Modernize Your PKI → Optimize Productivity → Reduce Risks    |Here’s how to replace Microsoft PKI with EJBCA

  • Home
  • Blog
  • Why is the Internet of Things So Hard to Secure?

Why is the Internet of Things So Hard to Secure?

Internet of Things (IoT)

Access to real-time data has immense value for business intelligence. Imagine if a robotic arm on an assembly line could tell you how much energy it’s using, how long it takes to do its job, or when it will need maintenance.

From pacemakers to self-driving cars, devices that were previously siloed are getting connected to the internet. This offers a great deal of value to users and can even save lives in the case of medical devices. But with the added value of interconnectivity comes much greater risk.

Theoretically, the Internet of Things (IoT) infrastructure can be even more secure than that of servers and workstations, as manual processes are often the most vulnerable part of a cloud-based infrastructure. 

But as a new technology facing explosive growth, IoT device security can be a moving target as new technologies, regulations, use cases, and threats emerge. And the stakes are high, as the potential fallout of a data breach in which medical devices, military equipment, personal vehicles, or major public utilities are compromised could be life-threatening.

The Internet of Things is a new world for traditional IT and cybersecurity folks. There are plenty of ways their current expertise can apply to this new IoT revolution, but they’ll have to face some new challenges, as well.

Challenge 1: Meeting the demands of scale

Manufacturing machinery often has to produce hundreds of thousands of units per week, each one with its own certificate and identity. Certs have to be issued as fast as units come off the assembly line. 

Simply maintaining the inventory of all the issued certs, let alone monitoring and updating them, is a major undertaking, especially for certificates with short lifecycles. 

Forty-two percent of enterprises still use spreadsheets to track digital certs manually, and 57% don’t have an accurate inventory of their SSH keys. Consequently, up to 40% of machine identities aren’t being tracked.

Challenge 2: Zero trust

Automotive electronic control units (ECUs), which control in-vehicle safety, drive train, and infotainment systems, are manufactured in a sprawling supply chain with several points of entry that could be exploited by a threat actor. 

And the products of this supply chain are deployed into unknown environments that might employ decades-old security controls. Manufacturers can’t let their product’s security depend on the end user, as a data breach tied to the product can potentially damage the reputation of the manufacturer, even if the breach is ultimately the user’s fault.

IoT technology must take a Zero Trust approach to security for both human and machine identities. This approach, in which rejecting access is the default and access is only granted based on strict criteria, doesn’t just bolt on security as a feature—it bakes it in as a design element throughout the product lifecycle.

Additionally, the device has to integrate with a wide range of adjacent systems, some of which might not adhere to the same rigorous security standards. Regulations and industry standards are still taking shape in the IoT space, so manufacturers face the challenge of tool disparity among these systems. Protecting your products while also making them interoperable can be a tall order.

Challenge 3: Platform limitations

Security is hardly ever a selling point for an IoT device. What matters in the market is how well the product works, how energy efficient it is, cost, etc. IoT product sellers can’t charge customers more for a product by using security as a value proposition. Consequently, manufacturers must take care that security measures don’t adversely impact usability and efficiency.

Security considerations must be interwoven throughout the product development and manufacturing process so that they don’t become clunky add-ons. If security is part of the workflow from the beginning, i.e., “Security by Design,” it will create less friction in the product release cycle and eat into profit margins less.

Challenge 4: Balancing security and functionality

Security is not usually Job #1 in the design process for manufacturing equipment. Clients mainly care about how well the product works, whether it has all of the capabilities they need, and how much it costs. Giving business leaders the ability to oversee operations across the internet is a huge value driver, but everything a device connects to presents a new risk. Balancing security and interconnectivity has to be on a product designer’s mind to prevent the damage to a company’s reputation a potential data breach could cause.

This balancing act can be difficult, especially if the design phase leans toward an Agile or DevOps model. Designers thrive on change and innovation, while security folks find stability in stasis and predictability. Designers may not want another cook in the kitchen, and security leaders may not be flexible enough to compromise.

Challenge 5: Meeting compliance standards

IoT will see tons of evolution in the next few years. New use cases, technologies, and threats will spur new regulations. But if security isn’t a top priority for IoT developers, then compliance will always be a struggle.

Currently, the regulatory environment around IoT security is disjointed. NIST informs regulations in the U.S., but other countries have their own sanctioning bodies and standards. Electric vehicle regulation covers PKI, but those regulations differ from one region to the next. Standards like IEC 62443 are often discussed in comparison to other security standards. California’s SB: 327 law was the first IoT-specific law in the U.S. 

An enterprise releasing a product globally must manufacture that product with security that complies across several regulatory landscapes (e.g., GDPR in Europe, PIPL in China, LGPD in Brazil). These privacy regulations are being expanded to include IoT devices, and some organizations may benefit from specialized consultants who are familiar with all the standards.

Risks of treating IoT security as an afterthought

For most IoT manufacturers, security is not the primary value, but buyers assume that products are secure, and a breach at the device level can diminish customer confidence in a brand and lead to high-profile reputational damage. An aquarium thermometer in a casino allowed a hacker to export 10 GB of undisclosed data out of the country. Breached security cameras gave hackers access to video feeds in Tesla factories as well as jails, police departments, and hospitals. 

On a grander scale, the Stuxnet virus altered the speeds of Iran’s nuclear centrifuges so imperceptibly that humans could not detect the change, bringing the Iranian nuclear program to its knees. 

But it’s not just governments and corporations that can be impacted: from vehicles getting hacked while driving down the highway to home security cameras being compromised to vulnerabilities in IoT pacemakers, cyberattacks on some IoT devices can be directly life-threatening and create fear on the part of consumers.

Because of this, unsecured devices can result in hefty fines and penalties by government regulators. In 2015, the HHS Office of Civil Rights (OCR) announced its first settlement involving a data breach through medical devices in a hospital setting. 600 records were exposed, and Lahey Hospital & Medical Center settled for $850,000. The argument could be made that the OCR is sending a message about bringing devices and systems under the HIPAA compliance umbrella.

The market is expanding

The IoT industry is set to explode across several verticals. According to IoT Analytics, the Global IoT market grew over 22% in 2021, and it is projected to keep increasing at that same compound annual growth rate through 2027. 

There are a lot of growing pains in this relatively new industry, and companies aren’t sure who’s in charge of what when it comes to security. The best security posture will be achieved when design, operations, and security leaders recognize that they all have a stake in IoT device security. The best IoT products will be built by manufacturers that incorporate security and compliance considerations into device design from the beginning.

If you want to dive deeper into the principles of how to secure the Internet of Things, check out our whitepaper Five Guiding Tenets for IoT Security.