https://www.iotworldtoday.com/wp-content/themes/ioti_child/assets/images/logo/IoTWorldToday-mobile-logo.png
  • Home
  • News
    • Back
    • Roundups
  • Strategy
  • Special Reports
  • Business Resources
    • Back
    • Webinars
    • White Papers
    • Industry Perspectives
    • Featured Vendors
  • Other Content
    • Back
    • Q&As
    • Case Studies
    • Features
    • How-to
    • Opinion
    • Podcasts
    • Strategic Partners
    • Latest videos
  • More
    • Back
    • About Us
    • Contact
    • Advertise
    • Editorial Submissions
  • Events
Iot World Today
  • NEWSLETTER
  • Home
  • News
    • Back
    • Roundups
  • Strategy
  • Special Reports
  • Business Resources
    • Back
    • Webinars
    • White Papers
    • Industry Perspectives
    • Featured Vendors
  • Other Content
    • Back
    • Q&As
    • Case Studies
    • Features
    • How-to
    • Opinion
    • Podcasts
    • Strategic Partners
    • Latest videos
  • More
    • Back
    • About Us
    • Contact
    • Advertise
    • Editorial Submissions
  • Events
  • newsletter
  • IIoT
  • Cities
  • Energy
  • Homes/Buildings
  • Transportation/Logistics
  • Connected Health Care
  • Retail
  • AI
  • Metaverse
  • Development
  • Security
ioti.com

Security


Getty Images

Image depicts network big data transfer

9 IoT Security Principles to Help Reduce Your Attack Surface

How to get a grip on IoT security. 
  • Written by Brian Buntz
  • 19th September 2019

Cybersecurity can seem at once like a pervasive and nebulous concern. Every day, there are a variety of headlines describing banks, cities, hospitals, individuals and virtually every other possibly entity that has become a victim of a cyberattack. At the same time, it can be difficult to quantify cyber-risk. Rising numbers of IoT devices compound the risk by creating a larger and more abstract attack surface, making risk-management still more difficult. 

Here, we include security advice from Sean Peasley, a Deloitte Risk and Financial Advisory partner and IoT security pioneer as well as recent research from Deloitte and Dragos, weaving in perspectives from Sara Boddy, director of F5 Labs.

[IoT Security Summit is the conference where you learn to secure the full IoT stack, from cloud to the edge. Visit the website for more information.]

1. Follow a Secure-by-Design Approach

Manufacturers developing connected products need to integrate security into product development as early as possible. “It’s very difficult, if not impossible, to get to the same level of security if you’re trying to retrofit that later in the process in the product development process,” Sean Peasley said. “As organizations develop connected products, they need to understand the [cybersecurity] risks and evaluate those, and then, hopefully, have the appropriate kind of response.”

“Organizations should be thinking of cyber everywhere in the environment,” Peasley said. That includes technologies deployed on-premise in production environments, mobile applications, in the cloud and beyond. 

2. IoT Security Requires Factoring in Third-Party Risk

One of the impacts of the Internet of Things is its tendency to expand organizations’ attack surfaces. “The attack surface has increased almost exponentially from the traditional IT attack surface we had five to 10 years ago,” Peasley said. That is true from a networking perspective, of course, but it also applies equally from a software perspective. Decades ago, cars made little use of software. Now, many cars require more than 100 million lines of code to operate. A carmaker doesn’t write all of this code in house, of course. It stitches it together from myriad suppliers. In addition, as cars become more software-defined, they are becoming more reliant on cloud services. And from a cybersecurity standpoint, carmakers — along with other types of manufacturers — become more reliant on their partners.  

3. Research the Threat Landscape

It’s challenging to get a cohesive picture of the threat landscape by scouring headlines and focusing on your own organization’s recent cybersecurity track record. Two meaningful megatrends from a threat actor standpoint are the recent rise in attacks both from nation-state actors as well as proverbial “script kiddies,” or inexperienced hacker wannabes, as well as young tech-savvy gamers who create malware in their spare time. All of these actors are targeting IoT devices, given their tendency to offer sub-optimal cybersecurity protections. Nation-state-back actors often pave the way with attacks that scrappier hackers can imitate, said Sara Boddy, director of F5 Labs.

4. Have a Security Strategy That Addresses Postmarket and Privacy Risks

For manufacturers, that includes focusing on postmarket cybersecurity of their products. Organizations “can’t just focus on one area because there’s risk in pretty much all of the areas as the company is trying to develop and market their goods, and acquire and manage customers,” Peasley said. 

