Implementing IoT security at scale in a digitally-transformed Asia

The proliferation of Internet-of-Things (IoT) devices has enhanced connectivity and automation capabilities for businesses and consumers alike. At the same time, the increased use of IoT devices across critical industries is also raising concerns about the risks of IoT security.

After all, with more non-business IoT devices connected to corporate networks as employees work remotely, adversaries have more avenues to access and exploit sensitive business data.

Consumer IoT devices are not spared, either. In fact, the rise of “botnet drones”, a class of malware targeting IoT devices, made headlines in Singapore after authorities detected an increase from an average of 2,300 botnet drones daily in 2019 to 6,600 daily in 2020.

Limitations to security controls in devices

Businesses and consumers have largely relied on embedded security to safeguard their IoT devices. But this is insufficient; many devices have hardware limitations that make it difficult to implement standardised embedded security features.

For instance, certain IoT devices lack the storage or processing power to support logging or the cryptographic functions that protect sensitive information while it is processed, which leaves them vulnerable. To make matters worse, the billions of already-deployed legacy devices cannot be retroactively redesigned for security and pose a significant threat to the network.

Even if an IoT device is built securely, vulnerabilities could be inserted – intentionally or otherwise – into devices from any one node within a manufacturer’s diverse supply chain, and these might not be visible when the device is shipped. Variables in real-world deployments can also lead to different risk profiles.

The exploitation of IoT vulnerabilities on a large scale will become more prevalent as IoT implementation continues to grow across sectors. In January this year, South Korea’s National Intelligence Service announced that some 11,700 IoT devices in 72 countries have been infected with malware. The infected devices, some of which included CCTVs, video recorders, and internet routers, can be used in distributed denial-of-service attacks to disrupt server traffic.

Network-level IoT security at scale must complement embedded measures in devices

It’s clearly not enough for users of IoT devices – including companies, governments, and consumers – to rely solely on embedded security features. Instead, organisations should adopt network-level IoT security based on a zero-trust approach. In particular, three key security practices should be executed under a zero-trust approach, applying the “never trust, always verify” principle to all devices, users and nodes.

  • Firstly, organisations need full visibility of IoT devices on their network at any given time to help them understand the “attack surface” and important interdependencies: where IoT devices are located, which applications they are using, and how they are interconnected. Once visible to the organisation, IoT devices must be identified and assessed for risk when they connect to the network. Device visibility and identification can eliminate critical blind spots that attackers could otherwise exploit.
  • In addition, organisations need to practice continuous device and risk monitoring, in order to identify abnormal behaviours and threats. As IoT devices are designed for a fixed set of functionalities, their intended pattern of behaviour is often predictable, making it easier to monitor for abnormalities.
  • Finally, visibility and continuous device and risk monitoring allow organisations to come up with security policies, taking enforcement actions vis-à-vis their IoT devices in real time to thwart cyberattacks. Such policies may include network segmentation, which creates “least access” zones for IoT devices by their function, reducing risk and limiting lateral movement of threats in case a device zone gets compromised.
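The three practices above form one control loop: inventory what is on the network, learn each device's expected behaviour, flag deviations, and enforce a policy. The following is an added example (not code from the article) that runs that loop over constructed flow records; device ids, addresses, ports and the alert/quarantine threshold are all placeholder assumptions.

```python
# Added example: a minimal network-level IoT control loop over constructed flow
# records. Step 1 builds the device inventory, step 2 learns a per-class baseline
# and flags deviations, step 3 turns repeated deviations into an enforcement action.
from collections import defaultdict

# Constructed records: (device_id, device_class, proto, dst_ip, dst_port).
BASELINE_FLOWS = [
    ("cam-01", "ip-camera", "tcp", "10.0.5.10", 554),          # RTSP to the recorder
    ("cam-01", "ip-camera", "udp", "10.0.0.53", 53),           # DNS
    ("cam-02", "ip-camera", "tcp", "10.0.5.10", 554),
    ("cam-02", "ip-camera", "udp", "10.0.0.53", 53),
    ("hvac-01", "hvac-controller", "tcp", "10.0.6.20", 47808),  # BACnet
]
LIVE_FLOWS = [
    ("cam-01", "ip-camera", "tcp", "10.0.5.10", 554),
    ("cam-02", "ip-camera", "tcp", "10.0.9.40", 445),          # file sharing into the office segment: unexpected
    ("cam-02", "ip-camera", "tcp", "198.51.100.7", 6667),      # outbound to an unexpected port and host
    ("hvac-01", "hvac-controller", "tcp", "10.0.6.20", 47808),
]

def build_inventory(flows):
    """Step 1, visibility: device id -> its class and the set of peers it talks to."""
    inv = {}
    for dev, cls, _proto, dst, _port in flows:
        inv.setdefault(dev, {"class": cls, "peers": set()})["peers"].add(dst)
    return inv

def learn_baseline(flows):
    """Step 2a, learning: expected (proto, port) pairs per device class. Devices of
    one class share a fixed function, so their traffic pattern is predictable."""
    base = defaultdict(set)
    for _dev, cls, proto, _dst, port in flows:
        base[cls].add((proto, port))
    return base

def detect_anomalies(flows, baseline):
    """Step 2b, monitoring: any flow outside its class baseline is an anomaly.
    A class never seen during learning has an empty baseline, so all its flows are flagged."""
    return [(dev, proto, dst, port) for dev, cls, proto, dst, port in flows
            if (proto, port) not in baseline[cls]]

def enforcement_actions(anomalies, threshold=2):
    """Step 3, policy: one deviation raises an alert; `threshold` or more deviations
    quarantine the device into a restricted segment (placeholder threshold)."""
    counts = defaultdict(int)
    for dev, *_ in anomalies:
        counts[dev] += 1
    return {dev: ("quarantine" if n >= threshold else "alert") for dev, n in counts.items()}
```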

Leveraging ML and cloud capabilities for network-level IoT security

When it comes to zero-day threats, prevention is better than cure. With adversaries savvier than ever, the use of prevailing machine learning (ML) technologies has become an essential approach to IoT cybersecurity.

ML models leverage an extensive, data-driven understanding of an IoT device’s expected behaviour on a network. This enables ML to easily learn patterns at scale and in real time, ultimately to automate device identification, proactively detect malicious deviations, and automatically prevent attacks.

Additionally, as more organisations around the world extend their networks to hybrid cloud models, network-level IoT security should also leverage cloud capabilities to deliver updated controls instantly, and to scale up or down with the computational needs of countering sophisticated, automated cyberattacks.

Government policies must promote network-level IoT security at scale

The sheer scale of IoT implementation across industries, coupled with the seriousness of the threat of IoT-based attacks, has led many government authorities to propose or enact new regulations and policy changes.

Many government bodies have been exploring regulations or codes of practice to improve IoT security. These have largely focused on mandating new measures for device manufacturers to take when building or maintaining devices, and implementing device certifications or labelling schemes, such as the Cybersecurity Labelling Scheme in Singapore for consumer IoT devices.

However, as IoT devices are increasingly applied across varied use cases, governments may also consider policies that promote network-level security in addition to embedded device security.

We recommend that governments take the following approaches to promote effective network-level IoT security:

  1. Encourage their businesses, government agencies and citizens to take steps to have a full inventory of all IoT devices on their networks, continuously monitor those devices for anomalous behaviour and threats, and take automated security policy enforcement actions vis-à-vis their IoT devices in real time to prevent cyberattacks and react to anomalous behaviour.
  2. Promote the adoption of automated approaches to cybersecurity, specifically those that leverage ML.
  3. Promote the use of the cloud and cloud-based security throughout economies.

Finally, given the pervasive use of IoT across industries today (from healthcare to manufacturing to transportation), as well as by government agencies themselves, close cooperation and collaboration between governments and the private sector will be crucial to prevent cyberattackers from exploiting vulnerabilities in IoT devices.