Smart homes, connected cars, and smart watches: these are examples of consumer-focused devices in the Internet of Things (IoT). But the Internet of Things extends beyond consumer use as new technologies are implemented in industrial settings and critical infrastructure.
With the continuing development of the Internet of Things come new attack surfaces and cybersecurity risk directly related to the IoT.
What is the Internet of Things?
The Internet of Things refers to the system of connected devices that share data across networks. These devices offer convenience to the everyday user and efficiency optimization in commercial or industrial applications. As such, many individuals and organizations seek the functionality offered by IoT technology.
IoT technology includes both consumer-oriented devices and applications, as well as industrial Internet of Things tools. Examples of IoT devices include the following:
- Smart home devices, such as IoT-enabled appliances, virtual assistants like Google Home and Amazon Alexa, smart thermostats, lighting systems, speaker systems, and wifi-enabled smart locks
- Wearable devices, such as smart watches, fitness trackers, Bluetooth devices
- Industrial devices like IoT sensors, smart meters, and connected grids that require industrial control settings
- Healthcare devices in the Internet of Medical Things like glucose sensors, infusion pumps, and other wireless clinical wearables
Some infrastructure deploys edge computing in the IoT for faster response times and increased operational efficiency. In many circumstances, IoT devices can be managed through endpoints available on mobile devices, though some practitioners opt for dedicated IoT routers. These technologies are still developing and novel uses for the IoT may soon be ubiquitous among households.
As these technologies develop, so do the regulatory requirements that protect against potential risks.
Regulatory guidance for IoT networked devices
Like any extended network infrastructure, the Internet of Things introduces new attack vectors and security risks. To accommodate this shifting risk landscape, governments and lawmakers around the globe have developed new regulations to establish standards and set expectations around the use of IoT devices.
Though legal standards and compliance regulations for the Internet of Things are still developing, some existing guidelines include the following:
- The European Union's General Data Protection Regulation (GDPR)
- The EU Cybersecurity Act and currently proposed Cyber Resilience Act
- The NIS Directive 2
- The UK Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023
Guidelines specific to the United States include:
- The Internet of Things Cybersecurity Improvement Act of 2020
- Executive Order 14028 on Improving the Nation's Cybersecurity (2021)
- The US Federal Trade Commission's 2015 staff report on Privacy & Security in a Connected World
- NIST IR-8228 on Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks and IR-8259 on IoT Device Cybersecurity Capability Core Baseline
- Recommended Criteria for Cybersecurity Labeling for Consumer IoT Products
- Homeland Security's (DHS) Securing the Internet of Things
- The California Internet of Things Security Law (Senate Bill 327)
- Oregon's House Bill 2395
While each law or recommendation differs in its exact guidance, overall these regulations intend to improve cyber resilience among IoT networking and protect personal information associated with IoT devices. IoT-based security measures help your organization prevent vulnerabilities and other security issues that could disrupt operations.
IoT security risks
The threat landscape for your IoT system may vary, depending on your industry, security policies, and connected devices. Cyber threats that lead to IoT attacks are likewise dependent on attack vectors unique to your profile.
Common security issues and cyber risks include the following:
- Lack of encryption: Because many IoT devices do not encrypt data by default, any information transmitted between IoT devices remains vulnerable to eavesdropping. If your IoT network transmits sensitive data (as is the case for many industrial, critical infrastructure, and healthcare settings), then the data exposure can be catastrophic.
- Insecure ecosystems: If the interface is insecure and the organization has not deployed physical hardening to limit access, then devices remain subject to malware and other cyberattacks. Implementing both physical and digital security controls is paramount with IoT devices. Controls include device management and data protection.
- Authentication issues: Weak authentication, such as weak passwords or a lack of multi-factor authentication, provide avenues of exploitation to attackers. Hackers and botnets can brute force simple and default passwords to gain access to the IoT network.
- Denial-of-service attacks: A denial-of-service (DoS) attack (and its corollary in distributed denial-of-service attacks known as DDoS attacks) disrupts the functionality of devices. If your IoT network is not secured and can receive data transmission from anywhere, then cybercriminals may leverage botnets to overwhelm your system by crashing the IoT devices.
- Device theft: Whether by obtaining the physical device or by spoofing it, attackers may leverage your device to gain access or persistence on your system. Device theft can also lead to data exfiltration and data breaches.
- Firmware exploits and software vulnerabilities: Attackers target known vulnerabilities to disrupt service or gain access to the system. Network segmentation of your IoT devices can help prevent attackers from gaining a foothold in your more valuable systems. Install software updates promptly to prevent attacks due to known security vulnerabilities.
- Ransomware: Ransomware attacks block access to the system. If your IoT devices are necessary for critical use cases, this attack can prevent your network and operating systems from functioning to full utility.
