Having seen the damage caused by recent ransomware, malware and other cyberattacks, like last year’s WannaCry attack, enterprises are moving cyber security and resiliency to the top of their priority lists (if they were not there already). This is especially true for enterprises building or managing IoT applications. IoT cyberattacks like the Mirai botnet attack in 2016 – which used IoT devices to launch distributed denial-of-service (DDoS) attacks – are raising both consumer and business customers’ fears regarding the security of the IoT.
When it comes to IoT cybersecurity, IoT devices are very similar to other internet-connected devices, but also come with their own unique security challenges. For example, IoT devices are often physically located in remote or unsecure places beyond the normal IT security perimeter, making them more vulnerable to tampering than many other internet-connected devices. Many IoT devices are also designed for long lifecycles (up to 15 years), which means they can become increasingly vulnerable over time if they are not updated with new firmware. In addition to these physical and firmware update challenges, IoT devices are frequently designed to run unattended with little user interaction. This can make it harder to detect a successful intrusion as, outwardly, everything about the device might appear to be fine.
One way to address these unique challenges is to only use IoT solutions that come with high levels of built-in security. However, even the strongest safe will not stop a robber if the owner forgets to lock it, and even the most secure IoT solutions are vulnerable if enterprises do not follow both general cybersecurity best practices and the best practices that address the specific security challenges of the IoT. While not comprehensive (one could fill a book with all the techniques that can be used to make an IoT application more secure), here are five key best practices enterprises can adopt to significantly lower the risk of a successful attack on their IoT infrastructure.
While not unique to the IoT, given its importance it bears repeating that, as with any internet-connected device, enterprises should ensure that all of their IoT devices are configured with strong, unique passwords. According to the annual 2017 Verizon Data Breach Investigations Report, 81 percent of hacking-related breaches succeeded through stolen or weak passwords. Yet many enterprises continue to use the default passwords that came with their devices, or, in cases where the device makes them create a new password, use basic ones – such as “password” or “123456.” To learn more about how to create strong passwords, enterprises should look to experts such as the National Institute of Standards and Technology.
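A fleet-wide check for the problems described above (default, common, short or reused passwords), as an added example that is not part of the original article or of any Sierra Wireless tool. The device IDs, passwords, blocklist entries and the 12-character minimum are constructed assumptions.

```python
from collections import defaultdict

# Constructed blocklist: the two weak passwords the article names plus a few
# typical factory defaults (assumed values, not taken from any vendor list).
BLOCKLIST = {"password", "123456", "admin", "12345", "default"}
MIN_LENGTH = 12  # assumed policy value; set to your organisation's standard


def audit_fleet(inventory, blocklist=BLOCKLIST, min_length=MIN_LENGTH):
    """Return {device_id: [findings]} for every device that fails a check.

    inventory: iterable of (device_id, password, factory_default) tuples.
    """
    findings = defaultdict(list)
    seen = defaultdict(list)  # password -> device ids, used to detect reuse

    for device_id, password, factory_default in inventory:
        if password == factory_default:
            findings[device_id].append("factory default still set")
        if password.lower() in blocklist:
            findings[device_id].append("on common-password blocklist")
        if len(password) < min_length:
            findings[device_id].append(f"shorter than {min_length} characters")
        seen[password].append(device_id)

    # "Unique" means unique per device: one leaked password must not open the fleet.
    for device_ids in seen.values():
        if len(device_ids) > 1:
            for device_id in device_ids:
                others = [d for d in device_ids if d != device_id]
                findings[device_id].append("shared with " + ", ".join(others))
    return dict(findings)


# Constructed sample inventory (hypothetical device ids and passwords).
SAMPLE = [
    ("gw-001", "admin", "admin"),
    ("gw-002", "123456", "admin"),
    ("gw-003", "Tr0ub4dor-fleet-2018", "admin"),
    ("gw-004", "Tr0ub4dor-fleet-2018", "admin"),
    ("gw-005", "kX9#vLq2!mZr7@pW", "admin"),
]

if __name__ == "__main__":
    for device, issues in sorted(audit_fleet(SAMPLE).items()):
        print(device, "->", "; ".join(issues))
```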
IoT device vendors regularly update the firmware on their devices to apply security patches and bug fixes. These security patches and bug fixes are typically a response to detecting vulnerabilities in a device – vulnerabilities that are often known to the public or published on the dark web. This means that failing to apply a firmware update when it’s available may leave a device vulnerable to a known attack – essentially creating an invitation to be hacked. Moreover, in addition to addressing vulnerabilities, these firmware updates can often add new security capabilities that enhance a device’s ability to detect or fend off an attack.
Many IoT devices come with more features and capabilities than are required for a particular use case. Unused features are not necessarily more vulnerable than active ones, but they do increase the potential attack surface on the device. Enterprises can reduce this attack surface by disabling all features that aren’t being used. For example, enterprises that use the AirLink® Management Service (ALMS) to administer their devices should turn off remote access to the device’s web-based UI. Turning off unused services in this way will eliminate the chance that hackers can exploit current and future vulnerabilities that affect the disabled feature.
A surprising number of enterprises are not using all of their devices’ security functionality, such as the built-in firewall, to restrict access to enabled services. Built-in firewall functionality enables administrators to limit the types of traffic that pass through the device. Enterprises should allow only expected traffic to be sent and received. This functionality helps block any unwanted traffic that might represent an attack.
If your device does not have a built-in firewall, strongly consider the use of a private network option from your connectivity provider to make sure that it is not exposed to the public internet.
Using a management system to monitor activity provides enterprises with improved functionality and insights, allowing them to better secure their devices. For example, ALMS supports over-the-air device configuration and software updates, making it easier for enterprises to make firmware updates that include security updates, bug fixes and new security capabilities. In addition, ALMS features interactive monitoring dashboards and maps that show the status, signal strength, data usage and location of all registered AirLink gateways. If this information indicates malicious activity, enterprises can then take action to fend off an attack or recover from a successful breach. With ALMS, users can more easily update their devices’ firmware and keep a finger on the pulse of their IoT devices’ activity, helping them better prevent, detect and react to attacks.
IoT cybersecurity is hard, and the unique challenges of the IoT make it even harder. Though it is impossible for enterprises to make themselves 100 percent secure, those that make cybersecurity a priority by choosing IoT solutions with strong built-in security and continually following the five IoT security best practices above can significantly reduce the probability of a successful attack.
As a company committed to making the IoT as secure as possible and with more than 20 years of experience managing remote and mobile devices across a wide range of industries where security is a core requirement, Sierra Wireless can serve as your trusted partner on IoT security. You can find the latest security updates and information on our website. We encourage all users with AirLink gateways and routers that are reachable from the public internet to contact us for a complimentary security assessment at 1-877-552-3860, 6:00 a.m. – 5:00 p.m. Pacific Time, Monday to Friday.
Start with Sierra to find out more about how Sierra Wireless’ device-to-cloud solutions and smart connectivity services empower enterprises to implement security best practices that enable them to better protect their IoT devices and applications and thrive in the connected economy.