IoT devices have evolved quite a bit since the first network-connected vending machine was invented in 1982. In 2024, the potential of IoT innovation is nothing short of transformative.
But along with opportunity comes risk. Each individual connected device presents a potential access point for a malicious actor. At scale — electronic shelf labels deployed by a grocery store chain, or smart boards deployed across a school district, for example — the attack surface swells to an untenable dimension. That’s part of the reason why IoT attacks grew 400% from 2022 to 2023.
When devices are embedded in business processes, like a connected robotic arm on a factory floor, each one represents a potential point of failure that can cause downtime and diminish productivity.
Many organizations, including device manufacturers and organizations leveraging those devices, aren’t sure where to begin regarding IoT security strategy. That’s why Keyfactor compiled its first-ever global IoT security report, Digital Trust in a Connected World: Navigating the State of IoT Security.
The report shows how organizations and device manufacturers are thinking about and strategizing for IoT security.
As security leaders look ahead to 2024, the report reveals three resolutions they can take to start improving IoT security, regardless of where they are in their security journey.
Resolution 1: Make certificate outages a thing of the past.
Digital certificates play a big part in how IoT devices function. A certificate is built into every device. When that device turns on for the first time, the certificate lets the device know it can trust the manufacturer’s server or API. Note – this is a drastic simplification, as there are many critical functions that are performed through the certificate handshake.
But if the certificate expires, the device no longer knows what to trust. In response, it trusts nothing and essentially ceases to work.
The State of IoT Security report shows that 98% of organizations experienced a certificate-related outage in the past 12 months. For the average device manufacturer, these outages caused losses of more than $2.25 million.
These types of outages are symptoms of a deeper mismanagement of certificate lifecycles.
As devices grow in volume and usage, getting a handle on certificate management is crucial. The solution is to centralize certificate management into a single, universal hub, and then automate the discovery, monitoring, revocation, and re-issuance of certificates.
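The monitoring step above, as an added example that is not Keyfactor's code: a fleet audit that reads each device certificate's NotAfter and flags it for re-issuance inside a renewal window, so it is replaced before expiry turns into an outage. The self-signed certificates are constructed in memory to stand in for factory-provisioned device identities; the device IDs and 30-day window are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeDeviceCert builds a constructed, self-signed certificate expiring at
// notAfter, standing in for the identity provisioned into a device at the factory.
func makeDeviceCert(deviceID string, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: deviceID},
		NotBefore:    notAfter.Add(-365 * 24 * time.Hour),
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Renewal states: re-issue "renew-soon" devices while they can still authenticate.
const (
	StateOK      = "ok"
	StateRenew   = "renew-soon"
	StateExpired = "expired"
)

// classify compares NotAfter with now; anything within renewBefore of expiry is
// flagged so the certificate is replaced before the device stops trusting anything.
func classify(cert *x509.Certificate, now time.Time, renewBefore time.Duration) string {
	switch {
	case !now.Before(cert.NotAfter):
		return StateExpired
	case now.Add(renewBefore).After(cert.NotAfter):
		return StateRenew
	}
	return StateOK
}
```

Run classify over every certificate in the inventory on a schedule and feed the "renew-soon" set to the re-issuance workflow; the "expired" set is the outage list.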
Resolution 2: Define what IoT security looks like and requires for your organization.
IoT vulnerabilities can be somewhat of a blind spot for organizations.
The IoT report shows only 43% of organizations believe they are “as protected as they can be” from IoT attacks, while 56% agreed that their organizations lack the proper awareness and necessary expertise to prepare for IoT attacks.
Organizations that lack confidence in defending their IoT devices should gain visibility into the state of IoT security within the enterprise.
Product designers and manufacturers should create policies that consider security at the very outset of the project, rather than tacking on security at the end.
IoT devices come with finite resources — power consumption, processing power, budgetary restraints, etc. Considering the security demands at the beginning can inform product design in terms of hardware, chip selection, and other factors, which creates more space for security controls within the limits of the device.
Organizations leveraging IoT devices should work to achieve visibility by identifying how many devices are connecting to the network. From where are they connecting? Who operates them? Which teams use IoT devices, and which devices are they using?
From there, organizations can identify gaps and make a plan to reduce their unique risks. Understanding these particularities can inform the search for vendors and partners who will provide the most value to the organization.
Once organizations understand the dynamics of their own IoT landscape, they can identify gaps and make a plan to address them.
In the 2023 Gartner® Hype Cycle™ for Digital Identity, organizations can find identity-first best practices to make smarter technology decisions.
Organizations that accomplish visibility by centralizing device identities are better informed in creating their approach to IoT security and implementing policies that maintain that security.
Resolution 3: Get ahead of emerging IoT regulations.
Governments and regulating bodies are forming a consensus that IoT security is a shared responsibility. End users must adopt basic security hygiene; organizations must adopt tools and architect systems that support security; and device designers and manufacturers must take greater care to engineer devices that are more secure by design.
That consensus is slowly but surely distilling into policy.
- The EU’s Cybersecurity and Cyber Resilience Acts put forth legislative frameworks that, among many objectives, set certification standards for digital and connected devices.
- In June of 2023, the White House directed agencies to prioritize technologies that were secure by design. This falls in line with the pillars of the Biden administration’s broader cybersecurity strategy released in the spring of 2023.
- While there is no hard law demanding device security, the Biden administration enacted a cybersecurity labeling program to designate smart products that resist attacks.
- The Matter standard seeks to standardize smart home devices around a universal protocol, which will cut complexity and enable manufacturers to get products to market faster. The Matter standard also lays out strict security requirements for devices.
Ninety-eight percent of respondents in the IoT report said regulations have an impact on their development of IoT and connected products. It’s only logical to assume that legislation and standards impose greater responsibilities on organizations that use and manufacture connected devices.
In the face of unpredictability, crypto-agility sets organizations up for success.
Historically, adapting to new cryptographic standards and algorithms has been anything but easy. However, as digital technologies, machine identities, and connected devices have become more pervasive, solutions and methodologies that empower organizations to adapt smoothly to new demands have evolved.
In the IoT and machine identity context, this is known as crypto-agility. Crypto-agility allows organizations to respond quickly to authentication and certificate issues, manage machine identities at scale, and change out cryptographic algorithms fluidly.
As organizations keep their ear to the legislative ground regarding emerging regulations, they should also build crypto-agility within the organization. On top of the centralization, automation, and strategy represented in our two earlier resolutions, organizations can roadmap to the next phase of their evolution and tie security more tightly to innovation.
Bridging the physical and digital worlds – securely
For many organizations, IoT security is a challenge of “unknown unknowns.”
Once a device leaves the assembly line and is sold to an end user, there’s no telling what kind of environment that device may find itself in. Device manufacturers said their biggest challenges in securing the devices they produce are:
- The inability to quantify the threat impact of third-party IoT devices
- The lack of visibility and management of devices
Though budgets for IoT devices are increasing, 52% of those budgets are at risk of being diverted to cover the cost of IoT breaches and attacks.
Now and in the future, organizations cannot afford inadequate IoT security. It must be prioritized. Ensuring that product security is managed throughout the entire lifecycle is vital to mitigating new threats arriving through new attack vectors.