The same general principle applies to organizations with IoT deployments. The goal of making cybersecurity a fundamental priority is especially vital in operational technology environments. Organizations with OT environments should make sure they can mitigate cybersecurity risks at the earliest stage when deploying connected technology. 

5. Have a Clear Cybersecurity Governance Strategy

Organizations of all stripes should strive to ensure cybersecurity awareness extends across the organization while also selecting a governance model to ensure potential problems are elevated to the appropriate stakeholder. 

For IoT device manufacturers, the responsibility for cybersecurity shouldn’t be solely the focus of an information security department. Given the criticality of such products, manufacturers should ensure that cybersecurity awareness extends across the organization. “Putting the burden on the chief information security officer makes it challenging for the organization to achieve their objectives,” Peasley said. 

6. Cybersecurity Awareness Should Pervade an Organization

Cybersecurity is a team sport. While the CISO can provide cybersecurity leadership to help educate and support other parts of the organization, cyber accountability should extend across the organization — from product designers and engineers to application developers to chief information officers. “We probably see upwards of 80% of CISOs are reporting to CIOs,” Peasley said. And in many cases, CIOs report to the chief executive officer or chief operating officer. Such arrangements can potentially be problematic in organizations where cybersecurity is not a top priority of the top brass. “Knowing that cyber is typically going to be one of the top risks for an organization, especially for those organizations that are developing connected products or that are using connected products in a manufacturing process,” Peasley said, CISOs should help educate the board members, helping them understand the types of risk that need to be addressed. Boards are making progress on this front, Peasley said. “I think boards are starting to get more educated on this. I think it’s taken some time, but they’re, they definitely see [cybersecurity] as a key business risk.” 

7. Ensure the Organization Has Appropriate Cybersecurity Resources

Digging into technical specifics of cybersecurity can have a certain appeal, but security professionals should be able to converse with company executives and other employees in simple terms. They should be able to describe the broad risks the company is facing and the programs it has in place to address those. 

“Boards are definitely seeing cybersecurity as a key business risk,” Peasley said. Senior security professionals should be able to help quantify that risk, which in turn can help shore up support for cyber initiatives, while also determining how to delegate leadership of those initiatives.  

8. Keep a Close Eye on IoT Devices

It may sound like obvious advice, but many organizations aren’t fully aware of all of the IoT devices on their network, which makes it difficult to ascertain if those devices have been breached. The challenge is especially acute in operational technology environments because of the potential of active network scanning to cause problems. “There are some IoT monitoring platforms that can connect to operational environments, and do passive scanning,” Peasley said.

If having an IoT inventory is the first step, gauging the risk individual IoT devices pose and taking steps to minimize that risk is next in line. “How do we monitor for events? How do we remediate technical or security deficiencies in those environments to help ensure that you’re going to meet your risk management goals?” Peasley asked. “There are a handful of things that we suggest they do, like network segmentation, privileged access management, secure remote access and OT monitoring.” 

9. Don’t Forget About Legacy Devices

Some networked devices tend to fade into the background of people’s minds. The humble printer may not register in most people’s minds as a connected device. In many industrial and health care environments, it is not uncommon to see older computers linked to equipment running operating systems like Windows XP or Windows NT.

Tags: Network security Security Features Internet of Things World 2020 Conference Coverage

Related Content


  • Caltech campus
    Robots Could Gain Sense of Touch, With New Artificial Skin
    New design can help businesses determine the presence of hazardous materials, offer greater safety for workers
  • Clearview AI Fined $9.4M Over Facial Data Scraping
    The company was ordered to delete any data it held on U.K. citizens.
  • Microsoft Ramping up Cybersecurity Service Offerings
    Three new managed services will boost the company’s presence in the security space
  • IoT Product Roundup
    IoT Product Roundup: PTC, Nokia, Arm and More
    All the latest Internet of Things products

Leave a comment Cancel reply

-or-

Log in with your IoT World Today account

Alternatively, post a comment by completing the form below:

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Latest News

  • Microsoft Extends Secured-Core Program to IoT Devices
  • Spot the Robot Dog Helps Police Ahead of Boston’s Fourth of July Celebration
  • Unmanned Robotic Combat Vehicle Being Tested
  • Image shows a Close up of lens on black background
    Carnegie Mellon Researchers Invent System to Find Hidden Cameras

