Embracing Zero Trust for IoT: Principles, Tech Tactics, and Use Cases

zero trust model

A recent threat report reveals a shocking fact: 98% of all IoT traffic is unencrypted. That means more than 25 billion devices are at risk of hacking. Not to worry: a zero-trust approach is here to help. This method suggests verifying each connected device and offers multiple tech tactics to secure IoT. Moreover, companies and startups can gain an advantage over their competitors with this security framework.

Why Does IoT Security Fail?

Protecting IoT isn't an easy task, and traditional security practices don't suit connected devices. The problem is that IoT has lower processing power. This makes it challenging to implement firewalls during Internet of Things development. The variety of networks in IoT also provides more access points for breaches.

IoT networks' vulnerability opens the door to unauthorized access, privacy breaches, and DDoS attacks. Data sent to the cloud and many operations processed there can also play into the hands of hackers. The effect of these vulnerabilities among healthcare solutions, in particular, can be life-threatening.

The OWASP Internet of Things Project, which helps startups and large enterprises improve security when building IoT devices, names top vulnerabilities.

Top 5 Vulnerabilities of IoT Devices

  1. Weak, guessable, or hard-coded passwords. These passwords contain credentials that are publicly available, unchangeable, and easy to select by trial and error. They may also contain backdoors in firmware or user software  
  2. Unnecessary or insecure network services running on the device itself and connecting to the Internet
  3. Insecure ecosystem interfaces. These include easy to comprise back-end API, cloud environment, and mobile interfaces like a lack of authentication, authorization, or encryption tools)
  4. Lack of a secure update mechanism (e.g. a lack of embedded and mobile software updates, absence of firmware validation, or nonexistent anti-rollback mechanisms)
  5. Use of nonsecure third-party software/hardware components or outdated software components and libraries

Today, ensuring IoT solutions' proper security level means protecting devices, gateways, connections, cloud environments, and user accesses. The zero-trust security model is designed to help do just that.

What is a Zero-Trust Model About?

Two-factor authentication and smile-to-pay facial scanning are two vivid examples of a zero-trust security framework in action. Unlike one-time validation, this concept is about continuous verification of both users' and devices' access even if they've been authorized before.

While traditional network security relies on the principle "trust but verify," a zero-trust model means "never trust but always verify." This concept was first used in a Forrester Research report in 2010. A couple of years later, Google deployed zero trust in their network.

In the IoT world, this approach manages the security of each connected device. As zero trust treats all interactions as malicious, it requires proof of identity every time the device accesses the network. This means checking for the right attributes and privileges.

Overall, implementing zero trust within IoT means casting a wide net. It includes verifying the identity of users, devices, virtual infrastructure, and the cloud environment. That’s why it’s essential to add digital security services to IoT devices from the ground up—from hardware type to patch levels and app functionality.

What are the Key Tactics and Technologies of Zero Trust in IoT?

There is no one-size-fits-all solution to protect each connected device. On the one hand, IoT products vary from smart clothes and accessories to hospital monitors and industrial robots. On the other, IoT incorporates hardware, firmware, connectivity technologies, and user-facing apps. That’s why the task is to create each of these components with a cybersecurity and a zero-trust approach at the fore.

In conversation with Bill Kleyman of Switch, IoT World Today named five main principles of the zero-trust model to deploy within IoT. These include:

  1. Identifying and protecting all types of data flows and services that devices use
  2. Mapping the data flow, segmenting IoT traffic, and monitoring for suspicious behavior
  3. Building a zero-trust architecture, i.e., ensuring the device always verifies access and checks for possible data breaches
  4. Developing policies for users and devices—for instance, locking down ports and machines, training users, and tracking sensitive devices within the workforce
  5. Monitoring and supporting devices and testing systems to prevent any malicious activity 

Essentially, the zero-trust model is more than just verifying the identity of users and devices that try to access the network. Companies should track what information each connected device processes and which services they use to reveal any suspicious activity.

These principles of zero trust require companies to deploy additional tactics and technologies. Here are some examples:

  • Implementing identity and access management (IAM), which means deploying tools and technologies that help manage access to various data types, including sensitive data, non-sensitive data, and device data. In particular, it’s about using services such as asset and cryptographic key management. Companies should deploy certificates like Online Certificate Status Protocol (OCSP) or DNS-based Authentication of Named Entities (DANE) to improve security
  • Using micro-segmentation. This practice of splitting up security perimeters into small zones ensures separate access to network parts. If there is a breach, the hacker accesses the individual microsegment, not the whole network
  • Adding multi-factor authentication (MFA), which combines more than one type of access verification. Options to apply in IoT applications include password validation, security tokens, retina scans, fingerprinting, and voice, face, and gesture recognition
  • Using artificial intelligence techniques. Machine learning algorithms and data analysis techniques help companies identify security risks and protect systems from cyber attacks

Thus, the zero-trust approach helps implement hack-proof solutions from scratch. Multiple tactics and technologies protect IoT by providing different levels of access to separate data types and supporting multiple types of verification.

