IoT Security: Understanding the Growing Attack Surface


Safeguarding the Internet of Things (IoT) devices and networks have become the subject of scrutiny after many high-profile hacks have emerged in the media. In all cases, common IoT devices were used to infiltrate and attack the larger network.

A massive botnet attack lasting 13 days in duration occurred in April of 2019 – the attack featured firepower from over 400,000 IoT devices going after a targeted company in the entertainment industry. At one point, the botnet produced more than 292,000 requests per minute and was an application-layer attack because it targeted the company's web services. This was a costly endeavor to clean up and is more proof of the vulnerabilities of endpoints in networks.

Allowing devices to connect to the Internet opens them up to a wide variety of security risks that need to be managed accordingly. Implementing security measures on endpoints such as IoT devices is critical to ensuring the overall security of the underlying network and the organization as a whole.

“The security protecting IoT devices has lagged behind the hackers’ ability to penetrate them. Criminals can remotely control smart devices, disrupt the power grid, or interrupt industrial controls, for example. A compromised IoT device can serve as a springboard for an attacker to enter the network and steal or destroy sensitive information,” according to Larry Lunetta, Vice President of Security and Wireless LAN Marketing, Aruba.

There are several challenges to overcome when securing enterprise-connected IoT devices.

The first challenge is that having visibility into the flood of devices that have come aboard the network. This can include the connection of legacy assets that are not formally designed for IoT connectivity, such as building control systems addressing HVAC. Replacing all the legacy technology is far too expensive, and thus many assets are retrofitted with smart sensors, but without updates and security against modern threats, the attack surface is often broadened. 

The second challenge is having the ability to put proper security controls in place. This means discovering devices and then enforcing access control policies that treat devices in a way that enables them to function within the rules and keeps their productivity high. Device classification at the network edge is a key component of control, and having the capability to assess and reach all connected devices is another. Because devices are constantly changing, an organization must be able to adapt IT access policies when new conditions, threats, and vulnerabilities are presented.

A final challenge is scaling security to meet the growth of IoT devices through automation and orchestration. No IT staffer has the time to watch alerts on a network or manually check each device that connects. Having control through the automated application of wired and wireless policy enforcement ensures devices have the appropriate level of access based on their function and business need. At the same time, real-time attack response and enforcement are critical in the event a device is compromised or acting in an anomalous fashion.

This expanded IT attack surface and a constantly evolving network supporting the IoT means organizations not only need a secure network foundation, but also the right tools for additional visibility and control. Aruba’s ClearPass is designed for better device visibility through discovery and profiling with ClearPass Device Insight and manage an entire set of access control use cases that includes wired, wireless, guest and BYOD connectivity, to policy-based remediation and attack response.

Examining the IoT Security Gap
To better understand the perceived challenges of securing IoT and how IT security professionals expect to deal with those challenges, Aruba partnered with the Ponemon Institute who surveyed 3,866 IT and IT security practitioners in Asia-Pacific, EMEA, and North America, and found that:

  • Less than 25 percent of Ponemon survey respondents believe IoT devices are secure
  • 66 percent say they have little or no ability to secure IoT devices
  • 60 percent believe even simple “things” pose a threat

“IoT devices are unique in that they cannot be secured like traditional endpoints. They have little to no security built-in, and many perform sensitive, business-critical functions within the organization.  This makes applying the right level of security controls critical,” said Paul Kaspian, Senior Solutions Marketing Manager for Aruba.

The Ponemon study also explored IT professionals’ preferred approaches to secure IoT devices, and the multiple approaches the respondents identified were:

  • continuous monitoring of network traffic
  • network access control
  • closed-loop detection and response
  • peer group/anomaly detection

The business responsibility for IoT applications and devices itself may often lie with manufacturing, operations, or another business group and not within the IT department. In fact, the study shows that responsibility for IoT security has not been centralized. The CIO, CISO and CTO and the line of business were all named as responsible for IoT security. Thirty-three percent said the CIO, but interestingly, none of the other functional roles registered above 20 percent and “no function” came in third at 15 percent. This demonstrates that a major gap exists when it comes to security ownership within organizations; with an area as important as security, organizations cannot afford to let these gaps widen.

Arti Loftus is an experienced Information Technology specialist with a demonstrated history of working in the research, writing, and editing industry with many published articles under her belt.

Edited by Ken Briodagh
Get stories like this delivered straight to your inbox. [Free eNews Subscription]

Special Correspondent

Related Articles

Today's Technology Do-Gooders: FlySense Vaping and Bullying Sensor from Soter Technologies

By: Alex Passett    6/5/2023

FlySense 286 from Soter Technologies addresses educational environments' needs to keep students safer when it comes to instances of on-campus vaping a…

Read More

From Semtech and Connected Development, the XCVR Development Board and Reference Design for IoT

By: Alex Passett    6/2/2023

Based on Semtech's LoRa SX126x Series, the XCVR Development Board and Reference Design simplifies design processes and reduces time-to-market for IoT …

Read More

At the KORE of Sustainability: Actioning Environmental Improvements in IoT

By: Alex Passett    6/1/2023

For KORE, smaller packaging means a decrease in plastic carbon emissions. This is just one measure KORE is taking to improve sustainability measures i…

Read More

ESG in IoT: Semtech Furthers Commitments to Global Sustainability

By: Alex Passett    6/1/2023

Semtech recently released its inaugural Corporate Sustainability report, detailing its operational impacts and how they affect sustainably supply chai…

Read More

Laird Connectivity Sensors and Iridium Edge Solar: A Partnership for Asset Ecosystems in IoT

By: Alex Passett    5/30/2023

Iridium Communications and Laird Connectivity are integrating respective technologies to enable longer-term IoT asset tracking, monitoring and managem…

Read More