Reduce IoT Cybersecurity Risk With Standards
Industry Standards Can Evaluate and Secure Vast, Complex IoT Supply Chains
In our increasingly digital world, the scope of the commercial and industrial internet of things (IoT and IIoT) is expanding across all verticals for a wide range of use cases. As CIOs are called upon to drive business growth and transformation, IoT systems, devices, and sensors are becoming vital to enhancing customer and employee experiences, reducing operational costs, improving productivity, and achieving corporate environmental, social, and governance (ESG) goals. A new Worldwide Internet of Things Spending Guide released by IDC estimates that investments in IoT will surpass $1 trillion in 2026. An increasing number of IoT endpoints and applications are connecting and communicating over global networks, including corporate LANs.
At the same time, consumer IoT is rapidly expanding with new wearables, smart home gadgets, and entertainment devices that often reside on the same home networks employees use for remote work and for accessing corporate IT systems. These devices are also regularly accessed from the workplace via corporate networks or brought to the office as part of bring-your-own-device (BYOD) initiatives.
Growing IoT Ups Vulnerability Risk
Widespread IoT adoption creates more entry points into corporate networks, inherently expanding the cyberattack surface. The specialized nature and limited computational ability of IoT devices hamper the integration of adequate security measures, leaving the devices highly vulnerable. As more vendors enter the burgeoning and competitive IoT market, many strive to keep prices down by using lower-cost, third-party components and free and open-source software, which carry a greater risk of gaps in poorly written or undermanaged code.
According to the 2023 Open Source and Risk Analysis Report from Synopsys, the percentage of open-source code in code bases has grown significantly across all verticals since 2018. The analysis found that more than 60% of all open-source code examined in the aerospace, aviation, automotive, transportation, logistics, energy and clean tech sectors contained high-risk vulnerabilities, with similar findings, at only slightly lower rates, across all other industries.
High-risk vulnerabilities in IoT-related code bases have jumped 130% over the past five years. One notable consequence was the 2021 IoT attack on surveillance vendor Verkada that compromised the security feeds of approximately 150,000 IoT security cameras, including those of leading tech companies, hospitals, schools and public agencies. According to analysis from Check Point Research, in the first two months of 2023 an average of 54% of organizations were targeted by attack attempts against IoT devices almost every week, with an average of almost 60 such attacks per organization per week: 41% higher than in 2022, and more than triple the number of attacks from two years ago.
While the business benefits of IoT are significant, CIOs and IT executives looking to leverage the technology to transform their businesses must ensure that the IoT systems, devices and sensors they procure have built-in security protection. Vulnerabilities in IoT devices allow hackers to deploy malware, botnets or ransomware that can disrupt business continuity, devastate consumer confidence and cause substantial financial losses for corporations. According to a recent Cybersecurity Ventures report, the global annual cost of cyberattacks is predicted to top $8 trillion this year, primarily due to the expanded IoT attack surface. The rise in cyberattack attempts is also being driven by factors such as easier access to malware, economic constraints, staff shortages and geopolitical conflicts. Cybercriminals increasingly view IoT devices as low-hanging fruit that can be easily accessed and exploited.
Securing the IoT Supply Chain Is Essential
Government and industry initiatives are underway to address IoT security. The U.S. IoT Cybersecurity Improvement Act of 2020 sets minimum security standards for IoT devices used by the federal government. In 2021, Executive Order 14028 directed the National Institute of Standards and Technology (NIST) to initiate pilot programs to educate the public, leading to the July 2023 announcement of the U.S. Cyber Trust Mark program, which aims to improve the cybersecurity of network-attached consumer devices through a set of baseline requirements such as strong password protection, data encryption, and the ability to perform software updates. Across the pond, the U.K. government enacted the Product Security and Telecommunications Infrastructure (PSTI) Act, which requires all manufacturers, importers and retailers to ensure IoT devices meet required security standards before going to market. A proposed EU Cyber Resilience Act (CRA) also aims to protect consumers and businesses purchasing or using any products or software with a digital component.
While these efforts are a step in the right direction, they focus primarily on apparent vulnerabilities: education and awareness, device identification (e.g., vendor, model number, firmware version), eliminating default passwords, protecting private data, and ensuring automatic software updates and patches. The reality, however, is that IoT systems and devices comprise hardware and software components and subcomponents from a growing number of suppliers and locations worldwide across a vast, complex supply chain. That means even a reputable vendor may not be aware of compromised components and subcomponents, especially if a device functions as expected.
IoT security requires addressing all aspects of product development deep within the complex supply chain. CIOs and IT executives must ensure that their IoT vendors have prioritized security alongside functional requirements across hardware and software development life cycles. This includes identifying and tracking the diverse origin of all component and subcomponent assets, scanning for free and open-source software, maintaining code content reports, ensuring third-party open-source compliance among all suppliers, and implementing risk assessment and mitigation processes. Vendors should also have set procedures and tools to continually scan for vulnerabilities after products are released and provide immediate reporting and remediation, such as software patches and updates, to quickly restore adequate levels of security and prevent adversely impacting their customers’ business operations.
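The component tracking and post-release vulnerability scanning described above are easiest to see in code. The following is an added example, not code from the original article or from TIA or SCS 9001: a minimal inventory check that cross-references a constructed SBOM-style list of one device's firmware components against a constructed advisory list, flagging components within an advisory's affected version range, components whose supplier (origin) was never recorded, and components with no license record. Every component name, version, supplier and advisory identifier is made up for illustration; real advisories would carry CVE identifiers and richer version-range semantics.

```python
"""Added example (not from the original article): cross-check a constructed
SBOM-style component inventory against a constructed advisory list."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Component:
    """One hardware or software component as recorded in the device inventory."""
    name: str
    version: str
    supplier: Optional[str] = None   # None means the origin was never recorded
    license: Optional[str] = None    # None means no code-content/license record


@dataclass(frozen=True)
class Advisory:
    """A vulnerability notice: installed versions below fixed_in are affected."""
    advisory_id: str
    component: str
    fixed_in: str


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version into a comparable tuple: '1.4.2' -> (1, 4, 2)."""
    return tuple(int(part) for part in version.split("."))


def is_affected(component: Component, advisory: Advisory) -> bool:
    """True when the advisory names this component and the installed version predates the fix."""
    return (component.name == advisory.component
            and parse_version(component.version) < parse_version(advisory.fixed_in))


def assess(inventory: List[Component], advisories: List[Advisory]) -> Dict[str, list]:
    """Return findings grouped by category: vulnerable, unknown_origin, missing_license."""
    findings: Dict[str, list] = {"vulnerable": [], "unknown_origin": [], "missing_license": []}
    for component in inventory:
        for advisory in advisories:
            if is_affected(component, advisory):
                findings["vulnerable"].append(
                    (component.name, component.version, advisory.advisory_id))
        if component.supplier is None:
            findings["unknown_origin"].append(component.name)
        if component.license is None:
            findings["missing_license"].append(component.name)
    return findings


# Constructed sample inventory for a hypothetical camera firmware image.
INVENTORY = [
    Component("tiny-http", "1.4.2", supplier="ExampleSoft Ltd", license="MIT"),
    Component("tls-lite", "2.16.1", supplier=None, license=None),  # origin and license unrecorded
    Component("shell-utils", "1.31.0", supplier="VendorX", license="GPL-2.0"),
]

# Constructed advisories with placeholder identifiers (not real CVEs).
ADVISORIES = [
    Advisory("ADV-EXAMPLE-0001", "tiny-http", fixed_in="1.5.0"),
    Advisory("ADV-EXAMPLE-0002", "shell-utils", fixed_in="1.30.0"),  # already fixed in 1.31.0
]


def format_report(findings: Dict[str, list]) -> str:
    """Render findings as one line per issue, for a vendor's remediation queue."""
    lines = []
    for name, version, adv in findings["vulnerable"]:
        lines.append(f"VULNERABLE   {name} {version} affected by {adv}; patch before deployment")
    for name in findings["unknown_origin"]:
        lines.append(f"NO ORIGIN    {name}: supplier not recorded; provenance cannot be verified")
    for name in findings["missing_license"]:
        lines.append(f"NO LICENSE   {name}: no code-content/license record; compliance unverified")
    return "\n".join(lines) if lines else "No findings"


if __name__ == "__main__":
    print(format_report(assess(INVENTORY, ADVISORIES)))
```

Run against the constructed inventory, the script reports tiny-http as affected by ADV-EXAMPLE-0001 and tls-lite as lacking both an origin and a license record, while shell-utils passes because its installed version already includes the fix. The same loop, fed a vendor's real SBOM and a live advisory feed, is the post-release scanning the paragraph above asks vendors to keep running.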
Attaining Reassurance With the Right Requirements
For decades, the information and communications technology industry has relied on standards from various standards bodies, including the Telecommunications Industry Association (TIA), to ensure the quality, performance, interoperability, and security of networks, applications, and devices. In early 2022, TIA published the first-ever global Cybersecurity and Supply Chain Security Standard (SCS 9001) to verify that networks and their supporting hardware and software components and subcomponents meet critical security benchmarks that mitigate the risk of cyberattacks. The standard includes operational process criteria to ensure that vendor corporate policies and procedures inherently deliver secure products and services. The requirements laid out in SCS 9001 can also be used to evaluate IoT devices and vendors, and they complement works focused on IoT operational security such as NIST IR 8425, CTA ANSI/CTA-2088, and ETSI EN 303 645.
Stipulating compliance with a globally accepted standard like SCS 9001 (which applies to the vast IoT supply chain, including designers, manufacturers, suppliers, retailers, network operators, service providers and systems integrators) allows CIOs and IT executives to gain the trust and confidence in their vendors needed to make informed risk management decisions. It reassures them that their vendors' IoT systems, devices and sensors have been assessed for risk and can be safely purchased and deployed "out of the box" without compromising their business.