IoT security—an overview
Protect your data and devices across the Internet of Things
What is IoT security?
The Internet of Things (IoT) can drive huge economic opportunities for industries and enable exciting innovations that reach across fields from childcare to eldercare, from hospitality to mining, from education to transportation. Diverse IoT solutions—everything from remote monitoring, predictive maintenance, and smart spaces to connected products and customer-facing technologies like mobile apps—can reduce operational complexity, lower costs, and speed up time to market.
With technology pundits and analysts predicting even more expansive use of IoT devices and apps in the future, along with ever-evolving devices, services, and apps that touch the IoT space, organizations are often eager to take advantage of the business benefits.
While traditional information cybersecurity revolves around software and how it is implemented, IoT cybersecurity adds an extra layer of complexity as the cyber and the physical worlds converge. A wide range of operational and maintenance scenarios in the IoT space rely on end-to-end device connectivity to enable users and services to interact, login, troubleshoot, send, or receive data from devices. Companies may want to take advantage of IoT efficiencies like predictive maintenance, for example, but knowing what security precautions to take is essential, because operational technology (OT) is too important and valuable to risk in the event of breaches, disasters, and other threats.
What's the security concern with IoT?
Although IoT devices may seem too small or too specialized to be dangerous, there is real risk in what are really network-connected, general-purpose computers that can be hijacked by attackers. Even the most mundane device can become dangerous when compromised over the internet—from spying with video baby monitors to interrupted services on life-saving health care equipment. Once attackers have control, they can steal data, disrupt delivery of services, or commit any other cybercrime they’d do with a computer. Attacks that compromise IoT infrastructure inflict damage not just through data breaches and unreliable operations, but also through physical harm to the facilities, or worse—to the humans operating or relying on those facilities.
Protecting employees, customers, valuable operational technologies, and business investments with secure IoT infrastructure needs to take an end-to-end approach. Experienced IoT security companies recommend a three-pronged approach to protect data, devices, and connections:
- Secure provisioning of devices.
- Secure connectivity between devices and the cloud.
- Securing data in the cloud during processing and storage.
What else should I consider with IoT device security?
Security concerns with IoT are also driven by:
Device heterogeneity or fragmentation
Many companies use a large number of different devices running different software, using different chips, and may even use different methods to connect. This is what’s known as device heterogeneity. It creates a challenge to update and control all your different connected devices—but software solutions do exist to simplify this process.
Connection to valuable operational technology
Many businesses would love to take advantage of the business benefits of connection, but can’t risk the loss of revenue if facilities are attacked and go down, even for a few days. The good news is that there are trusted IoT security companies that offer software solutions to help protect against attacks.
Challenges with the security of legacy devices
Some devices were designed before IoT existed and before any connection was even possible. These devices have never been "hardened," that is, put through the process of identifying and eliminating or mitigating vulnerabilities. Many other legacy devices are inexpensive or were not designed with IoT security specifically in mind.
How do IoT attacks happen?
Because this new IoT connectivity covers such a large and often unfamiliar attack surface and IoT devices and apps can hold massive troves of personal, operational, and corporate data, security pros need to go beyond the traditional information security requirements of confidentiality, integrity, and availability.
Security pros are of course concerned with data breaches and other cyberattacks. But, because an IoT vulnerability has the potential to cause life-threatening physical danger or shutdown of profit-making operations, they must especially concern themselves with securing connectivity, device hardening, threat monitoring, and security posture management, as well as securing data on the backend in the cloud.
Understanding IoT cybersecurity starts with a threat model
Threat modeling is used by many IoT security companies to understand how an attacker might be able to compromise a system and then make sure appropriate measures are in place to prevent or mitigate an attack.
IoT cybersecurity attacks can threaten:
Processes—threats to processes both under your control, such as web services, and threats from external entities, such as users and satellite feeds, that interact with the system, but are not under the control of the application.
Communication, also called data flows—threats around the communication path between devices, between devices and field gateways, and between devices and the cloud gateway.
Storage—threats to temporary data queues, operating systems (OS), and image storage.
Threats to your IoT infrastructure
IoT attacks can be broadly categorized in five different areas: spoofing, tampering, information disclosure, denial of service, and elevation of privilege.
Spoofing, Information Disclosure
- An attacker can manipulate the state of a device anonymously.
- An attacker may intercept or partially override the broadcast and spoof the originator (often called man-in-the-middle or MitM attacks).
- An attacker can take advantage of vulnerabilities in constrained or special-purpose devices. These devices often have one-for-all security facilities, such as password or PIN protection, or rely on a shared network key for protection. When the shared secret for a device or network (PIN, password, shared network key) is disclosed, it is possible to control the device or observe data emitted from the device.
- An attacker can tamper with any physical device—from battery-drainage ("sleep deprivation") vulnerabilities to random number generator (RNG) attacks made possible by freezing devices to reduce entropy.
- An attacker may partially or wholly replace the software running on the device, potentially allowing the replaced software to leverage the genuine identity of the device if the key material or the cryptographic facilities holding key materials were available to the illicit program.
- An attacker may eavesdrop on a broadcast and obtain information without authorization or may jam the broadcast signal and deny information distribution.
- An attacker may intercept or partially override the broadcast and send false information.
Denial of Service
- A device can be rendered incapable of functioning or communicating by interfering with radio frequencies or cutting wires. For example, a surveillance camera whose power or network connection has been intentionally knocked out cannot report data at all.
Elevation of Privilege
- A device that performs a specific function can be forced to do something else. For example, a valve that is programmed to open halfway can be tricked into opening all the way.
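The threat list above, together with the "secure provisioning of devices" prong earlier on the page, describes three failure modes that a device-side command handler can be built to resist: a shared network key that, once disclosed, controls every device; a captured broadcast replayed or altered by a man-in-the-middle; and an authentic command that pushes an actuator (the valve) past its intended range. The following is an added example, not code from this page or from Microsoft/Azure. It assumes a hypothetical `ValveDevice` firmware class, per-device symmetric keys issued at provisioning and HMAC-SHA256 over a canonical JSON body with a monotonic counter; the fleet, keys and commands are all constructed inline.

```python
import hashlib
import hmac
import json
import secrets


def provision_fleet(device_ids):
    """Issue one random 256-bit key per device at provisioning time (constructed
    registry). A leaked key then exposes one device, not the whole network, which
    is the difference from the one-for-all shared network key described above."""
    return {dev: secrets.token_bytes(32) for dev in device_ids}


def _canonical(body):
    # Deterministic serialization so gateway and device MAC identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_command(key, device_id, counter, action, value):
    """Gateway/cloud side: build an authenticated command for exactly one device."""
    body = {"device": device_id, "counter": counter, "action": action, "value": value}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class ValveDevice:
    """Hypothetical valve controller firmware: authenticates, de-duplicates and
    bounds every command before moving the actuator."""

    def __init__(self, device_id, key, max_open_percent):
        self.device_id = device_id
        self._key = key
        self.max_open_percent = max_open_percent  # hard safety limit in firmware
        self.last_counter = 0                     # monotonic counter for replay defence
        self.position = 0                         # current opening, 0..100

    def handle(self, msg):
        body = msg.get("body", {})
        expected = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
        # Constant-time comparison; a message signed with a wrong or foreign key
        # (spoofing, leaked key of another device) fails here.
        if not hmac.compare_digest(expected, msg.get("tag", "")):
            return False, "bad signature"
        if body.get("device") != self.device_id:
            return False, "command addressed to another device"
        # A MitM replaying a captured, validly signed message reuses an old counter.
        if body.get("counter", 0) <= self.last_counter:
            return False, "replayed or stale command"
        if body.get("action") != "set_position":
            return False, "unknown action"
        value = body.get("value")
        # Policy is enforced on the device itself, so even an authentic command
        # cannot force the valve past its safety envelope (elevation of privilege).
        if type(value) is not int or not 0 <= value <= self.max_open_percent:
            return False, "setpoint outside safety envelope"
        self.last_counter = body["counter"]
        self.position = value
        return True, f"position set to {value}%"


def demo():
    """Run the four scenarios from the threat list and return (results, final position)."""
    keys = provision_fleet(["valve-01", "valve-02"])
    valve = ValveDevice("valve-01", keys["valve-01"], max_open_percent=50)
    results = []
    # 1. legitimate command from the gateway
    results.append(valve.handle(sign_command(keys["valve-01"], "valve-01", 1, "set_position", 25)))
    # 2. the same message captured and replayed
    results.append(valve.handle(sign_command(keys["valve-01"], "valve-01", 1, "set_position", 25)))
    # 3. signed with another device's key (e.g. one that has been disclosed)
    results.append(valve.handle(sign_command(keys["valve-02"], "valve-01", 2, "set_position", 25)))
    # 4. authentic, fresh, but asks for more than the firmware limit allows
    results.append(valve.handle(sign_command(keys["valve-01"], "valve-01", 2, "set_position", 100)))
    return results, valve.position


if __name__ == "__main__":
    for ok, reason in demo()[0]:
        print("accepted" if ok else "rejected", "-", reason)
```

Only the first command is accepted; the replay, the foreign-key signature and the out-of-range setpoint are each rejected with a distinct reason, which is what a device should also log so that threat monitoring on the backend can alert on a pattern of rejections.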
How do I evaluate my IoT security?
Learn the most likely threats
Consider the most relevant threats to your IoT infrastructure—whether they’re cyber or physical threats. Examine threats to data storage, cloud services, operating systems, IoT apps, various network technologies, backup services, and monitoring, as well as threats to physical devices, sensors, and the control systems that keep devices functioning properly.
Understand your risks
Review the consequences of the threats you’ve identified and decide what your business cares about most. Prioritize in order of concern and eliminate consequences not relevant to your business scenarios.
Select evaluation strategies
Choose the security evaluation approach that provides the most value and addresses risk scenarios of IoT security attacks—based on the unique threats and consequences to your business that you’ve identified.
Consider the advice of experts
Choose an evaluator or set of evaluators that can help provide IoT security evaluation services. Get started with the Security Program for Azure IoT selection matrix.
Learn how to approach the new threats and consequences facing your business with the e-book, Evaluating Your IoT Security, from Microsoft.
What steps can I take to secure my IoT deployments?
Simplify IoT cybersecurity complexity
Integrate across teams and infrastructure to coordinate a comprehensive approach, from the physical devices and sensors to your data in the cloud.
Prepare for IoT security specifically
Consider resource-constrained devices, geographic distribution of deployments, and the number of devices within a solution.
Get smart about security analytics and remediation
Monitor everything connected to your IoT solution with security posture management. Stack rank the suggestions based on severity to decide what to fix first to reduce your risk. Make sure to have threat monitoring in place to get alerts and address threats quickly.
Focus on customer and business data protection
By tracking all your connected data stores, admins, and other services that touch IoT, you can make sure your IoT apps are protected as well.
Get started building secure IoT deployments with Azure
Rely on trusted security approaches
Take advantage of a broad range of IoT security solutions that have been proven effective by companies like yours and are uniquely suited to help you secure your IoT deployments—across cloud, devices, and the enterprise.
Deploy comprehensive security from device to cloud
With crossover MCUs, a secured Windows IoT OS, and turnkey cloud security service, Azure Sphere helps to protect devices and deliver end-to-end IoT security that responds to emerging threats.
Reduce risk and enable remediation
Find services with flexibility for your specific risk profile and deployment scenarios with the trusted protection from Azure services.
Explore IoT security solutions with Azure
Securely connect, monitor, and manage billions of devices to develop IoT apps.
Decrease your risk of security threats—ranging from physical tampering to IP hacking—while you move your data and analytics to the intelligent edge.
Create highly secured, connected MCU-powered devices to transform your business and delight customers.