IoT Security on the Edge Is Never Absolute — Michael Skurla, Radix IoT
By Michael Skurla, Chief Product Officer, Radix IoT
Global peak in IoT technology adoption expected by 2025, with over 152,200 IoT devices connecting to the internet per minute.
Increase in IoT attacks, reaching over 10.54 million by last December.
IoT connectivity has evolved with advances in technology and enterprise needs, producing a range of IoT solutions and the integration of AI into data analytics.
It is estimated that by 2025, the global peak in IoT adoption, with over 152,200 IoT devices connecting to the internet per minute, could generate $4-11 trillion in economic value. This proliferation of devices goes hand in hand with open attack vectors that typical IT security provisions no longer cover.
So it should come as no surprise that this proliferation has given rise to a global wave of IoT attacks: by last December they exceeded 10.54 million.
To understand the ecosystem of these attacks, we must first understand that an IoT network is a collection of physical devices embedded with sensors, software, and network connectivity. These networks are typically highly diverse and include equipment and devices from many manufacturers. Tapping into this ecosystem has empowered enterprises to aggregate and share actionable data critical to their business continuity. The same proliferation has also made it obvious that the global market is not ready, or willing, to pay a significant premium for IoT security.
IoT connectivity has been transformed as new technologies and enterprise needs have driven the design and delivery of a range of IoT solutions: cellular-based IoT connectivity with its implications for enterprises and connectivity providers, more efficient embedded operating systems, and IoT-optimized protocols. Many hardware manufacturers now bundle hardware and connectivity for simpler integration. The integration of AI into IoT solutions has further expanded data analytics, reducing latency while making data management far more efficient.
Regulations Securing IoT
In recent years, IoT security measures have appeared around the globe. The Cyber Resilience Act proposed by the European Commission, the EU's first such regulation, is a nearly €1.5 trillion cybersecurity regulation for the IoT industry that mandates "stronger cybersecurity protections for IoT devices."
The IoT Cybersecurity Improvement Act of 2020 "prohibits agencies from procuring or using an IoT device after Dec. 4, 2022" if that device is considered "non-compliant" with standards developed by the National Institute of Standards and Technology (NIST).
In July 2023 the U.S. White House unveiled a voluntary consumer labeling program (the U.S. Cyber Trust Mark), aimed at protecting millions of consumers and remote workers as threats against smart home and IoT devices rise.
The regulatory landscape already in place includes:
Europe (ETSI): EN 303 645, Cyber Security for Consumer Internet of Things: Baseline Requirements.
Europe (ENISA): Baseline Security Recommendations for IoT in the context of Critical Information Infrastructures.
United States (NIST): NISTIR 8259A (IoT Device Cybersecurity Capability Core Baseline), NISTIR 8259B (IoT Non-Technical Supporting Capability Core Baseline), NISTIR 8228 (Considerations for Managing IoT Cybersecurity and Privacy Risks), and the NIST draft Baseline Security Criteria for Consumer IoT Devices.
United Kingdom (DCMS): Code of Practice for Consumer IoT Security and related documents.
Comparable Indian and Australian guidance, among others.
It is time for enterprises to shift their thinking from prevention alone to mechanisms for detecting, and gracefully recovering from, a breach. Prevention should always be in mind, but, simply put, it cannot move fast enough to count as a comprehensive strategy any longer.
Looming IoT Security Issues
Regulation has struggled to keep pace with technology: July 2023 alone saw 87 publicly disclosed security incidents, accounting for 146,290,598 compromised records. Government regulation cannot be seen as the answer either; it is a bare minimum of compliance, not protection.
IoT security threats have grown, especially in scale and across critical infrastructure, and IoT devices have become magnets for attackers now more than ever: both devices and stakeholders have multiplied, and embedded security development skills are in obviously short supply. On top of this, systems that traditionally were never networked are entering the IT estate, often with limited understanding of the security implications at every level, from end users to integrators and even manufacturers.
Most IoT security issues occur within cloud ecosystems, on desktops, and often in middleware (routers and switches).
But the greatest threat remains at the "far edge." This includes everything from the Pepsi machine in a company cafeteria to the Dell server in the rack; all of them are vectors. Attacks can target the physical, personal, operational, communication, network, and information layers. (Ironically, printers are often among the most vulnerable targets in an office.)
Currently, enterprises combat security risk with policy, awareness, training, and education of staff and employees, followed by the deployment of tested technology tools.
However, restrictions and policies have not proven sufficient to block security risks, and the attack surface keeps growing: by 2025, IoT devices are expected to outnumber non-IoT devices by 3:1.
According to Consumer Reports' Future of Memory Safety report, "60 to 70 percent of browser and kernel vulnerabilities—and security bugs found in C/C++ code bases—are due to memory unsafety, many of which can be solved by using memory-safe languages." Given how technical that fix is, regulation has so far focused on far more basic improvements. An example is the EN 303 645 standard, which focuses on:
No default passwords.
A vulnerability reporting mechanism for the product.
Transparency on the security lifecycle of a product.
This is certainly a start, but to truly address the security implications, the industry itself and end users must take responsibility for understanding what they deploy. Of the three provisions above, the most important is therefore transparency, so that an integrator, user, or anyone else can understand the true risk of adding a foreign device to their network.
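The first of those three provisions is the one most easily enforced in code at the factory. What follows is an added example, not code from this article or from Radix IoT: a Python provisioning-time check modelled on the "no universal default passwords" idea. It generates per-device credentials from the operating system's CSPRNG, rejects candidate passwords that appear in a list of well-known factory defaults or that can be derived from identifiers printed on the device label (serial number, MAC address), and flags any password shared between two units in a manufacturing inventory. The default list, the 12-character minimum, and the sample inventory are constructed assumptions for illustration; they are not text from the standard.

```python
"""Provisioning-time credential checks modelled on the 'no universal default
passwords' provision of EN 303 645. Added example: the default list, the
12-character minimum and the sample inventory are illustrative assumptions,
not text from the standard or from any vendor's provisioning tool."""
import re
import secrets
import string

# Constructed, illustrative sample of well-known factory defaults (not exhaustive).
KNOWN_DEFAULTS = {"", "admin", "password", "root", "default", "guest",
                  "1234", "12345", "123456"}
MIN_LENGTH = 12  # assumed policy value for this example
ALPHABET = string.ascii_letters + string.digits


def generate_device_password(length: int = 16) -> str:
    """Per-unit password from the OS CSPRNG: no two units share a secret and
    the value cannot be predicted from a serial number or MAC address."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def password_problems(password: str, serial: str, mac: str) -> list:
    """Return the reasons a proposed factory password is unacceptable
    (an empty list means it passes)."""
    problems = []
    p = password.lower()
    if p in KNOWN_DEFAULTS:
        problems.append("matches a well-known default")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Reject anything derivable from identifiers printed on the label or
    # visible on the network, e.g. the last six hex digits of the MAC.
    mac_hex = re.sub(r"[^0-9a-f]", "", mac.lower())
    for ident in (serial.lower(), mac_hex, mac_hex[-6:]):
        if ident and ident in p:
            problems.append(f"contains public identifier {ident!r}")
    return problems


def audit_inventory(devices: list) -> dict:
    """Check every unit in a manufacturing inventory. Each entry is a dict
    with 'serial', 'mac' and 'password'. Returns {serial: [problems]} for
    failing units only, including a password reused across units."""
    first_owner = {}  # password -> serial of the first unit that used it
    report = {}
    for dev in devices:
        probs = password_problems(dev["password"], dev["serial"], dev["mac"])
        owner = first_owner.setdefault(dev["password"], dev["serial"])
        if owner != dev["serial"]:
            probs.append(f"shared with device {owner}")
        if probs:
            report[dev["serial"]] = probs
    return report


# Constructed inventory for demonstration: one default, one label-derived,
# one good unit, and one unit that reuses the good unit's password.
SAMPLE_INVENTORY = [
    {"serial": "SN0001", "mac": "00:1A:2B:3C:4D:5E", "password": "admin"},
    {"serial": "SN0002", "mac": "00:1A:2B:3C:4D:5F", "password": "cam3c4d5f-unit"},
    {"serial": "SN0003", "mac": "00:1A:2B:3C:4D:60", "password": "Fz7qpR2kLm9wVt4Q"},
    {"serial": "SN0004", "mac": "00:1A:2B:3C:4D:61", "password": "Fz7qpR2kLm9wVt4Q"},
]


def fixed_inventory(devices: list) -> list:
    """Re-provision every failing unit with a fresh per-device password."""
    bad = audit_inventory(devices)
    return [dict(d, password=generate_device_password()) if d["serial"] in bad else d
            for d in devices]


if __name__ == "__main__":
    for serial, probs in audit_inventory(SAMPLE_INVENTORY).items():
        print(serial, "->", "; ".join(probs))
    print("after re-provisioning:", audit_inventory(fixed_inventory(SAMPLE_INVENTORY)))
```

The label-derivation check matters because a password that is merely unique per unit is not enough if it is computed from the MAC or serial that an attacker can read off the case or sniff on the LAN; the standard's intent is that the per-device value resist automated attacks against a whole product class, which a CSPRNG value satisfies and a label-derived one does not.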
Stop Hiring Cyber Security Professionals
While IoT offers vast global economic and societal advantages, it also poses major security concerns. For decades the focus has been on security and network protection.
Yet haphazard deployments across various applications have resulted in a lot of confusion.
The National Institute of Standards and Technology (NIST) Cybersecurity Framework recommends that enterprises Identify, Protect, Detect, Respond, and Recover. Security will never be absolute, and prescriptive standards have failed and will never evolve quickly enough to stay relevant in the fast-moving world of digital crime. Though it sounds counterintuitive, enterprises must stop hiring ever more cyber-security professionals. Instead, the industry should focus on building cyber-security competency into the trades and vendors it already relies on, because most breaches still come from the most basic of places: people. This would, however, require a shift in mindset. It would mean that enterprises make security a tenet of their business in more than just words, in practice.
It is important to understand that IoT security is spread across many heterogeneous devices, while IT security is concentrated in a known set of equipment.
Additionally, the three main factors to consider are regulation, safety, and liability. We know that consumers will not pay more and that liability is much greater upstream, so can regulation help rein in the security situation? There are already various levels of effort, shaped by technical debt, in both the regulatory and market-based spheres.
One thing is clear: regulators and governing bodies are slow, if not clueless. With the rapid pace of technology and the low-cost IoT devices already proliferating in the field, the cat is out of the bag, and its litters have already figured out how to outsource and clone themselves.
Michael Skurla is the Chief Product Officer of Radix IoT and has over 25 years of experience in control automation and IoT product design with Fortune 500 companies. He is a contributing member of ASHRAE, IES Education, and USGBC and a frequent lecturer on the evolving use of analytics and emerging IT technologies to foster efficiency within data centers and commercial facility design.