The Internet of Things (IoT) already plays a massive part in our everyday lives, whether at work, at home or in public environments. We constantly interact with connected smart devices that are seamlessly integrated into our routines. IoT is an interconnected system of physical devices that exchange data with one another through sensors, actuators, processors, and software. It has given us accessibility and the ability to realize ideas that were difficult or even impossible before. However, every advance in technology brings a new set of challenges and risks, and identifying and managing those risks is fundamental as we continue to embrace IoT in our daily lives.
Arguably the most crucial aspect of IoT to consider today is security, with some of the most critical threats including:
- Unencrypted data storage
- Unsecured financial information
- Unauthorized access to physical property
- Weak passwords and ID verifications
- Compromised IoT devices conscripted into botnets
In the first half of 2021 alone, cyberattacks against IoT devices more than doubled to reach a whopping 1.5 billion attacks. With the increasing rate of security threats, the prioritization of research and efforts to curtail online attacks is also on the rise, leading to major breakthroughs in IoT security.
In addition, national governments have started legal initiatives to educate people on the risks of cyberattacks and drive the industry to secure IoT ecosystems. For this purpose, regulations aim to standardize assessing risk and certifying IoT products for public use.
Risk Assessment, Vulnerabilities, and Countermeasures
IoT security is rarely a visible product feature, but it is a prerequisite for trusted and reliable IoT services. IoT product requirements should be derived from the outcome of a proper risk assessment: review the target use cases before development starts to identify potential threats and attack scenarios, then implement appropriate countermeasures. Bolting security on at the end of the design phase, or onto previously existing designs, leaves gaps that attackers can exploit.
In general, attackers target the confidentiality, integrity, or availability of an IoT ecosystem. For example, IoT metering devices located in private environments (e.g., IoT-based utility meters in households) are a common target. These devices report billable consumption data, which an attacker may tamper with (for instance to under-report usage) or read (revealing occupancy patterns).
Another example is unauthorized access to healthcare devices. Whether the goal is access to an organization's IT infrastructure or to medical data, gaining control of a medical IoT device may allow tampering with its functions, with potentially life-threatening consequences.
Similarly, cyberattacks on the IoT systems of commercial businesses can cause devastating financial loss. A forced failure of installed IoT devices or the theft of information can damage the company's reputation or cost it market share.
The motivation behind IoT attacks differs from case to case. That is why IoT manufacturers are strongly advised to implement countermeasures proactively rather than defend their product's security after an incident.
Securing the software is critical, and in practice much of it comes down to large-scale monitoring of behavior to identify suspicious activity that indicates an attack or a policy violation. Hardware security, as Lin Nease, Chief Technologist for IoT at HPE, described in an interview, is more of a “keep bad things from happening in the first place” approach.
Secure hardware gives each endpoint a protected identity (typically a device-unique key stored where firmware, and an attacker who dumps it, cannot read it) and anchors the cryptographic protection of the data exchanged between endpoints. Two devices can therefore verify each other's identity before trusting what the other sends. The hardware anchor that makes this possible is commonly referred to as a root of trust (RoT). It does not stop every attack, but it makes it much harder for an attacker to impersonate a device or to extract the keys that protect its traffic.
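To make the mutual identity check concrete, here is an added example (not code from the original article or from HPE) that simulates a device whose per-device key lives in a secure element exposing only sign/verify, and a backend that challenges the device with a fresh nonce and proves its own identity back. The device IDs, keys, message formats and the HMAC-based challenge-response are all assumptions chosen for illustration; real deployments use asymmetric device certificates and TLS, but the trust relationship is the same. The scenarios show what the root of trust buys you: a clone that copied the firmware and device ID but not the key is rejected, a captured response cannot be replayed, and a rogue backend cannot pass the device's check.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample data: per-device keys that would be injected into each
# secure element at manufacturing time and registered with the backend.
PROVISIONED_KEYS: Dict[str, bytes] = {
    "meter-0001": bytes.fromhex("6f1a9c2e4b8d03f57a6c1e9b2d4f8a03"),
    "meter-0002": bytes.fromhex("c3e57a190b4d6f82e1a3c5d7f9b0a2c4"),
}


class SecureElement:
    """Simulated hardware root of trust: holds one per-device key and exposes
    only sign/verify, so firmware never sees the key. (Simulation only: real
    hardware keeps the key physically unreadable.)"""

    def __init__(self, device_id: str, key: bytes) -> None:
        self.device_id = device_id
        self._key = key

    def sign(self, msg: bytes) -> bytes:
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def verify(self, msg: bytes, tag: bytes) -> bool:
        return hmac.compare_digest(self.sign(msg), tag)


class Backend:
    """Cloud side: knows each provisioned key, issues single-use challenges,
    and proves its own identity back to the device."""

    def __init__(self, keys: Dict[str, bytes]) -> None:
        self._keys = dict(keys)
        self._pending: Dict[str, bytes] = {}

    def challenge(self, device_id: str) -> bytes:
        nonce = secrets.token_bytes(16)  # fresh per attempt: defeats replay
        self._pending[device_id] = nonce
        return nonce

    def verify_device(self, device_id: str, nonce: bytes, tag: bytes) -> Optional[bytes]:
        key = self._keys.get(device_id)
        expected = self._pending.pop(device_id, None)  # each nonce is single use
        if key is None or expected is None or not hmac.compare_digest(nonce, expected):
            return None
        want = hmac.new(key, b"device|" + device_id.encode() + b"|" + nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(want, tag):
            return None  # wrong key: clone, or unknown device
        # Server proof, bound to the same nonce, so the device can authenticate us too.
        return hmac.new(key, b"server|" + device_id.encode() + b"|" + nonce, hashlib.sha256).digest()


def mutual_auth(se: SecureElement, backend: Backend) -> bool:
    """Full exchange: challenge -> device response -> server proof -> device check."""
    did = se.device_id.encode()
    nonce = backend.challenge(se.device_id)
    tag = se.sign(b"device|" + did + b"|" + nonce)
    proof = backend.verify_device(se.device_id, nonce, tag)
    if proof is None:
        return False
    return se.verify(b"server|" + did + b"|" + nonce, proof)


def genuine_device_authenticates() -> bool:
    return mutual_auth(SecureElement("meter-0001", PROVISIONED_KEYS["meter-0001"]), Backend(PROVISIONED_KEYS))


def cloned_device_authenticates() -> bool:
    # Attacker copied firmware and device ID but could not extract the key.
    return mutual_auth(SecureElement("meter-0001", b"\x00" * 16), Backend(PROVISIONED_KEYS))


def replay_authenticates() -> bool:
    backend = Backend(PROVISIONED_KEYS)
    se = SecureElement("meter-0001", PROVISIONED_KEYS["meter-0001"])
    nonce = backend.challenge(se.device_id)
    tag = se.sign(b"device|" + se.device_id.encode() + b"|" + nonce)
    if backend.verify_device(se.device_id, nonce, tag) is None:
        raise RuntimeError("genuine first exchange should succeed")
    # Same nonce and tag captured from the wire and submitted again.
    return backend.verify_device(se.device_id, nonce, tag) is not None


def rogue_backend_authenticates() -> bool:
    class RogueBackend(Backend):
        def verify_device(self, device_id: str, nonce: bytes, tag: bytes) -> Optional[bytes]:
            return b"\x00" * 32  # accepts anything but cannot compute a real proof

    return mutual_auth(SecureElement("meter-0001", PROVISIONED_KEYS["meter-0001"]), RogueBackend({}))


if __name__ == "__main__":
    print("genuine device:", genuine_device_authenticates())   # True
    print("cloned device:", cloned_device_authenticates())     # False
    print("replayed response:", replay_authenticates())        # False
    print("rogue backend:", rogue_backend_authenticates())     # False
```

The point of the design is that every trust decision traces back to a key that only the secure element can use: the backend cannot be fooled by a device that merely knows the device ID, and the device cannot be fooled by a backend that merely knows the protocol. Binding both proofs to a single-use nonce is what turns "the key exists somewhere" into "the key was used just now, for this session".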
You can view the hardware versus software comparison as preventive versus reactive security. Hardware security is preventive: it establishes a sound, trustworthy system in the first place. Software security, in this framing, is reactive: it detects and responds to identified threats. In practice the two are always combined in whatever mix fits the application at hand, and your goals and requirements determine the balance.
If you are designing an IoT product, keep in mind that secure hardware helps protect both the device itself and the network it connects to. It gives you precise control over which devices communicate with one another and how.