February 16, 2021
A recent threat report reveals a shocking fact: 98% of all IoT traffic is unencrypted. That means more than 25 billion devices are at risk of hacking. Not to worry: a zero-trust approach is here to help. This method suggests verifying each connected device and offers multiple tech tactics to secure IoT. Moreover, companies and startups can gain an advantage over their competitors with this security framework.
Protecting IoT isn't an easy task, and traditional security practices don't suit connected devices. The problem is that IoT has lower processing power. This makes it challenging to implement firewalls during Internet of Things development. The variety of networks in IoT also provides more access points for breaches.
IoT networks' vulnerability opens the door to unauthorized access, privacy breaches, and DDoS attacks. Data sent to the cloud and many operations processed there can also play into the hands of hackers. The effect of these vulnerabilities among healthcare solutions, in particular, can be life-threatening.
The OWASP Internet of Things Project, which helps startups and large enterprises improve security when building IoT devices, names top vulnerabilities.
Today, ensuring IoT solutions' proper security level means protecting devices, gateways, connections, cloud environments, and user accesses. The zero-trust security model is designed to help do just that.
Two-factor authentication and smile-to-pay facial scanning are two vivid examples of a zero-trust security framework in action. Unlike one-time validation, this concept is about continuous verification of both users' and devices' access even if they've been authorized before.
While traditional network security relies on the principle "trust but verify," a zero-trust model means "never trust but always verify." This concept was first used in a Forrester Research report in 2010. A couple of years later, Google deployed zero trust in their network.
In the IoT world, this approach manages the security of each connected device. As zero trust treats all interactions as malicious, it requires proof of identity every time the device accesses the network. This means checking for the right attributes and privileges.
Overall, implementing zero trust within IoT means casting a wide net. It includes verifying the identity of users, devices, virtual infrastructure, and the cloud environment. That’s why it’s essential to add digital security services to IoT devices from the ground up—from hardware type to patch levels and app functionality.
There is no one-size-fits-all solution to protect each connected device. On the one hand, IoT products vary from smart clothes and accessories to hospital monitors and industrial robots. On the other, IoT incorporates hardware, firmware, connectivity technologies, and user-facing apps. That’s why the task is to create each of these components with a cybersecurity and a zero-trust approach at the fore.
In conversation with Bill Kleyman of Switch, IoT World Today named five main principles of the zero-trust model to deploy within IoT. These include:
Essentially, the zero-trust model is more than just verifying the identity of users and devices that try to access the network. Companies should track what information each connected device processes and which services they use to reveal any suspicious activity.
These principles of zero trust require companies to deploy additional tactics and technologies. Here are some examples:
Thus, the zero-trust approach helps implement hack-proof solutions from scratch. Multiple tactics and technologies protect IoT by providing different levels of access to separate data types and supporting multiple types of verification.
Companies from different industries can implement zero-trust approaches to secure their IoT solutions and, therefore, get an advantage over their competitors. Here are just a couple of examples of how the zero-trust model can benefit IoT in homes and business facilities.
Today, a typical modern house is full of IoT devices with security risks. Smart door openers, outdoor CCTV cameras, HVAC systems, and light bulbs can be controlled through a single mobile device remotely. With zero trust, security tokens can protect IoT on the hardware side. On the user side, multi-factor authentication improves devices’ security: users can input a PIN to authorize and either facial or fingerprint recognition to verify the access.
According to Dr. Zahid Anwar of Fontbonne University, the most vulnerable smart home solutions are outdoor devices with embedded computers that support little or no security protocols. A hacker can compromise such wireless doorbells or garage door openers with a Wi-Fi transmitter.
It’s possible to prevent such security issues in the manufacturing stage. The use of security protocols and the release of firmware updates are a must. Additionally, it’s important to help end users create secure passwords and hide the network from view. Developers can prevent users from creating short hackable passwords and can also add password encryption.
Offices are now connected IoT environments. There are security cameras, vending machines, motion sensor systems, light bulbs, and printers that communicate with each other and rely on Wi-Fi, Bluetooth, and the Internet.
The current office infrastructure is not hack-proof, and is therefore open to DDoS attacks, privacy breaches, and fraud. In IoT, this may lead to funny, but seriously impactful security incidents. A few years ago, cybercriminals hacked a casino’s network by stealing sensitive data via an Internet-connected thermometer in the fish tank.
There was a time when biometric authentication such as fingerprints, retina, or facial recognition was only standard for restricted areas in banking or military facilities. But today, it's common decency for all smart work environments.
With zero trust, companies can provide employees with RFID for building entry, grant access to particular offices with fingerprints, and ask for a PIN to use the virtual private network. And even during pandemic-fueled remote working, zero-trust principles help protect the corporate network and secure all connections.
For IoT companies developing healthcare solutions, the spread of COVID-19 and the rapid rise of cyber attacks are key risks in 2021. This trend began in 2020: IoT botnet attacks (such as Dark Nexus or Mukashi) and pandemic-themed attacks were among the main threats. Moreover, the number of cybercrimes quadrupled during the pandemic and reached 4,000 cases per day, according to the FBI Internet Crime Complaint Center (IC3).
Medical devices are the main target for cyberattacks. The most hackable solutions include infusion pumps, implantable devices, and wireless vital monitors. To help protect health data, the FDA analyzes security risks for different companies and gives warnings. In 2017, they warned that St. Jude Medical's cardiac devices, which monitor heart functions and prevent heart attacks, could be easily hacked. A similar warning was issued about the weak security of Medtronic insulin pumps. There was a risk that hackers could remotely access and control any of these devices.
A zero-trust security framework will help companies and startups prevent many breaches and vulnerabilities. In order to successfully implement one, it’s essential to know what contributes to the rise of malware threats in IoT. Here are just some of the main factors:
Today, IoT companies that want to deliver successful solutions put cybersecurity in the forefront. The main task here is to implement digital security from the ground up, taking into account all stages of product development—from hardware types to app functionality and policies for users.