IoT security—an overview
Protect your data and devices across the Internet of Things.
What is IoT security?
The Internet of Things (IoT) can drive huge economic opportunities for industries and enable exciting innovations that reach across fields from childcare to eldercare, from healthcare to energy, from manufacturing to transportation. Diverse IoT in smart places—everything from remote monitoring, predictive maintenance, and smart spaces to connected products and customer-facing technologies like mobile apps—can reduce operational complexity, lower costs, and speed up time to market.
With technology pundits and analysts predicting even more expansive use of IoT devices and apps in the future, along with ever-evolving devices, services, and apps that touch the IoT space, organizations are often eager to take advantage of the business benefits. However, many companies are right to be cautious in their pursuit of the benefits of IoT solutions due to very real IoT security concerns. IoT deployments pose unique new security, privacy, and compliance challenges to businesses worldwide.
While traditional information cybersecurity revolves around software and how it is implemented, security for IoT adds an extra layer of complexity as the cyber and the physical worlds converge. A wide range of operational and maintenance scenarios in the IoT space rely on end-to-end device connectivity to enable users and services to interact, login, troubleshoot, send, or receive data from devices. Companies may want to take advantage of IoT efficiencies like predictive maintenance, for example, but knowing what IoT security standards to adhere to is essential, because operational technology (OT) is too important and valuable to risk in the event of breaches, disasters, and other threats.
What's the security concern with IoT?
Although IoT devices may seem too small or too specialized to be dangerous, there is real risk in what are really network-connected, general purpose computers that can be hijacked by attackers, resulting in problems beyond IoT security. Even the most mundane device can become dangerous when compromised over the internet—from spying with video baby monitors to interrupted services on life-saving health care equipment. Once attackers have control, they can steal data, disrupt delivery of services, or commit any other cybercrime they'd do with a computer. Attacks that compromise IoT infrastructure inflict damage, not just with data breaches and unreliable operations, but also physical harm to the facilities, or worse—to the humans operating or relying on those facilities.
Protecting employees, customers, valuable operational technologies, and business investments with enhanced security for IoT infrastructures needs to take an end-to-end approach, using the right IoT technologies and protocols. Experienced IoT cybersecurity companies recommend a three-pronged approach to protect data, devices, and connections:
- Secure provisioning of devices.
- Secure connectivity between devices and the cloud.
- Securing data in the cloud during processing and storage.
What else should I consider with IoT security for devices?
Concerns around security for IoT are also driven by:
Device heterogeneity or fragmentation
Many companies use a large number of different devices running different software, using different chips, and may even use different methods to connect. This is what's known as device heterogeneity and it creates a challenge to update and control all your different connected devices. For organizations with production IoT deployments, all these different devices create complexity—but software solutions do exist to simplify this process.
Connection to valuable operational technology
Many businesses would love take advantage of the business benefits of connection, but can't risk the losses of revenue, if facilities are attacked and go down, even a few days. The good news is that there are trusted IoT cybersecurity companies that offer software solutions to help protect against attacks.
Challenges with the security of legacy devices
Some devices were designed before IoT existed and any connection was even possible. These devices have never been "hardened," the process for identifying and eliminating or mitigating vulnerabilities. Many other legacy devices are inexpensive or not designed with specific IoT security in mind, so they lack IoT cybersecurity features despite good intentions of the manufacturer.
How do IoT attacks happen?
Because this new IoT connectivity covers such a large and often unfamiliar attack surface and IoT devices and apps can hold massive troves of personal, operational, and corporate data, IoT security pros need to go beyond the traditional information security requirements of confidentiality, integrity, and availability.
IoT cybersecurity pros are of course concerned with data breaches and other cyberattacks. But, because an IoT vulnerability has the potential to cause life-threatening physical danger or shutdown of profit-making operations, they must especially concern themselves with securing connectivity, device hardening, threat monitoring, and security posture management, as well as securing data on the backend in the cloud.
Understanding IoT cybersecurity starts with a threat model
Threat modeling with programs such as Azure Digital Twins is used by many IoT security companies to understand how an attacker might be able to compromise a system and then make sure appropriate measures are in place to prevent or mitigate an attack.
IoT cybersecurity attacks can threaten:
Device heterogeneity or fragmentation
Processes—threats to processes both under your control, such as web services, and threats from external entities, such as users and satellite feeds, that interact with the system, but are not under the control of the application.
Connection to valuable operational technology
Communication, also called data flows—threats around the communication path between devices, devices and field gateways, and device and cloud gateway.