Preventing IoT security threats necessitates thoughtful application of security features and control measures.
How to improve your IoT network security
Whether you need to strengthen your network due to regulatory changes or simply because you want to prevent reconnaissance by potential attackers, you can take action for a more secure IoT network with the following security measures.
1. Assess IoT risks
Adding new hardware and software to your network requires an awareness of potential risks that could be introduced. In a business environment, procurement personnel can partner with the security team to ensure any new devices and software entering your supply chain receive a thorough risk assessment. This initial review and any subsequent assessments negotiated as part of a third-party IoT service provider's contract should follow best practices outlined in your Third-Party Risk Management policy.
Related: How to Perform a Cybersecurity Risk Assessment
2. Map your IoT network
Maintain a network map of your IoT connected devices, particularly if your organization uses those devices to share data for predictive maintenance. Visibility and device management systems ensure that no IoT devices are unmonitored or untracked, thus helping you maintain awareness over your entire attack surface.
When you know each device in the network and how they communicate with each other, you can keep track of the data packets and any atypical behavior. For industrial IoT ecosystems, abnormalities in any data or energy consumption should be evaluated immediately.
3. Segment your IoT network
Consider implementing network segmentation for your IoT devices. Creating a separate network for IoT technology ensures you can track behavior across connected devices and contain any threats introduced through your IoT toolchain. Separating your IoT connected devices can also improve data privacy and overall functionality across your networks, as you can allocate only the required resources and permissions to the IoT network.
Related: Top recommended practices for network segmentation
4. Require authentication to access IoT network
Once segmented, set access control measures for the IoT network. Access management protocols mean that hackers cannot achieve unauthorized access of the network, ensuring device security across your IoT surface and secure data storage for information that your IoT devices share. Network access controls determine who has access to data, as well as what validation measures are required to connect to the network.
Related: What is Privileged Access Management?
5. Implement alerting on your IoT network
With real-time alerting across your networks, you remain informed about any unexpected behavior. If you separate your IoT network from the rest of your infrastructure, you can also set up specific alert triggers for just that IoT network. There are a variety of automation tools available to notify your organization, as well as various integration options to ensure that information flows directly to your communication channels. A continuous monitoring security solution tracks behavior and security issues so that your notification system can triage alerts.
How UpGuard can help
With UpGuard, you can perform continuous monitoring for your external attack surface with BreachSight and for your third-party vendor ecosystem with Vendor Risk. UpGuard scanning includes techniques that use standardized and publicly accessible network-based protocols to query hosts across a variety of categories. UpGuard's scanning process identifies the following IoT ports that should be reviewed:
- 'AMQP' port open
- 'CoAP' port open
- 'MQTT Broker' port open
- 'OPC UA' port open
The Advanced Message Queuing Protocol (AMQP) is sometimes used for IoT hubs to direct communications. AMQP is widely compatible with many clients, though it is not deployed for IoT as frequently as MQTT. AMQP typically uses port [.rt-script]5671[.rt-script], which should be closed if not in use by your organization. If you use AMQP for your IoT hub, access to the service should be restricted behind a firewall or virtual private network (VPN) to ensure it cannot be accessed publicly.
The Constrained Application Protocol (CoAP) supports machine-to-machine communication for resource-constrained devices, such as those used in the Internet of Things. CoAP provides efficient integration with the web for IoT devices with low memory or power supply. Built on the User Datagram Protocol (UDP), CoAP uses small byte payloads. By default, CoAP uses port [.rt-script]5683[.rt-script], though it can also be used for [.rt-script]coaps[.rt-script] on port [.rt-script]5684[.rt-script]. The latter includes Datagram Transport Layer Security (DTLS), which adapts the Transport Layer Security (TLS) protocol for privacy in UDP communications. CoAP does not offer encryption or authentication, so using [.rt-script]coaps[.rt-script] with DTLS ensures any CoAP data will be encrypted. If you are not using CoAP for device communications, close the port.
MQTT, originally known as the Message Queue Telemetry Transport, offers a lightweight machine-to-machine messaging protocol. The MQTT broker provides bi-directional message routing and stores information about client devices. MQTT uses port [.rt-script]1883[.rt-script] by default and port [.rt-script]8883[.rt-script] for encryption. If you do not use MQTT for device communications, close the port. If it is explicitly required, access should be restricted to authorized IP addresses and authenticated with a secure VPN.
The OPC UA (Open Platform Communications Unified Architecture) provides machine-to-machine communication for automation and the Internet of Things (IoT). The OPC UA uses port [.rt-script]4840[.rt-script] by default, which should be closed to the internet.
Current UpGuard users can access their Risk Profile in BreachSight to assess whether any of the database findings referenced in this article are impacting their organization. For more information about other services UpGuard identifies through port scanning, see our support article on What services does UpGuard identify with port scanning.