Roundups

View all

IoT Product Roundup: Canonical, InfluxData, Wiliot and More

23rd June 2022

IoT Product Roundup: Cisco, Telit, Draganfly and More

9th June 2022

IoT Deals, Partnerships Roundup: Google, Arm, Senet and More

26th May 2022

White Papers

View all

The Role of Manufacturing Technology in Continuous Improvement Ebook

6th April 2022

IIoT Platform Trends for Manufacturing in 2022

6th April 2022

Latest Videos

View all
Image shows Unilever's Alberto Prado at AI Summit 2022 in London

AI Summit 2022: Unilever’s Alberto Prado

Prado talks about how Unilever is using AI to accelerate the speed of new discoveries and gives them access to more breakthrough innovation

Image Shows John Lewis' Barry Panai at AI Summit London 2022

AI Summit 2022: John Lewis’ Barry Panayi on AI in Retail

Panayi talks about data and AI in retail and how individuals and the technology can work together

E-books

View all

How Remote Access Helps Enterprises Improve IT Service and Employee Satisfaction

12th January 2022

An Integrated Approach to IoT Security

6th November 2020

Webinars

View all

Rethinking the Database in the IoT Era

18th May 2022

Jumpstarting Industrial IoT solutions with an edge data management platform

12th May 2022

AI led Digital Transformation of Manufacturing: Time is NOW

9th December 2021

Special Reports

View all

Omdia’s Smart Home Market Dynamics Report

7th January 2022

Cybersecurity Protection Increasingly Depends on Machine Learning

28th October 2020

IoT Security Best Practices for Industry and Enterprise

20th October 2020

Twitter

IoTWorldToday, IoTWorldSeries

🤔 Looking for 3 Strategies to Avoid IoT Key Theft? We’ve got you covered! As tech companies continue to develop an… twitter.com/i/web/status/1…

5th July 2022
IoTWorldToday, IoTWorldSeries

AI Summit 2022: Unilever’s Alberto Prado dlvr.it/STMpRN https://t.co/1dyLREr8N6

5th July 2022
IoTWorldToday, IoTWorldSeries

Seoul Robotics Expands 3D Perception Platform across South America dlvr.it/STMhSV https://t.co/a10l3Eb2Kn

5th July 2022
IoTWorldToday, IoTWorldSeries

Microsoft Extends Secured-Core Program to IoT Devices dlvr.it/STMg4k https://t.co/laBPF5VjC4

5th July 2022
IoTWorldToday, IoTWorldSeries

Spot the Robot Dog Helps Police Ahead of Boston’s Fourth of July Celebration dlvr.it/STKWjb https://t.co/LdRg7a2xqU

4th July 2022
IoTWorldToday, IoTWorldSeries

Another 59,000 @Teslas being recalled over a software glitch affecting the vehicle’s Emergency Call safety system… twitter.com/i/web/status/1…

4th July 2022
IoTWorldToday, IoTWorldSeries

Join us in the premier #tech destination of #Austin this November 2-3 for our next #IoT event. Connect and collabo… twitter.com/i/web/status/1…

4th July 2022
IoTWorldToday, IoTWorldSeries

SoftBank, May Mobility Team on Autonomous Driving dlvr.it/STJrW0 https://t.co/mOYoBsgs14

4th July 2022

Newsletter

Sign up for IoT World Today newsletters: vertical industry coverage on Tuesdays and horizontal tech coverage on Thursdays.

Special Reports

Our Special Reports take an in-depth look at key topics within the IoT space. Download our latest reports.

Business Resources

Find the latest white papers and other resources from selected vendors.

Media Kit and Advertising

Want to reach our audience? Access our media kit.

DISCOVER MORE FROM INFORMA TECH

  • IoT World Series
  • Channel Futures
  • RISC-V
  • Dark Reading
  • ITPro Today
  • Web Hosting Talk

WORKING WITH US

  • Contact
  • About Us
  • Advertise
  • Login/Register

FOLLOW IoT World Today ON SOCIAL

  • Privacy
  • CCPA: “Do Not Sell My Data”
  • Cookies Policy
  • Terms
Copyright © 2022 Informa PLC. Informa PLC is registered in England and Wales with company number 8860726 whose registered and Head office is 5 Howick Place, London, SW1P 1WG.
This website uses cookies, including third party ones, to allow for analysis of how people use our website in order to improve your experience and our services. By continuing to use our website, you agree to the use of such cookies. Click here for more information on our Cookie Policy and Privacy Policy.
X