With increasing integration of IT and OT systems, organizations must develop a comprehensive IoT network strategy to safeguard themselves.
Investments in IoT are increasing at a rapid pace, with experts predicting a CAGR of over 13% between 2020 and 2025. In fact, IoT remains among the top 3 technologies that deep-tech startups are focusing on, with AI and Blockchain being the other two areas. IoT is also among the top priorities for enterprises after AI, thanks to the need to embed sensors in most devices. All this is happening due to the growing need to capture real-time data for crucial, on-the-spot decisions across a range of applications. No wonder the number of IoT devices is expected to cross 29 billion by 2030, double what it was in 2020.
As the number of IoT devices increases, so does the need to protect them against security threats. In fact, according to reports, India is among the top 3 most vulnerable nations in the world when it comes to malware infections of IoT devices being used in smart cities, financial services, and transportation systems. Another key reason for rising attacks is the integration of IT and OT systems, which, if compromised, could cause serious damage.
Organizations therefore can’t afford to take IoT security lightly. What’s needed is a comprehensive approach to enabling tighter IoT security, starting with govt. policies, moving on to a strategic framework and IoT architecture, and finally to seamless tech deployment and management.
How Serious can IoT Attacks be?
IoT attacks increased by 311% last year according to a report by SonicWall, while another report cited a 400% increase in attacks against IoT and OT devices. Many of these were high-grade attacks aimed at causing severe damage. Take, for instance, the malware attack on Nuclear Power Corporation of India’s Kudankulam Nuclear Power Plant. The malware managed to infect the Internet-connected systems in the plant. Luckily, they were only administrative systems, which were not connected to the plant’s control and instrumentation systems. Due to this, thankfully, the malware could not gain access to the plant’s controls. Just imagine the outcomes if it did!
Now imagine the damage that could happen in chemical plants, transport networks, railway networks, industrial manufacturing, etc. that are integrating IT with OT. As more operational technology (OT) platforms converge with information technology (IT) systems, evolving threats like website intrusion, malicious code, distributed denial-of-service (DDoS) attacks, unauthorized network scanning or probing, malware, ransomware, phishing, data breaches, etc., will happen and cause grievous harm to both operations and company reputation.
Even everyday Internet-enabled devices with sensors are a target: security cameras, Wi-Fi routers, fax machines, smart TVs, smart bulbs, microphones in smartphones, printers, smart speakers, Internet-connected gas stations, and even the humble coffee machine or fridge. All these devices could be hacked with malicious intent: spying, stealing credentials for financial fraud, and invasion of privacy for extortion, to name a few. So, the question now is, what should be done about it?
IoT Security Policy Framework
At the topmost level, the govt. has to step in to build a governing policy around IoT, like the IT ministry’s draft roadmap for IoT security released earlier this year. It aims to develop an indigenous security ecosystem for IoT, develop AI-powered self-adapting IoT security, build an IoT sandbox, and collaborate with IoT security working groups to constantly update IoT security policies, to name a few. Two years from today, i.e. by 2026, the govt. also wants to develop an IoT device lifecycle certificate system.
While the govt. is doing its part, enterprises must also develop an IoT security policy by taking a comprehensive view of their overall IoT footprint and then devise a security strategy for it.
Develop an IoT Architecture
IoT implementations can be complex, comprising
Monitor and Plug all IoT Devices
The IoT devices at the edge must also be strengthened. This starts with discovering, monitoring, tracking, and managing all of them to gain better insight into your IoT inventory, remove unused ones, etc. The active ones must be patched with the latest updates to remove potential vulnerabilities so that the network edge remains safe. Change the passwords on all connected devices instead of leaving the default ones supplied by the vendor.
Encrypt and Segment the Network
Besides the devices, unsecured communication between them is another major risk to be addressed. Use the latest encryption protocols to encrypt all data flowing over the IoT network so that it can’t be sniffed out. Another method that should be followed is to segment the network into sub-networks and ensure that the IoT devices are isolated from critical systems and data. This will help you identify unauthorized users trying to gain access from other subnets.
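The segmentation check described above can be automated against flow records. The following is an added example, not part of the original article: the subnet plan, the allowed cross-segment paths, and the sample flows are all constructed assumptions.

```python
import ipaddress

# Assumed segment plan (constructed for illustration).
SEGMENTS = {
    "iot": ipaddress.ip_network("10.20.0.0/16"),
    "critical": ipaddress.ip_network("10.10.0.0/24"),
    "it": ipaddress.ip_network("10.30.0.0/16"),
}

# Assumed permitted cross-segment paths: (src_segment, dst_segment, dst_port).
ALLOWED = {
    ("iot", "it", 8883),      # sensors to an MQTT-over-TLS broker
    ("it", "critical", 443),  # admin workstations to an HTTPS service
}

def segment_of(addr):
    """Map an IP address to its segment name, or 'external' if unmatched."""
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "external"

def audit_flows(flows):
    """Return flows that cross a segment boundary without an ALLOWED rule."""
    violations = []
    for src, dst, port in flows:
        s, d = segment_of(src), segment_of(dst)
        if s == d:
            continue  # intra-segment traffic is outside this check
        if (s, d, port) not in ALLOWED:
            violations.append((src, dst, port, f"{s}->{d}"))
    return violations

# Constructed sample flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.20.4.17", "10.30.0.5", 8883),   # IoT to broker, permitted
    ("10.20.4.17", "10.10.0.8", 502),    # IoT to critical segment, not permitted
    ("10.20.9.2", "10.20.9.3", 80),      # stays inside the IoT segment
    ("10.30.1.40", "10.10.0.8", 443),    # IT to critical, permitted
    ("10.20.4.17", "203.0.113.9", 23),   # IoT to an external host, not permitted
]

if __name__ == "__main__":
    for violation in audit_flows(SAMPLE_FLOWS):
        print("VIOLATION", violation)
```

Any flow it reports means either that the isolation between subnets is not being enforced or that a legitimate path is missing from the documented rules.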
Implement Zero-Trust Policy
Once you’ve grouped the IoT devices into a manageable number of groups, create zero-trust policy rules, which should be defined based on the observed device group’s behavior and activities.
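One way to derive default-deny rules from a device group's observed behavior is sketched below. This is an added example, not from the original article: the group names, hostnames, the baseline records, and the `min_devices` threshold are constructed assumptions.

```python
from collections import defaultdict

def build_policy(baseline, min_devices=2):
    """Derive per-group allow rules from observed (group, device, dst, port) flows.

    A (dst, port) pair becomes a rule only if at least `min_devices` distinct
    devices in the group used it, so one odd device cannot define the policy.
    """
    seen = defaultdict(set)
    for group, device, dst, port in baseline:
        seen[(group, dst, port)].add(device)
    policy = defaultdict(set)
    for (group, dst, port), devices in seen.items():
        if len(devices) >= min_devices:
            policy[group].add((dst, port))
    return dict(policy)

def evaluate(policy, group, dst, port):
    """Zero trust: deny unless the group's rules list the destination and port."""
    return "allow" if (dst, port) in policy.get(group, set()) else "deny"

# Constructed baseline observations: (group, device, destination, port).
BASELINE = [
    ("camera", "cam-01", "nvr.example.internal", 554),
    ("camera", "cam-02", "nvr.example.internal", 554),
    ("camera", "cam-03", "nvr.example.internal", 554),
    ("camera", "cam-02", "ntp.example.internal", 123),
    ("camera", "cam-03", "ntp.example.internal", 123),
    ("camera", "cam-03", "198.51.100.7", 23),  # seen from a single device only
    ("hvac", "hvac-01", "bms.example.internal", 47808),
    ("hvac", "hvac-02", "bms.example.internal", 47808),
]

if __name__ == "__main__":
    policy = build_policy(BASELINE)
    for group, rules in sorted(policy.items()):
        print(group, sorted(rules))
    print(evaluate(policy, "camera", "198.51.100.7", 23))
```

The behavior seen on only one camera never becomes a rule, so it is denied and surfaces for review instead of being learned as normal.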
Conduct Regular Penetration Testing
Lastly, a sure-shot way of testing your IoT network is to evaluate its strength with penetration testing. It will help you identify potential vulnerabilities and test your security policies, regulatory compliance, and risk response speed, to name a few.
With the proliferation of IoT devices, it’s no longer enough to protect devices being used by humans. IoT devices that are all doing machine-to-machine communication require equal attention if not more. This will happen only if organizations develop a proper IoT architecture and keep it updated to ensure all new types of devices being introduced are incorporated and provisioned for.
Cybersecurity has become more important than ever before and requires a proactive approach instead of a reactive one. After all, in today’s real-time world, preventive measures are more valuable than doing the clean-up act after a breach has occurred.
By Anil Chopra
Anil Chopra is Research Editor, Dataquest.
maildqindia@cybermedia.co.in