The Internet of Things (IoT) has gained popularity as more and more households and businesses embrace the use of interconnected devices. IoT devices provide convenience, automation, and insights that were unimaginable just a decade ago. However, this connectivity also comes with significant cybersecurity risks that must be noticed, and one must ensure securing IoT devices.
Why is there a need for securing your IoT devices?
The IoT market is expanding at a breakneck pace, with analysts predicting there will be over 30 billion connected devices worldwide by 2025. From smart homes to industrial IoT, network-enabled devices are being rapidly adopted across the board.
While IoT devices provide game-changing value, they also dramatically expand the attack surface. Most IoT devices lack basic security features, making them soft targets for cybercriminals. Flawed IoT security has already led to major botnet attacks like Mirai, which infected over 600,000 IoT devices to take down internet infrastructure.
Securing IoT devices is not just an IT issue. It is now paramount to risk management and business continuity planning. In this guide, we will provide pragmatic tips and strategies that can be deployed to harden IoT device protection and prevent attacks.
How to Secure IoT Devices
IoT is revolutionizing every industry. Amidst such growth, securing IoT devices necessitates employing a strategy that encompasses layers of security at the device, network, and system levels. The following actions must be performed:
Change Default Credentials
Most IoT devices are shipped with default, publicly known passwords that are never changed by end-users. This results in millions of IoT devices still using credentials like ‘admin/admin’ or ‘1234’, making them trivial to hack.
- Change default credentials to strong, unique passwords for every device
- Leverage a password manager to generate and store complex passwords
- Ensure passwords are changed from defaults on all IoT devices
- Multi-factor authentication using physical security keys provides stronger IoT device protection than SMS or app-based MFA. NFC security keys are ideal for IoT.
Install Updates/Patches
IoT devices frequently need more basic software security hygiene. They do not automatically install security updates and patches, which leaves them vulnerable when new threats emerge.
- Enable auto-updates wherever possible.
- Regularly check for and install new firmware releases
- Some critical patches may require device replacement if no patch exists
- Default update schedules should push patches monthly at a minimum for high-priority CVEs. Devices cannot rely on users to manually update.
Isolate IoT Network Segment
Home and enterprise networks should have separate SSID and VLAN for IoT devices. This limits lateral movement for malware-containing infections and helps to secure IoT devices.
- Spin up a separate WiFi network just for connected devices
- Use VLANs to isolate IoT devices in enterprise environments
- Limit communication between IoT and business networks
Encrypt Network Traffic
IoT devices often use plain text communications, exposing data like credentials and personal information. Encrypting traffic closes this security gap.
- Mandate WPA2 WiFi encryption.
- Use SSH instead of Telnet for device administration
- Deploy virtual private networks (VPNs), IPsec where feasible
Disable Unused Features
Reduce the attack surface by turning off any unused services and features on connected devices. These can become security liabilities.
- Switch off Bluetooth if not required.
- Turn off remote administration over the internet
- Disable Universal Plug and Play if not needed
IoT Device Protection Strategies
Defense-in-depth is required to address IoT security challenges stemming from devices, data, networks, and people. Key strategies to secure IoT devices include:
Endpoint Protection
- Antivirus/antimalware tools for endpoints like security cameras
- Intrusion detection and prevention systems (IDS/IPS)
- Server-level sandboxing techniques can isolate processes
Network Monitoring
- 24/7 monitoring for network anomalies like DDoS
- Next-gen firewalls that can identify IoT traffic anomalies
- Web application firewalls (WAF) to prevent attacks
Access Controls
- Multifactor authentication for device and user accounts
- Role-based access control (RBAC) for restricting account privileges
- Block outdated device protocols like Telnet/FTP/SNMP
Data Protection
- Encrypt data in transit and at rest
- Anonymize/mask data where possible to prevent misuse
- Backup of critical data as restoration may be needed after an attack
Vulnerability Management
- Continuous vulnerability scanning of all devices
- Hardware disposal procedures to wipe devices when retiring
- Patching critical vulnerabilities as a priority
People Processes
- Vet supplier relationships and ensure contracted devices meet baseline security requirements.
- Establish an IoT asset inventory and approval process for any new connections to the environment.
- Designate an IoT security lead or team responsible for monitoring threats, coordinating patches, and enforcing policies.
Secure IoT Devices Best Practices
Here are additional tips that can be applied to understand how to secure IoT devices:
Smart Home Devices
- Separate your smart home devices on their network
- Use a next-generation router like Google Wifi with built-in security
- Enable multi-factor authentication (MFA) for device accounts
- Enable two-factor authentication using physical security keys for all administrator accounts on IoT hubs and apps.
- Configure automatic privacy controls to restrict voice assistant access when users are not home.
Industrial IoT
- Audit ICS network segmentation to contain breaches
- Enforce device authentication via certificates
- Deploy specialized IDS/IPS tuned for ICS environments
- Perform manual penetration testing of operational networks
Healthcare IoT Devices
- Monitor connected medical devices for HIPAA compliance
- Encrypt patient health data end-to-end
- Require medical device vendors to sign cybersecurity terms
- Maintain a full asset inventory of all connected devices
Retail IoT
- Physically lock down unattended payment terminals
- Isolate payment networks from the rest of the corporate network
- Install end-to-end encryption for cardholder data
- Maintain patch levels and AV protection on POS endpoints
Smart Cities
- Train operational staff on cyber risks from IoT
- Segment traffic light networks from the rest of smart city IT
- Authenticate city services based on device identity
- Federate identity management across departments
Adoption of IoT Security
IoT adoption provides immense opportunities for businesses and consumers. Taking a proactive approach to knowing how to secure IoT devices, isolate networks, monitor traffic, and protect data is critical.
Implementing the actionable tips and best practices outlined in this guide will go a long way in bolstering IoT security. However, it requires ongoing vigilance. As threats and technologies rapidly evolve in space, IoT cybersecurity must be treated as an ongoing journey – not a one-time project.
At Avigna, we are passionate about IoT. Join our mission of building a connected world by reaching us at queries@avigna.ai. Connect with us on LinkedIn.