- Security breaches are expensive and with the Internet of Things, threats will increase.
- IoT devices can have problems with lack of protocols and unauthorized access.
- Comprehensive security measures must consider a multitude of factors.
- No unified hardware protocols; software bugs
- Lack of data protection; sensors can be hacked
- Transport of data may have no encryption
- Apps have problems with data privacy and theft
- Network lacks data integrity; unauthorized access via firmware
- Factory-set passwords may be insecure and can be hijacked
IoT devices also differ depending on their application regarding firmware, connectivity and whether they automatically update.
Security must address three layers:
- Applications. Software used to analyze collected data
- Infrastructure. Wired and wireless technology, operating systems
- Devices. Sensors, cameras, identification tags, mobile phones
There are many factors to consider: protocols, access control, encryption management, network security, source code review, data protection, privacy guarantees, regulatory compliance, certification, audits and security assessment. These include:
- Consider IoT on the same level as IT and monitor your IoT systems for abnormal behavior
- Monitor all applications with access to data and make sure systems are secure
- Create specific access controls for all users and limit access to the systems they use
- Assign a unique ID to each person and authenticate access to systems
- Include well-defined IT security requirements in all vendor contracts
- Continuously educate and train your users on best practices, including passwords
- Collect detailed logs on all systems and applications that have no internal logging
- Maintain security patches for all software and hardware with up-to-date anti-malware signatures
- Monitor activity to verify that users are following security practices
- Make sure your IoT systems have remote access session monitoring and authentication to servers
- Conduct ongoing vulnerability scans to help find unpatched systems and holes
- Make sure all backups are thoroughly protected and encrypted, and that they're frequently updated
- Create strong passwords (long, complex and fully unique); use two-factor authentication
- Prohibit employees from using passwords on other accounts and sharing with each other
- Change default passwords for IoT devices immediately; they're easily found on the internet by hackers.
If you're still hacked, create an incident response plan to limit damage from data breaches and include session replay on event logs.
For additional information, see the National Institute of Standards and Technology's Computer Security Resource Center. The Baldrige Cybersecurity Excellence Builder is a self-assessment tool to help organizations improve their cybersecurity risk management efforts.