For the Internet of Things (IoT) to fulfil its potential, the choices Chief Information Security Officers (CISOs) and their teams make about security will be critical, says Darron Antill, CEO, Device Authority.
The explosive growth in IoT (55.7 billion devices by 2025 according to analysts at IDC) demands a new level of automation and integrated trust. Identity and access management (IAM) is essential, but security teams facing significant changes in the threat and security landscape need new approaches.
Traditional security is no longer able to cope with the demands of securing such vast numbers of devices.
Industry 4.0, connected vehicles, telemedicine and the development of smart cities demand new solutions.
If IoT device networks lack continuous authentication and authorisation, then the current threat landscape means they are opening themselves to credential theft and significant system compromise.
Secure chipsets, enterprise security and conventional cloud platforms or network security controls are unlikely to cope with the complexity of scaled, industry-specific IoT deployments.
IoT data is increasingly a target for theft, ransom or disruption and critical infrastructure is in the cross-hairs of groups with malign motivations and evolving methodologies.
It is why cyber agencies in the Five Eyes countries have issued warnings about attackers exploiting native tools using “living off the land” techniques.
In February this year, US authorities warned about China-sponsored Volt Typhoon targeting IT systems in critical infrastructure to enable lateral movement to operational technology (OT) systems.
But threat actors are not limited to one technique. CrowdStrike in its 2024 Global Threat Report highlights how criminals are targeting network peripheries where there is less visibility.
Even respected security companies are susceptible.
At the start of 2023, for example, Fortinet FortiGate devices were compromised through malicious firmware, prompting the company to issue an advisory and conduct an investigation.
The new challenges of IoT security are confronting CISOs at a time when budgets remain tight and threats are multiplying.
The integration of IT and OT, covering diverse networks of widely dispersed devices, has added greatly to CISO workloads.
CISOs may equally be responsible for protecting the production of new devices, rolling out connected systems or retrofitting security to OT that has previously had little protection.
In addition, businesses must comply with new device and software regulations such as the EU Cyber Resilience Act, the US Executive Order 14028 and the SBOM (Software Bill of Materials) regulation.
The burdens are greater in the medical sector where devices are regulated by the FDA in the US, and EU Medical Device Regulation in Europe.
The SBOM is a welcome introduction and aims to give a product manufacturer the evidence that software components are up-to-date and should provide buyers with a basis for evaluation.
But it adds to the tasks of monitoring and validation.
In this ever-more complex environment, IoT security is not a subject that teams can neglect. PwC estimates “mega breaches” are more numerous and costly.
In utilities, industrial and automotive, PwC research finds the average cost is significantly more than $4m.
Despite budget constraints in many sectors, Gartner forecasts a 14% increase this year (globally) in spending on security and risk management (rising to $215bn).
More specifically, IAM has become so crucial that Gartner predicts spending on it will rise by 14.8%.
With machine identities outnumbering human equivalents by a factor of 45:1, automation and strengthening of identity protection are non-negotiable.
Teams need to simplify their device authentication operations so they can save huge amounts of time and remain confident about security.
Human monitoring of all devices in large networks is impossible, so a coordinated, integrated approach that covers the full lifecycle of devices is required.
And as edge computing develops, devolving data processing for lower latency, security must be capable of scaling and adapting.
The only answer to these considerable challenges lies in a more holistic IoT security that advances the automation of zero trust for IoT environments.
This means benefiting from automation that deploys tested PKI (public key infrastructure), zero trust technology at scale, handling device registration and IAM provisioning.
In addition, enterprises need policy-driven data encryption and continuous, automated monitoring of ecosystems, which requires AI.
PKI security is vital.
It is based on certificate assurance – an approach that has evolved from its origins to resolve problems of identity, authentication, integrity and privacy.
It has now overcome the difficulties of scaling for IoT, especially for devices with no UI or associated user. IoT device certificates are securely generated, signed and managed through policy-driven automation.
A more advanced, integrated approach blends IoT IAM with the traditional enterprise IAM, hardware security modules (HSMs) and data security platforms.
This is essential for end-to-end security and data exchange.
Device-bound crypto-key provisioning ensures security, while lifecycle management policies ensure automatic removal of sensitive data on decommissioning.
Continuous assurance, threat validation and lifecycle management also tackle the requirements of regulations such as the US EO 14028.
This requires transparency in the software supply chain through implementation of the SBOM, along with shared threat intelligence for critical infrastructure and zero trust.
With a mature approach to IoT, security teams benefit from real-time zero trust, ensuring they have SBOM status visibility across all assets allied to continuous tracking and automated reporting.
The deployment of AI as part of an integrated approach ensures detection of anomalies that indicate suspicious behaviour and enables fast response times that reduce or eliminate damage from incidents.
Speed of response is vital considering that on average it takes 272 days to identify and contain zero-day vulnerability-based breaches, according to IBM/Ponemon’s 2023 Cost of a Data Breach Report.
AI is necessary for continuous authorisation, but organisations also need access to external threat intelligence, policy-driven data encryption and validation with SBOMs.
This is what a more integrated approach that addresses current threats will provide in current and future IoT environments, managing the identity of thousands of devices – from provisioning to decommissioning.
It will ensure only authorised devices can register, providing the initial trust anchor with an IoT application.
To gain access to this level of security and assurance, CISOs need these advanced, automated capabilities in a single platform, whether in the cloud or on-premises.
In the cyber world, there is always much noise about solutions.
But the explosion of IoT networks means CISOs need to consider whether current technology is capable of securing vast numbers of devices, many of which have weak in-built protection.
As IoT and industrial IoT take off, it is vital to make the right choices. For most enterprises, the path to greater security is firmly laid towards a best-of-breed technology that will integrate into the wider enterprise tech stack.
In IoT, zero trust is now the standard approach to security for connected devices.
But it requires a platform designed to meet all the heavy demands of today’s and tomorrow’s IoT environments.