How Can Zero Trust Benefit IoT Solutions Across Multiple Industries?

Companies from different industries can implement zero-trust approaches to secure their IoT solutions and, therefore, get an advantage over their competitors. Here are just a couple of examples of how the zero-trust model can benefit IoT in homes and business facilities.

Smart Homes

Today, a typical modern house is full of IoT devices with security risks. Smart door openers, outdoor CCTV cameras, HVAC systems, and light bulbs can be controlled through a single mobile device remotely. With zero trust, security tokens can protect IoT on the hardware side. On the user side, multi-factor authentication improves devices’ security: users can input a PIN to authorize and either facial or fingerprint recognition to verify the access.

According to Dr. Zahid Anwar of Fontbonne University, the most vulnerable smart home solutions are outdoor devices with embedded computers that support little or no security protocols. A hacker can compromise such wireless doorbells or garage door openers with a Wi-Fi transmitter. 

It’s possible to prevent such security issues in the manufacturing stage. The use of security protocols and the release of firmware updates are a must. Additionally, it’s important to help end users create secure passwords and hide the network from view. Developers can prevent users from creating short hackable passwords and can also add password encryption.

Robust connected home solutions are properly protected. They also sync smoothly with 3rd-party devices and apps, have firmware updated, and deliver a seamless user experience. We’ll guide you through all these development challenges in home automation—see how.

Smart Offices

Offices are now connected IoT environments. There are security cameras, vending machines, motion sensor systems, light bulbs, and printers that communicate with each other and rely on Wi-Fi, Bluetooth, and the Internet.

The current office infrastructure is not hack-proof, and is therefore open to DDoS attacks, privacy breaches, and fraud. In IoT, this may lead to funny, but seriously impactful security incidents. A few years ago, cybercriminals hacked a casino’s network by stealing sensitive data via an Internet-connected thermometer in the fish tank.

There was a time when biometric authentication such as fingerprints, retina, or facial recognition was only standard for restricted areas in banking or military facilities. But today, it's common decency for all smart work environments.

With zero trust, companies can provide employees with RFID for building entry, grant access to particular offices with fingerprints, and ask for a PIN to use the virtual private network. And even during pandemic-fueled remote working, zero-trust principles help protect the corporate network and secure all connections.

What are the Main Threats in 2021?

For IoT companies developing healthcare solutions, the spread of COVID-19 and the rapid rise of cyber attacks are key risks in 2021. This trend began in 2020: IoT botnet attacks (such as Dark Nexus or Mukashi) and pandemic-themed attacks were among the main threats. Moreover, the number of cybercrimes quadrupled during the pandemic and reached 4,000 cases per day, according to the FBI Internet Crime Complaint Center (IC3).

Medical devices are the main target for cyberattacks. The most hackable solutions include infusion pumps, implantable devices, and wireless vital monitors. To help protect health data, the FDA analyzes security risks for different companies and gives warnings. In 2017, they warned that St. Jude Medical's cardiac devices, which monitor heart functions and prevent heart attacks, could be easily hacked. A similar warning was issued about the weak security of Medtronic insulin pumps. There was a risk that hackers could remotely access and control any of these devices.


What’s the Bottom Line?

A zero-trust security framework will help companies and startups prevent many breaches and vulnerabilities. In order to successfully implement one, it’s essential to know what contributes to the rise of malware threats in IoT. Here are just some of the main factors:

  • The exponentially growing number of IoT devices in the market and the increasing numbers of endpoints (laptops, mobile phones, IoT devices) connected to the same network. All network types from 2G to Wi-Fi have vulnerabilities and security concerns
  • The insecure development of connected devices that are accessible through the Internet
  • The absence of proper security updates of IoT devices. The essential task for a development company is to release updates of embedded and mobile software, avoid outdated components and insecure update mechanisms, regularly modernize cloud infrastructure, and create security patches
  • Non-compliance with cybersecurity standards and requirements, such as HIPAA, HL7, FDA, PCI DSS, GDPR, and FedRAMP

Today, IoT companies that want to deliver successful solutions put cybersecurity in the forefront. The main task here is to implement digital security from the ground up, taking into account all stages of product development—from hardware types to app functionality and policies for users.