IoT Security: Trends, Challenges & Best Practices

People all over the world use IoT devices for privacy-sensitive tasks ranging from internet browsing to remote monitoring of personal assets. Just how many people? Well, as estimated 15 billion IoT devices are in use globally today. And that’s expected to double to 30 billion (!) devices on the internet by 2023.

And that’s why IoT security is serious topic. Let’s take a look at this concern — affecting billions of users around the world that interact or consume services with or using IoT devices.

Securing the Internet of Things

IoT devices collect and communicate sensitive information on end-users. Depending on the industry vertical, organizations using IoT devices to deliver a digital service are subject to a variety of privacy and security regulations.

The primary objective of IoT security is to preserve the integrity, confidentiality and security of the data, systems and users interacting with these devices. Any and all security attributes apply on three levels of the technology stack:

  • Tier 1: Low-level hardware or perception stack that involves data collection and measurement.
  • Tier 2: Networking and communication layer stack that is involved in transmitting data and communicating to external devices.
  • Tier 3: The stack involved in interfacing and integrating with external services. 

Considering that most IoT devices operate as endpoint devices for data collection in the first tier, they are designed to perform simplified tasks at scale. Naturally, any security loophole or defect at this level opens the door to cybersecurity threats at a minimum, or worse, a large-scale attack.

(The first step to securing the IoT is monitoring it.)

Trends in IoT cybersecurity

How big is that threat and what makes IoT security so important? Let’s take a quick look at the stats:

  • The cybersecurity market: from $3.35 billion in 2022, the IoT cybersecurity market is expected to grow by over 26% CAGR annually, to reach over $13 billion over the next five years.
  • Digital wave: 16% of homes are classified as smart homes with the prevalence of advanced AI-driven voice-assistant devices, automation and security systems.
  • Industrial Digital Transformation: Industrial Internet of Things (IIoT) is leading investment trends by contributing over $100 billion to the global economy.

Security challenges for the IoT

Let’s evaluate IoT security challenges from a viewpoint of IoT architecture, digital transformation and usage trends:

IoT as dumb terminals

Although a collection of IoT devices is used to discover hidden insights and unique patterns in complex real-world systems, the functionality of a single endpoint device tends to be simple, such as taking a measurement at repetitive intervals. This means that the underlying hardware and software system is also simple and not designed for any complex operation.

Exploiting a known vulnerability in these devices may not require sophisticated hacking capabilities but the damages can affect many devices.

(Learn about endpoint monitoring.)

IoT as highly distributed and heterogeneous technologies

Due to the significant distribution of IoT devices, devices likely do not comply with universally acceptable security standards and best practices. This opens the door for security vulnerabilities.

User awareness and IoT

End-users may not be adequately aware of the consequences of sharing sensitive information via IoT devices. A user may also inadvertently transmit sensitive information over the network, especially when the devices and networks are hacked to collect information without user consent and knowledge.

Cost-benefit analysis

Business organizations may be constrained by resources needed to periodically assess, monitor and upgrade IoT devices for security improvements. Conversely, cybercriminals may exploit simple security vulnerabilities with off-the-shelf malware sold on the dark web.

An important perspective here is that the cost savings from postponing a security update that temporarily disrupts IoT network operations is far outweighed by an IoT network intrusion resulting from vulnerable IoT devices.

Market competition and IoT Security

Many business organizations use real-time information that serves as a key competitive differentiation. In doing so, they may stretch the boundaries of user-privacy expectations and regulations.

Privacy by design vs IoT Security

The exact thing that makes IoT devices great — they’re designed to collect information continuously and ubiquitously— is also what makes them reliable cybersecurity targets.

Unlike personal smart devices, such as laptops and smartphones that are protected by multiple layers of security at the hardware, software and operating system level, IoT devices are always on and can be accessed from anywhere given access authorization.

In the case of IoT devices as dumb terminals, access controls may be limited to pin codes or network protocol verifications by interacting with external services. The endpoints themselves may not be equipped by the necessary features to enable privacy and security by design.

IoT Security best practices

To develop secure IoT systems, business organizations must reconsider a variety of controllable factors pertaining to IoT security.

First, consider the heterogeneous and distributed nature of IoT devices. Across all three tiers of the IoT technology stack – machine-level hardware; network communications; and service interfacing – should conform to the industry-proven security best practices and applicable security regulations.

Secondly, IoT data should be regulated by strict authentication and access controls, following the principle of least privilege access.

And perhaps most importantly, consider how you secure

  • Data at source, by enforcing strong access controls and regularly updating firmware for security performance improvements.
  • Data in transit. using strong encryption schemes, for instance.

(Read more about cyber hygiene and defensive & offensive security strategies.)

What is Splunk?

This posting does not necessarily represent Splunk's position, strategies or opinion.

Muhammad Raza
Posted by

Muhammad Raza

Muhammad Raza is a technology writer who specializes in cybersecurity, software development and machine learning and AI.