
How to Secure IoT Device Identities


The following article by Cory Vanderpool, Keyfactor’s Senior Business Development Manager of IoT, was featured as a guest post for IDSA.

Smart machines outnumbering people may sound like the loose plot of a doom-mongering science fiction movie. But the recent explosion in internet-connected devices means we’ve already surpassed the tipping point where devices outnumber people.

IoT Analytics’ latest State of IoT research found there were 12.2 billion active endpoints in 2021 and predicts that figure will grow to 14.4 billion through 2022 and 27 billion by 2025 – compared to nearly 7.8 billion people inhabiting the planet. In addition, we now have more than 400 active Internet of Things platforms accommodating connected vehicles, payment terminals, inventory management and monitoring tools, and more.

It’s critical for organizations and individuals to secure this growing mass of devices and data. However, research by the Identity Defined Security Alliance finds the vast majority of organizations remain unprepared. Their 2022 Trends in Securing Digital Identities study finds that 84% of organizations experience an identity-related breach and, of those, 96% reported that it could have been prevented.

Why device security matters

As internet-connected devices boom in volume, they present a bigger target to cybercriminals. IoT security isn’t only a matter of protecting future devices; it also covers devices that are already in the field and operational. A few examples of IoT device security risks include:

Mirai Botnet: In 2016, the largest-ever distributed denial of service (DDoS) attack targeted domain registration service provider Dyn using an IoT botnet. The attack targeted vulnerable IoT devices like cameras and DVR players and used commonly known default usernames and passwords to infiltrate and infect them with malware. The attack highlighted that it’s not always the obvious devices, such as wearables or smart thermostats, that hackers target. Rather, organizations need to consider the vulnerabilities that exist behind the device and across their broader attack surface.

St. Jude Medical cardiac device attack: In 2017, it was confirmed that cardiac devices manufactured by St. Jude Medical contained vulnerabilities that hackers could exploit. The vulnerability was discovered in transmitters that read device data and shared it with doctors. If hackers gained access, they could run down the battery or induce incorrect pacing or shocks to a patient. This vulnerability is indicative of a lack of cybersecurity measures around medical devices like cardiac monitors and insulin pumps, as well as life-critical machines in hospitals.

Connected vehicles: The vulnerability of connected vehicles was highlighted when Chrysler had to recall 1.4 million cars after hackers proved they could remotely hijack a Jeep’s systems. Modern vehicles contain up to 70 electronic control units (ECUs), including in the engine and transmission, lighting systems, steering, and braking, which use the Controller Area Network (CAN bus) protocol to communicate reliably. However, the protocol was not built with cybersecurity in mind: it has no authentication or encryption to protect the network from attack. Furthermore, many vehicle components are sourced from third-party providers, which further increases the risk. The onus is, therefore, on organizations to go the extra mile to secure devices, but many may not realize they need to.

How to secure IoT devices

As we move to Industry 4.0, which ushers in cyber-physical systems, the IoT, advanced networks, and more, organizations have to manage completely new environments. Security has to be built in from the beginning of a product lifecycle and implemented in devices already in the field to mitigate risk, generate revenue, and sell more products. Cybersecurity technologies that can secure IoT device identities include:

Public Key Infrastructure (PKI): PKI is a system of policies, processes, and technologies for encrypting and signing data and for authenticating devices, services, and users. PKI is ubiquitous in identity management and in securing laptops, smartphones, and servers. However, it hasn’t fully carried over to the IoT and operational technology (OT) world, so edge devices and their communications with gateways, the cloud, and mobile apps often lack authentication, encryption, and integrity protection.

On-device code generation: IoT identity relies on authenticating devices and users at all times. Simple code generation apps or links ensure only authorized and verified users can access corporate resources.

Mutual authentication: In addition to securing devices, businesses also need to safeguard the networks they communicate over and the gateways they access. So it’s important to think not only about the “thing”, but also about what it connects to and how it delivers data. For example, digital certificates enable mutual authentication, in which both the device and the service it talks to prove their identities against a shared root of trust before exchanging data across open networks.

Zero Trust: Businesses are accustomed to a zero-trust approach to securing devices and data. The same concept needs to be applied across industries like healthcare and manufacturing to guarantee device identity security. This ensures that no device or person is trusted or granted access to resources until they have proven that they are who they claim to be.

Offline and limited-connectivity devices: It’s not just obvious devices like laptops and smartphones that need to be protected. Many IoT and OT devices aren’t constantly on or in use and may have limited connectivity. But they can still be vulnerable and give attackers a route into corporate networks, so businesses need to ensure these devices can be authenticated even without an internet connection.
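The PKI, mutual authentication and offline items above describe one mechanism from three angles: a private CA issues each device and gateway a certificate, the two sides verify each other's certificates against the same root when they connect, and a device can validate a certificate with nothing but that pinned root and its own clock. The Go program below is an added example written for this page, not Keyfactor's or IDSA's code; the CA name, the gateway name gateway.example, the device serial device-SN-000123 and the loopback gateway are all constructed, and the root key is generated in memory rather than held in an HSM as it would be in production.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a P-256 key and a certificate for cn. With parent == nil it builds the self-signed
// root every device and gateway is provisioned with; otherwise a one-year end-entity certificate.
func issue(cn string, usage x509.ExtKeyUsage, serial int64, parent *tls.Certificate) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour), // tolerate clock skew between issuer and device
		NotAfter:     time.Now().AddDate(1, 0, 0),
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is supplied
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{usage} // client (device) or server (gateway) authentication
		tmpl.DNSNames = []string{cn}                  // SAN: the name a peer checks this certificate against
		signer, signerKey = parent.Leaf, parent.PrivateKey.(*ecdsa.PrivateKey)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, err
}

// verifyOffline validates a device certificate with nothing but the pinned root and the local clock: no OCSP,
// CRL fetch or network, which is all an intermittently connected device has. Expired, foreign-root and
// non-device certificates (no ClientAuth EKU, e.g. a replayed server certificate) are rejected.
func verifyOffline(device, root tls.Certificate, at time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(root.Leaf)
	_, err := device.Leaf.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// mutualTLS runs a gateway listener and a device client over loopback. Each side presents its certificate
// and verifies the peer's against the shared root; it returns the device CommonName the gateway authenticated.
func mutualTLS(root, gateway, device tls.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(root.Leaf)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{gateway},
		ClientAuth:   tls.RequireAndVerifyClientCert, // no valid device certificate, no connection
		ClientCAs:    pool,
		MinVersion:   tls.VersionTLS12,
	})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	var cn string
	done := make(chan error, 1)
	go func() { // gateway side
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			if err = conn.(*tls.Conn).Handshake(); err == nil {
				cn = conn.(*tls.Conn).ConnectionState().PeerCertificates[0].Subject.CommonName
			}
		}
		done <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{ // device side
		Certificates: []tls.Certificate{device},
		RootCAs:      pool,              // the device trusts only gateways chaining to the same root
		ServerName:   "gateway.example", // must match the gateway certificate's SAN
	})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	err = <-done // the gateway's verdict on the device certificate
	return cn, err
}

func main() {
	root, _ := issue("Example IoT Root CA", x509.ExtKeyUsageAny, 1, nil) // constructed names; errors elided in this demo
	gateway, _ := issue("gateway.example", x509.ExtKeyUsageServerAuth, 2, &root)
	device, _ := issue("device-SN-000123", x509.ExtKeyUsageClientAuth, 3, &root)
	fmt.Println(verifyOffline(device, root, time.Now().AddDate(2, 0, 0))) // expired: rejected without any network
	fmt.Println(mutualTLS(root, gateway, device))                           // device-SN-000123 <nil>
}
```

Run it with `go run`. The zero-trust property from the list above is visible in mutualTLS: the gateway grants nothing until the device has presented a certificate chaining to the pinned root, and the device in turn refuses a gateway whose certificate it cannot verify, so a device credential signed by any other CA ends the handshake with a verification error rather than a connection.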

Securing your IoT devices

New devices like modern cars are designed to increase our safety by preventing us from veering off the road if we get distracted. But the components within these devices are often unsecured, overlooked by traditional cybersecurity methods, or bring new threats that could leave a business vulnerable to cyberattacks.

Cybersecurity strength enables organizations to drive competitive advantage, build trust, and inspire customer confidence. And investing in prevention costs less than the losses suffered as a result of a data breach. Taking action on IoT security also positions organizations as socially responsible, reduces downtime and remediation costs, and boosts company value.