an inventory of the components inside a product, so that vulnerable or outdated components can be identified and patched. But it still requires detailed oversight by the CISO.
The stakes are also higher than ever. Legal action against CISOs for alleged internal control failures, such as the civil securities fraud charges the SEC brought against SolarWinds and its CISO in 2023, highlights the personal and professional risks involved. The SolarWinds breach not only underscored the vulnerabilities within software supply chains, but also had significant legal and reputational consequences for those in charge of security.
Given these growing responsibilities and risks, research by PwC and forecasts by Gartner indicate that spending on security and risk management will rise significantly as organisations accept that they cannot compromise on device security. Identity and access management spending alone is set to rise by more than 14%, according to Gartner.
With machine identities vastly outnumbering human users, CISOs and their teams could easily be overwhelmed by the tasks of provisioning, monitoring, patching and compliance. Automation has become essential in all areas but especially in ensuring device identity protection.
The complexities of managing large device estates demand a coordinated and integrated approach that spans the entire lifecycle of each device, from provisioning through patching to decommissioning, a set of tasks well beyond what manual processes can handle. As edge computing advances, enabling quicker data processing close to the device, security solutions must scale and adapt accordingly.
Organisations need a more holistic approach to IoT security: a zero trust architecture, automated end to end and built on a robust public key infrastructure (PKI). In practice this means running zero trust at device scale, so that every device is registered, issued a cryptographic identity, and provisioned into identity and access management (IAM) with policies that are enforced continuously rather than only at onboarding.
The same approach integrates policy-driven data encryption and continuous, automated monitoring, using artificial intelligence to detect anomalous device behaviour and respond swiftly to potential security breaches.
A more integrated and sophisticated approach to IoT security not only addresses immediate threats but also prepares for future challenges. It provides lifecycle management and continuous authorisation, and it helps meet requirements such as those of US EO 14028, which demands transparency in the software supply chain through the SBOM. Shared threat intelligence complements zero trust controls.
In manufacturing, automating IAM supports a secure-by-design approach: a chain of trust is established at the very first step, when a cryptographic identity is provisioned and bound to the device, and is then rigorously maintained throughout the device's life.
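The enrolment and continuous authentication steps described above can be made concrete. The following is an added example written for this page, not Device Authority's code: a hypothetical manufacturing root CA acts as the trust anchor, each device generates its own key pair and receives a certificate that binds its serial number into the subject, and a verifier later checks the certificate chain and demands a signature over a fresh nonce before trusting the device. All names (`newCA`, `enrollDevice`, `authenticateDevice`, the "SN-0001" serial) are assumptions for illustration, and everything uses only the Go standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical enrolment flow (added example, not Device Authority's code).
// A manufacturing root CA is the trust anchor; each device keeps its own private
// key and receives a certificate binding its serial number into the subject.

type deviceIdentity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey // never leaves the device (ideally a secure element)
}

// issue signs tmpl for pub. With parent == nil the certificate is self-signed.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newCA creates the self-signed manufacturing root installed in every verifier.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	cert, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, &key.PublicKey, key)
	return cert, key, err
}

// enrollDevice is the production-line step: the device generates its key pair,
// and the CA binds the device serial into a leaf with a bounded validity period.
func enrollDevice(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial string, validFor time.Duration) (*deviceIdentity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	cert, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: serial},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(validFor),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return &deviceIdentity{cert: cert, key: key}, nil
}

// signChallenge is the device's proof of possession of the enrolled key.
func (d *deviceIdentity) signChallenge(nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, d.key, digest[:])
}

// authenticateDevice is the verifier side. Presenting a certificate is not enough:
// the chain must reach the trusted root and be valid at `now`, and the device must
// have signed this exact nonce, so a captured response cannot be replayed later.
func authenticateDevice(roots *x509.CertPool, cert *x509.Certificate, nonce, sig []byte, now time.Time) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("chain verification failed: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", fmt.Errorf("unexpected public key type %T", cert.PublicKey)
	}
	digest := sha256.Sum256(nonce)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return "", fmt.Errorf("proof of possession failed for %q", cert.Subject.CommonName)
	}
	return cert.Subject.CommonName, nil
}

func main() {
	ca, caKey, err := newCA("Example Manufacturing Root CA")
	if err != nil {
		panic(err)
	}
	dev, err := enrollDevice(ca, caKey, "SN-0001", 365*24*time.Hour)
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	nonce := make([]byte, 32)
	rand.Read(nonce) // crypto/rand: a fresh nonce for every authentication attempt
	sig, _ := dev.signChallenge(nonce)
	id, err := authenticateDevice(roots, dev.cert, nonce, sig, time.Now())
	fmt.Println("authenticated:", id, "err:", err)
}
```

The verifier rejects three things a one-off onboarding check would miss: a certificate issued by a CA outside the trust anchor, a certificate that has passed its validity period, and a signature captured earlier and replayed against a different nonce. Short leaf lifetimes plus automated re-enrolment are what turn this into the "continuous authorisation" the article calls for.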
By focusing on a comprehensive approach, whether cloud-based or on-premises, CISOs can ensure their IoT environments are equipped to handle the demands of both today and tomorrow, making zero trust the standard and most effective means of securing connected devices.
As the IoT landscape continues to expand and evolve, the need for advanced, automated security solutions becomes ever more essential. CISOs, who face increasingly heavy burdens, must prioritise these capabilities to safeguard the vast networks of devices integral to the next stage of IoT evolution.
Darron Antill is the CEO of Device Authority
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543