Cyberattacks on Internet of Things (IoT) devices are on the rise, with 8 in 10 organizations having experienced an IoT attack. Companies in the healthcare, utilities and industrial, retail and supply chain, wearables, smart home, and connected car markets are the most at risk of an IoT breach. Some of the biggest mistakes organizations make include:
- Lack of a robust IoT security design
- Using insecure hardware
- Failing to implement proper authentication mechanisms and access controls
- Using default (or no) credentials
These mistakes make IoT devices vulnerable to ransomware, Distributed Denial of Service (DDoS) attacks, and data theft. Such disruptions can lead to downtime, huge financial losses, and potential damage to brand reputation.
To prevent these IoT attacks, organizations are increasingly adopting security technologies that build hardware roots of trust. Notable IoT security solutions include Secure Elements (SEs), authentication Integrated Circuits (ICs), Trusted Platform Modules (TPMs), Trusted Execution Environments (TEEs), and Secure Microcontroller Units (MCUs).
IoT Security Trends
ABI Research has observed the following trends shaping the future of IoT cybersecurity:
- Automakers Integrating Hardware Security Modules (HSMs) into Vehicles: As vehicles become increasingly connected, automotive players will adopt robust security technologies that prevent car hacking. Automotive HSMs stand out as a premier IoT cybersecurity solution as they provide a trusted foundation for automotive systems. These small HSMs can encrypt/decrypt data, as well as generate and authenticate digital signatures for securing communications and firmware updates.
- Robust Growth for Medical Device Security: Medical devices contain highly sensitive data, making them a prime target for cyberattacks against healthcare facilities. The government's response is to introduce regulations that ensure data protection at the device level. This will drive further demand for IoT device security.
- Retail and Supply Chain Security Protocols: IoT devices are increasingly essential for inventory management and asset tracking in retail and supply chain operations. As more IoT devices are deployed, strengthening wireless security protocols will become a key focus for organizations.
- Physical Unclonable Functions (PUFs): A popular security technology in the smart card space, PUFs are increasingly used by IoT and industrial manufacturers. PUFs use the microscopic physical differences of each IoT device's hardware to generate a unique cryptographic key and, therefore, an identifier that cannot be cloned.
IoT Device Security Starts at the Hardware Layer
The deployment of IoT devices creates new ways for threat actors to enter an organization’s network. Anything from a medical device to a connected vehicle can be accessed remotely if the proper security solutions are not deployed. The manufacturing sector is a good example, with numerous connected devices and systems used daily in production facilities. If a threat actor manages to hijack an IoT device, they could manipulate device configurations, extract sensitive data, and use the device as a launch pad into the wider network.
Such a cyberattack would create profound risks, extending to worker safety, production volume, and profitability. The same scenario can be applied to utilities, as these environments deploy numerous smart meters, sensors, and other IoT devices. SEs and MCUs are critical technologies for IoT security in these applications. They leverage a hardware root of trust and secure execution processes to secure sensitive data.
In retail, the Point of Sale (POS) terminal is commonly targeted by threat actors who aim to harvest customer data and payment card details. A long list of businesses, including Applebee’s and Wendy’s, have had malware installed on their POS terminals, allowing threat actors to extract sensitive information. SEs are vital to ensure security during financial transactions. The technology is placed directly on the device, providing retailers with tamper resistance. Sensitive information is stored and processed within the SE, ensuring integrity and security for customer data and payment information.
TEEs are another essential solution for IoT cybersecurity. They create a protected execution space to store sensitive data associated with IoT applications. TEEs are increasingly essential in the heavily regulated healthcare sector as governments aim to safeguard customer data. For example, Section 524B(b)(3) of the Federal Food, Drug, and Cosmetic Act (FD&C Act) requires manufacturers of cyber devices to provide a Software Bill of Materials (SBOM) for medical IoT devices. With regulations like these, the healthcare sector is one of the biggest markets for IoT cybersecurity solutions.
Key Steps to Ensure IoT Devices Are Secure
The ever-growing cyberthreat to the IoT has forced device manufacturers/developers to emphasize security for their products. As threat actors evolve and leverage more sophisticated tactics, IoT device manufacturers/developers must also evolve. A robust IoT cybersecurity strategy includes four key steps: a security-first mindset, zero-touch onboarding, zero-trust architecture, and guidance from trusted organizations.
- Integrate Embedded Security from the Start: Security can no longer be an afterthought for device manufacturers. IoT security should be a core foundation of device design. With the guidance of frameworks like the EU Cyber Resilience Act and the US CHIPS Act, IoT device manufacturers must incorporate security hardware and software features into the device architecture.
- Leverage IoT Security Hardware for Zero-Touch Onboarding: Manually onboarding IoT devices carries cyber risks and potential inaccuracy. Alternatively, zero-touch onboarding can be leveraged to provision IoT devices securely. Users can store data (e.g., onboarding credentials) on-device with IoT security solutions like SEs, TPMs, and secure MCUs.
- Adopt Zero-Trust Architecture for IoT Devices: It is clear that zero-trust is set to become the primary doctrine for device design. Zero-trust means no IoT device user is ever trusted, and network access always requires verification. Secure storage technologies like SEs will be essential to implement zero-trust as they can enable access control and authentication measures.
- Take a Cue from Secure IoT Product Design Guidelines: Following National Institute of Standards and Technology (NIST) guidance is essential. NIST leads the way in creating minimum security standards for the IoT, including the NIST Cybersecurity for IoT Program and the U.S. IoT Cybersecurity Improvement Act. The European Union Agency for Cybersecurity (ENISA) is also a good source of guidance, identifying best practices for IoT cybersecurity in Industry 4.0, connected cars, smart hospitals, smart cities, etc.
The cost to resolve a single IoT breach is estimated to be between US$10,000 and US$50,000. These costs can quickly multiply if a comprehensive IoT cybersecurity strategy is not implemented. Organizations will increasingly turn to cybersecurity vendors offering on-device security solutions and demonstrable experience protecting IoT ecosystems.