Challenges with the security of legacy devices
Storage—threats to temporary data queues, operating systems (OS), and image storage.
IoT attacks can be broadly categorized in five different areas: spoofing, tampering, information disclosure, denial of service, and elevation of privilege
Here are just a few examples of threats to your IoT infrastructure.
Spoofing, Information Disclosure
- An attacker can manipulate the state of a device anonymously.
- An attacker may intercept or partially override the broadcast and spoof the originator (often called man-in-the-middle or MitM attacks).
- An attacker can take advantages of the vulnerability of constrained or special-purpose devices. These devices, which often have one-for-all security facilities like password or PIN protection, or rely on network shared key protections. When the shared secret to device or network (PIN, password, shared network key) is disclosed, it is possible to control the device or observe data emitted from the device.
Information Disclosure
- An attacker may eavesdrop on a broadcast and obtain information without authorization or may jam the broadcast signal and deny information distribution.
- An attacker may intercept or partially override the broadcast and send false information.
Tampering
- An attacker can tamper with any physical device—from battery drainage vulnerability or “sleep deprivation to random number generator (RNG) attacks made possible by freezing devices to reduce entropy.
- An attacker may partially or wholly replace the software running on the device, potentially allowing the replaced software to leverage the genuine identity of the device if the key material or the cryptographic facilities holding key materials were available to the illicit program.
Information Disclosure
Denial of Service
Elevation of Privilege
How do I evaluate my IoT security?
Learn how to approach the new threats and consequences facing your business with the e-book, Evaluating Your IoT Security, from Microsoft.
Learn the most likely threats
Consider the most relevant threats to your IoT infrastructure—whether they're cyber or physical threats. To best understand security for IoT, examine threats to data storage, cloud services, operating systems, IoT apps, various network technologies, backup services, and monitoring, as well as threats to physical devices, sensors, and the control systems that keep devices functioning properly.
Understand your risks
Review the consequences of the threats you’ve identified and decide what your business cares about most. Prioritize in order of concern and eliminate consequences not relevant to your business scenarios.
Select evaluation strategies
Choose the security evaluation approach that provides the most value and addresses risk scenarios of IoT security attacks—based on the unique threats and consequences to your business that you’ve identified.
Consider the advice of experts
IoT security maturity modeling provides a path for communicating with business stakeholders and is a great way to build support to move forward with a comprehensive IoT security roadmap.
What steps can I take to secure my IoT deployments?
Simplify security for IoT complexity
Integrate across teams and infrastructure to coordinate a comprehensive approach, from the physical devices and sensors to your data in the cloud.
Prepare for IoT security specifically
Consider resource-constrained devices, geographic distribution of deployments, and the number of devices within an IoT security solution.
Get smart about security analytics and remediation
Monitor everything connected to your IoT solution with security posture management. Stack rank the suggestions based on severity to decide what to fix first to reduce your risk. Make sure to have threat monitoring in place to get alerts and address IoT security threats quickly.
Focus on customer and business data protection
By tracking all your connected data stores, admins, and other services that touch IoT, you can make sure your IoT apps are protected and your security for IoT is effective.
Get started building secure IoT deployments with Azure
Rely on trusted security approaches
Take advantage of a broad range of IoT security solutions that have been proven effective by companies like yours and are uniquely suited to help you secure your IoT deployments—across cloud, devices, and the enterprise.
Deploy comprehensive IoT security from chip to cloud
With crossover MCUs, a secured Windows IoT OS, and turnkey cloud security service, Azure Sphere helps to protect devices and deliver end-to-end IoT security that responds to emerging threats.
Reduce risk and enable remediation
Find services with flexibility for your specific risk profile and deployment scenarios with the trusted protection at Azure IoT Central.
Explore IoT security solutions with Azure
Rely on trusted security approaches
Protect both managed and unmanaged IoT and operational technology devices with agentless asset discovery, vulnerability management, and threat detection.
Microsoft Sentinel
Get a bird's-eye view of IT, IoT, and operational technology security plus intelligent security analytics for your entire enterprise with the industry's first cloud-native SIEM platform on a major public cloud.
Azure IoT Central
Reduce risk with security posture management, and threat monitoring and remediation.
Azure Sphere
Actively protect your devices with a comprehensive IoT security solution that includes hardware, OS, and cloud components.
Azure IoT Edge
Ensure your devices have the right software and that only authorized edge devices can communication with one another.
Azure IoT Hub
Enable highly secure and reliable communication between your IoT applications and the devices it manages.