Cybersecure Your IoT

This viewpoint article by Quanterion Solutions’ John Reade was published by the Central New York Business Journal.

Internet of Things (IoT) technologies employ embedded devices to sense, and sometimes control, the physical world around us. They offer several benefits that range from general awareness to improved operational efficiency, or just plain convenience. IoT solutions have supported all of this nation’s critical-infrastructure sectors, from commercial facilities and transportation to food and agriculture, while also proliferating markets for household appliances, climate-control systems, and beyond.

As estimates for world-wide IoT adoption approach nearly 43 billion IoT devices in 2023, it is widely acknowledged that this technology has created an immense (and growing) threat landscape for cybersecurity attacks. Accordingly, IoT security has increasingly become a national priority, dating back to Executive Order (EO) 14028 (2021), “Improving the Nation’s Cybersecurity,” which tasked the National Institute of Standards and Technology (NIST) to initiate programs addressing the cybersecurity capabilities of consumer IoT devices.

The broadened attack surface, which results from the widespread deployment of disparate devices, as well as their respective firmware, operating systems, and wireless-communication protocols, increases the security risk based on the complexity of the connectivity models and the often ad-hoc implementation of these solutions. The ramifications of an exploited IoT device, connection, or cloud service present a significant risk to businesses and consumers alike, with the potential to result in far-reaching intrusions that can laterally impact business systems, sensitive customer data, and/or any number of enterprise infrastructure. Recent high-profile attacks have shown that this not only can happen, but that when it does, recovery costs can run millions of dollars, not to mention the inevitable impact on their brand’s reputation.

While the complexity of the IoT arena can seem daunting, there are a handful of simple strategic protections that can be levied at different levels of the architectural model. The following practices are strongly encouraged within an organization to protect critical information-system assets.

Device: Prior to acquiring and deploying an edge device, research the different manufacturers and the products they offer. The manufacturer’s country of origin and provided support should be considered, in addition to device-specific factors such as the operating system, any onboard software, the use of encryption, etc. When setting up the device, ensure that it has the latest firmware update, and determine the method by which the device can be updated in the future (e.g., wirelessly, serial, etc.).
Connection: There are several wired and wireless-communication technologies that can connect devices to cloud-service providers and user applications. The requirements of each use case should typically dictate which is best suited to the planned implementation. While security tips would ideally be tailored to the selected means of communication, general suggestions involve changing default settings (e.g., access point name, password), employing the strongest encryption methods, and disabling any unused features, ports, etc.
Application: Multifactor authentication (MFA) is a buzzword in the cybersecurity realm for a reason — it is one of the most-effective deterrents because it relies on two or more methods of verification to log into an account. These authenticators fall into the following categories: something you know (e.g., passwords), something you have (e.g., smart cards, authenticator app, or password token), and something you are, (e.g., a thumbprint or facial recognition). Ensuring devices and logins have MFA enabled is one of your best protections for user sign-ins.
Zero-trust security model: A more-complete approach involves the implementation of a zero-trust security model, which replaces legacy-network, perimeter-security strategies by validating each access request while employingstrong authentication and least privilege. The zero-trust model treats every request as if it was coming from a vulnerable open network, which means maximized scrutiny and security are required for each request. This model also enables real-time identification of vulnerabilities to proactively stop cybersecurity attacks before they start.

The implementation of these basic security practices can serve as an effective first step toward securing one’s IoT solutions, whether they include home devices or more significant industrial equipment. Per EO 14028, NIST has more recently released a collection of guidance for both consumers’ and the federal government’s adoption of IoT technologies which provides a more complete set of security safeguards and related considerations. Readers interested in learning more are encouraged to consult the publications provided by NIST’s Computer Security Resource Center (CSRC).

John Reade is IT systems lead at Quanterion Solutions Inc., a Utica–based provider of cutting-edge analytical services, products, and training across a range of disciplines
including cybersecurity; managed-cloud services; reliability, maintainability, and quality; information-systems management; software development; information and knowledge management; and more. Email IoT@Quanterion.com with any questions or to learn more about securing your IoT devices, cloud, or connectivity.

Explore Quanterion Solutions’ cybersecurity services.

Stay connected! Sign up for Quanterion Solutions’ cybersecurity email list to receive industry news, resources, and more.

Find Quanterion Solutions on social media to access cybersecurity resources, tips and more.

Reliability, Maintainability, Quality

Cybersecurity

Knowledge Management

Software Engineering

Consulting

Publications

Data & Tools

Reliability Engineering Training