Security has always been one of the biggest challenges when implementing IoT. There are many examples of security breaches and the threat landscape is becoming more and more severe. In this article, we will explore the dynamics of change in IoT security and some approaches to protect connected devices.
IoT Security: A Rising Trend
The widespread adoption of IoT across a range of consumer and enterprise applications creates more opportunities for attackers and puts IoT into increasingly critical systems. At the same time, adoption continues to grow: the number of IoT connections is expected to rise from 16 billion in 2023 to 40 billion by 2033.
IoT devices will always be somewhat vulnerable, as they are often deployed in unattended environments and with a complex mix of technologies and actors, making them a potential weak point in the security chain.
The diversity of IoT also poses a challenge, as enterprise security professionals must understand security risks across a broader range of devices than just phones, PCs and other IT infrastructure, creating a skills shortage.
The challenges have also grown in recent years: IoT devices, for example, tend to be increasingly constrained in processing power, memory and energy, which limits their ability to support robust security features and updates.
Historically, weak IoT security regulation allowed manufacturers to cut corners, as the Mirai botnet, which exploited basic security flaws such as default credentials, demonstrated. As the next section shows, this issue is now increasingly being addressed.
New IoT Security Regulatory Compliance Requirements
Over the past few years, there has been a significant expansion of legislation relating to cybersecurity in general, and the security of IoT devices in particular. There are an increasing number of examples of codes of practice and guidelines regarding minimum levels of security for consumer IoT devices, including, for example, not using default or weak passwords and requirements for regular firmware updates.
In some countries, these voluntary guidelines are being replaced with mandatory requirements, and this trend is likely to continue. Other factors include labeling programs. These and many other regulations are discussed in Transforma Insights’ recent “The Regulatory Landscape of the Internet of Things” report and associated regulatory database.
EU Regulation
The EU has several cybersecurity regulations: in 2020, ENISA published IoT supply chain security guidelines covering the entire lifecycle from design to disposal.
In 2022, the European Commission proposed a regulation on cybersecurity requirements for products with digital elements, the so-called “Cyber Resilience Act.” The proposal aims to strengthen cybersecurity rules so that hardware and software products are more secure.
The proposed regulation would require digital products to have cybersecurity appropriate to the risks involved in their design, development and manufacturing.
The NIS Directive is the first EU-wide law aimed at achieving a common high level of cybersecurity across member states. Its extension, NIS2, mandates cybersecurity-related measures for more organizations and sectors.
UK Regulation
In October 2018, the UK’s DCMS, in collaboration with the NCSC, published the Consumer IoT Security Code of Practice, which outlines practical steps for IoT manufacturers and industry participants to improve the security of consumer IoT products and services.
The tougher Product Security and Communications Infrastructure Act 2022 came into force in April 2024. It enables relevant UK Ministers to specify security requirements for internet-connectable products and communications infrastructure available to UK consumers.
These regulations apply to manufacturers, importers and distributors of interconnected products in the UK. Current regulations specify requirements regarding passwords, minimum security updates and statements of compliance.
US Regulations
In the United States, the IoT Cybersecurity Improvement Act of 2020 requires the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) to take certain steps to strengthen the cybersecurity of Internet of Things (IoT) devices.
This gives NIST the authority to oversee IoT cybersecurity risks and mandates it to set guidelines and standards, including the reporting of security issues and minimum security standards. The NIST Cybersecurity Framework (CSF) 2.0, released in early 2024, is a revised version of the original NIST framework.
In September 2022, NIST published NISTIR 8425, outlining the Consumer Profile of the IoT Core Baseline. The standard identifies cybersecurity capabilities commonly required for the consumer IoT sector, including products for home or personal use.
In July 2023, the Biden-Harris Administration launched a Cybersecurity Labeling Program to help Americans choose more secure smart devices. Under the proposed new program, consumers would see a newly created “US Cyber Trust Mark” in the form of a distinctive shield logo that would be applied to products that meet established cybersecurity standards.
The above regulations are just a few of the cybersecurity rules and guidelines related to IoT; similar rules exist in many other countries.
Communications Service Provider Approach
Transforma Insights published the 2024 edition of its Communications Service Provider (CSP) IoT Peer Benchmark Report in July 2024 to identify the key themes that will define the IoT connectivity market, as well as both the leading MNOs and MVNOs for IoT. The report is based on discussions with the top 25 cellular connectivity providers globally and a thorough analysis of their capabilities.
As expected, IoT security was also a prominent theme. All CSPs offered highly secure services, and many offered security as a value-added service. However, broader services related to security and compliance were often lacking.
While most companies recognized the need for improved pre-sales support, few made Compliance as a Service a priority in their customer adoption process.
This is a microcosm of the vendor community as a whole: the individual elements are secure, and there is recognition that customers may be willing to pay extra for additional security.
However, it is relatively rare to find a vendor that takes responsibility for end-to-end security and for compliance with security-related regulations, so it pays to find one that does.
Multi-layered IoT security
IoT security includes protection measures that reflect the complex interconnection of devices, networks, platforms, applications, and enterprise systems. There are five main security layers:
#1: Device
The primary focus is on securing the device itself. Hardening the device to prevent tampering, including the use of non-removable embedded SIM cards (eSIM), is key. Devices must also support Firmware Over-The-Air (FOTA) updates, which require appropriate network technology, storage and processing power. Malware detection is essential at this layer.
#2: Network
While network security is generally robust, especially in mobile networks, vulnerabilities still exist, and IoT applications often span multiple networks, including the public Internet, increasing the risk of exploitation.
Key security measures include device and SIM authentication, network encryption, private APN, network diagnostics, IMEI lock, device isolation, DNS whitelisting, and the deployment of intrusion detection and prevention systems (IDS/IPS).
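As an added illustration (not part of the original article), the following Python checker applies three of the network-layer controls listed above, IMEI lock, DNS whitelisting and device isolation, to constructed session records; the ICCID, IMEI, hostnames and the private APN address range are all made-up assumptions.

```python
"""Toy policy checker for three network-layer IoT controls: IMEI lock
(SIM bound to one device), DNS whitelisting and device isolation.
All identifiers and address ranges below are constructed for illustration."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed allowlists: which IMEI each SIM (ICCID) may be used in,
# which hostnames devices may resolve, and the private APN address range.
IMEI_LOCK = {"8944500012345678901": "356938035643809"}
DNS_ALLOWLIST = {"mqtt.example-iot.net", "fota.example-iot.net"}
APN_RANGE = ip_network("10.20.0.0/16")  # assumed private APN pool


@dataclass
class Session:
    """One device session as a connectivity platform might log it."""
    iccid: str
    imei: str
    dns_queries: list = field(default_factory=list)
    dst_ips: list = field(default_factory=list)


def check_session(s: Session) -> list:
    """Return a list of policy findings; an empty list means compliant."""
    findings = []
    bound = IMEI_LOCK.get(s.iccid)
    if bound is None:
        findings.append("unknown SIM")               # not provisioned at all
    elif bound != s.imei:
        findings.append("IMEI lock violation")        # SIM moved to another device
    for name in s.dns_queries:
        if name not in DNS_ALLOWLIST:
            findings.append(f"DNS not whitelisted: {name}")
    for ip in s.dst_ips:
        if ip_address(ip) in APN_RANGE:
            findings.append(f"device-to-device traffic: {ip}")  # isolation breach
    return findings


# Constructed sample sessions: one clean, one with a SIM swapped into a
# different device that also resolves an unexpected host and scans a peer.
GOOD = Session("8944500012345678901", "356938035643809",
               ["mqtt.example-iot.net"], ["203.0.113.10"])
BAD = Session("8944500012345678901", "490154203237518",
              ["mqtt.example-iot.net", "paste.example.org"], ["10.20.4.7"])

if __name__ == "__main__":
    for label, s in (("good", GOOD), ("bad", BAD)):
        print(label, check_session(s) or "compliant")
```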
#3: Transport
Network-layer security alone may not be enough, especially with cloud providers, which often require Transport Layer Security (TLS) to ensure secure data delivery.
Common measures include IPsec VPNs and private global backbones. IoT SAFE, an initiative from the GSM Association, enables end-to-end secure communication by using the SIM to hold the credentials for mutually authenticated TLS sessions.
#4: Cloud/Data
Whether your data is stored in the cloud or on-premise, you need security measures, including preventing unauthorized access, encryption, access control and data backup/recovery.
Cloud security for IoT also involves managing credentials, access controls, and device SDKs, as well as addressing vulnerabilities in interfaces, APIs, and potential data breaches.
#5: Applications
Application security is important because many vulnerabilities arise due to poorly constructed applications. Developers must make security a priority and ensure that authentication and data privacy are integrated into their application design.
Additionally, we identified a sixth dimension: end-to-end security, which considers the entire system and integrates all layers to optimize protection.
This includes secure application design, anomaly detection across layers, third-party vendor compliance, and robust incident response capabilities to effectively manage cyber threats. These IoT security layers are depicted in the diagram below.
A complex and ever-changing environment
What is clear from the above discussion is that the IoT security landscape is rapidly evolving: the nature and scale of threats are changing, and so are the regulations being put in place to address them.
Approaches from vendors are also evolving and ideally should embrace the multi-level model outlined in the previous section, taking into account end-to-end security.
Transforma Insights recommends looking at security from two perspectives: First, the framework needed to optimize security, which includes sizing the problem, understanding risk capabilities, establishing policies and processes, and managing partners.
The second dimension pertains to the specific tools and capabilities required to address IoT security, which could correspond to device hardening, FOTA updates, features such as private APN, IoT SAFE or IPsec VPN, anomaly detection, automated threat response, remediation, etc. A common goal across frameworks and capability areas is to mitigate risk, respond to breaches, and implement remediation measures.
Learn more
If the topic of IoT security is high on your agenda (and it should be), join us for a webinar hosted by Transforma Insights, Semtech, and Kigen on July 24, 2024. We’ll discuss key security challenges and how best to address them.
This webinar is tailored for IT, technical, and product management leaders from organizations deploying IoT devices and routers in national or global cellular networks, and participants will also have the opportunity to engage with the panelists in a live Q&A session.
Key topics will include an analysis of the latest IoT security threats and regulatory requirements, an approach to end-to-end cellular IoT security covering connectivity hardware, SIMs, mobile networks and cloud infrastructure, and practical expert guidance for protecting your organization from IoT-specific cyber threats. Register here: IoT Security Strategy: Implementing Secure Connectivity Solutions.