By Emily Newton, Editor-in-Chief at Revolutionized Magazine
Internet of Things (IoT) technology has become ubiquitous across heavy industries amid rapid digitization. As helpful as this interconnectivity is, it also presents a significant risk that device developers must address. Embedded IoT security must improve before these vulnerabilities cause too much damage.
Rising IoT Attacks
The most obvious driver behind the need for embedded systems security is the growing trend of IoT-targeted attacks. As more businesses embrace these devices, they — often unknowingly — expand their attack surfaces, and cybercriminals have taken note.
There were over 112 million IoT attacks in 2022, an 87% increase over the prior year. That figure has also risen steadily for the past five years and shows no signs of slowing. Criminals have too much to gain from these attacks to stop, and IoT adoption keeps rising.
As this trend persists, failure to improve IoT security will become increasingly damaging. This responsibility falls on more than just IoT users. With IoT attacks being so prevalent, it falls to IoT companies to make their devices more secure by default.
Growing Criticality of Embedded Systems
Adding to the need for embedded IoT security is IoT’s growing importance. In addition to becoming increasingly common, these devices are serving more critical needs. Consequently, their security shortcomings have a far greater impact.
The nation’s energy infrastructure is a great example. Roughly 80% of utility companies have already implemented at least one IoT project, leaving the grid increasingly susceptible to cyberattacks. The 2021 Colonial Pipeline hack proves these fears are more than just theoretical, too.
The IoT has many benefits for critical infrastructure, but without proper security, this shift may create more problems than it solves. Better on-device cybersecurity measures are essential to preventing the worst effects and protecting critical infrastructure.
Current Low Standards
IoT and security haven’t always gone hand in hand, either. Many, if not most, IoT devices on the market today have minimal built-in protections and unsafe defaults. As much as 98% of all IoT traffic is unencrypted.
Low industry standards leave embedded systems security in the hands of the users. Implementation measures like segmentation, multi-factor authentication (MFA) and real-time network monitoring can help, but many users don’t understand the need for these protections.
This risk is particularly dangerous when considering the organizations most likely to experience IoT attacks are those with the least IT experience. Manufacturers suffer 27% of all cyberattacks, likely thanks to their rapid IoT expansion and minimal experience in securing these systems. User-side protections are important, but embedded IoT security must improve for people to stay safe.
Embedded IoT Security Best Practices
Thankfully, the tide is changing. As these risks rise and new regulations emerge, the IoT industry is shifting toward a stronger default security posture. While each embedded systems environment presents unique challenges, there are a few best practices that will help secure any IoT device or network.
Supply Chain Security
Better embedded systems security starts with the supply chain. Many of these devices rely on third-party hardware and software, so any vulnerabilities in the parties making these components affect end user safety. More worryingly, attacks capitalizing on this risk were twice as high in 2023 than in all previous years combined.
IoT manufacturers must hold their vendors to higher standards and inspect all elements before implementing them. Similarly, businesses should only use IoT devices from suppliers with stronger supply chain security measures. The new Cyber Trust Mark will help identify these devices.
Encryption
Encryption is another non-negotiable step in embedded IoT security. All IoT traffic must be encrypted. Achieving that is impossible if it’s solely up to users to enable this feature, so IoT devices must come with it turned on by default.
Of course, there are many ways to encrypt sensitive data. AES algorithms are among the most common and higher AES tiers are sufficient for most IoT applications. However, the rise of quantum-as-a-service could render conventional techniques like this virtually useless. The NIST has already identified quantum-proof encryption methods worth looking into for more sensitive applications, both as a developer and a user of IoT technology.
Stronger Access Controls
Access controls have been the focus of much discussion around the IoT and security. Lateral movement is the IoT’s primary cybersecurity risk, so ensuring embedded systems are as difficult to access as other, more sensitive devices is crucial. Requiring MFA by default is a good start, but both developers and users can go further.
The practice of automatically connecting to devices on the same network by default should end. Similarly, embedded systems should verify the devices they connect to through cryptographic keys or similar authentication methods. Verification is also only effective if these devices can block and report suspicious activity, so threat detection and alert software are also necessary.
Secure Updates
IoT update practices must also improve. Regular updates are key to ensuring embedded systems have the latest protections, but over-the-air (OTA) update schemes also introduce the risk of malicious updates. The infamous SolarWinds attack affected nearly 18,000 parties by this means.
On the user side, update security means enabling automatic firmware updates. On the dev side, it means equipping embedded systems with a means of verifying updates before installing them. Digital signatures and hashing are both effective solutions to this issue.
The IoT Needs Better Embedded Systems Security
Embedded IoT security today falls far below where it needs to be. The organizations using this technology and those developing it must both embrace higher standards to prevent widespread damage from IoT attacks.
Securing embedded systems can be challenging, but it’s not impossible. If devs and their users follow these guidelines, the IoT can grow without exposing critical infrastructure to too much cyber risk.
Emily Newton is the Editor-in-Chief at Revolutionized Magazine. A regular contributor to Brilliance Security Magazine, she has over four years of experience writing articles in the industrial sector.
.
.
Follow Brilliance Security Magazine on Twitter and LinkedIn to ensure you receive alerts for the most up-to-date security and cybersecurity news and information.