IoT Security: Understanding the Growing Attack Surface


Safeguarding the Internet of Things (IoT) devices and networks have become the subject of scrutiny after many high-profile hacks have emerged in the media. In all cases, common IoT devices were used to infiltrate and attack the larger network.

A massive botnet attack lasting 13 days in duration occurred in April of 2019 – the attack featured firepower from over 400,000 IoT devices going after a targeted company in the entertainment industry. At one point, the botnet produced more than 292,000 requests per minute and was an application-layer attack because it targeted the company's web services. This was a costly endeavor to clean up and is more proof of the vulnerabilities of endpoints in networks.

Allowing devices to connect to the Internet opens them up to a wide variety of security risks that need to be managed accordingly. Implementing security measures on endpoints such as IoT devices is critical to ensuring the overall security of the underlying network and the organization as a whole.

“The security protecting IoT devices has lagged behind the hackers’ ability to penetrate them. Criminals can remotely control smart devices, disrupt the power grid, or interrupt industrial controls, for example. A compromised IoT device can serve as a springboard for an attacker to enter the network and steal or destroy sensitive information,” according to Larry Lunetta, Vice President of Security and Wireless LAN Marketing, Aruba.

There are several challenges to overcome when securing enterprise-connected IoT devices.

The first challenge is that having visibility into the flood of devices that have come aboard the network. This can include the connection of legacy assets that are not formally designed for IoT connectivity, such as building control systems addressing HVAC. Replacing all the legacy technology is far too expensive, and thus many assets are retrofitted with smart sensors, but without updates and security against modern threats, the attack surface is often broadened. 

The second challenge is having the ability to put proper security controls in place. This means discovering devices and then enforcing access control policies that treat devices in a way that enables them to function within the rules and keeps their productivity high. Device classification at the network edge is a key component of control, and having the capability to assess and reach all connected devices is another. Because devices are constantly changing, an organization must be able to adapt IT access policies when new conditions, threats, and vulnerabilities are presented.

A final challenge is scaling security to meet the growth of IoT devices through automation and orchestration. No IT staffer has the time to watch alerts on a network or manually check each device that connects. Having control through the automated application of wired and wireless policy enforcement ensures devices have the appropriate level of access based on their function and business need. At the same time, real-time attack response and enforcement are critical in the event a device is compromised or acting in an anomalous fashion.

This expanded IT attack surface and a constantly evolving network supporting the IoT means organizations not only need a secure network foundation, but also the right tools for additional visibility and control. Aruba’s ClearPass is designed for better device visibility through discovery and profiling with ClearPass Device Insight and manage an entire set of access control use cases that includes wired, wireless, guest and BYOD connectivity, to policy-based remediation and attack response.

Examining the IoT Security Gap
To better understand the perceived challenges of securing IoT and how IT security professionals expect to deal with those challenges, Aruba partnered with the Ponemon Institute who surveyed 3,866 IT and IT security practitioners in Asia-Pacific, EMEA, and North America, and found that:

  • Less than 25 percent of Ponemon survey respondents believe IoT devices are secure
  • 66 percent say they have little or no ability to secure IoT devices
  • 60 percent believe even simple “things” pose a threat

“IoT devices are unique in that they cannot be secured like traditional endpoints. They have little to no security built-in, and many perform sensitive, business-critical functions within the organization.  This makes applying the right level of security controls critical,” said Paul Kaspian, Senior Solutions Marketing Manager for Aruba.

The Ponemon study also explored IT professionals’ preferred approaches to secure IoT devices, and the multiple approaches the respondents identified were:

  • continuous monitoring of network traffic
  • network access control
  • closed-loop detection and response
  • peer group/anomaly detection

The business responsibility for IoT applications and devices itself may often lie with manufacturing, operations, or another business group and not within the IT department. In fact, the study shows that responsibility for IoT security has not been centralized. The CIO, CISO and CTO and the line of business were all named as responsible for IoT security. Thirty-three percent said the CIO, but interestingly, none of the other functional roles registered above 20 percent and “no function” came in third at 15 percent. This demonstrates that a major gap exists when it comes to security ownership within organizations; with an area as important as security, organizations cannot afford to let these gaps widen.

Arti Loftus is an experienced Information Technology specialist with a demonstrated history of working in the research, writing, and editing industry with many published articles under her belt.

Edited by Ken Briodagh

Special Correspondent

Related Articles

United for Infrastructure Calls for America to Lead With Infrastructure: Private, Public and Labor Leaders to Speak at Multiple Events Next Week

By: Arti Loftus    5/7/2021

As the U.S. continues to roll out economic recovery investments, including potentially trillions of government funding to be allocated across all fift…

Read More

Cloud Services Fueling Formula 1 Results

By: Maurice Nagle    5/6/2021

Legacy solutions get lapped in a competitive landscape, and Zadara wants to ensure all partners can keep pace with the lead pack. Just as the cloud ca…

Read More

How Two Companies Partnered to Turn Up 70 Smart Cities in India

By: Juhi Fadia    5/3/2021

India is the global leader in IoT with over 40% market share. According to several analyst firms' predictions, the 2020-2025 CAGR will average 55%. Th…

Read More

Innovations in "Industrial Strength" Infrastructure: Preparing for the Potential to Upgrade The Physical and Digital World as the U.S. Congress Considers Massive Investment

By: Arti Loftus    5/3/2021

Last month over 75 companies virtually attended the 2021 Frontier Conference, a two-day virtual conference for up-and-coming leaders in the industrial…

Read More

ZEDEDA Introduces Kubernetes Clusters and Hardware Simplification Solution Citing Collaboration with SUSE

By: Arti Loftus    4/30/2021

Following on a series of announcements over the past few months, ZEDEDA today introduced a new Kubernetes direct integration solution designed to simp…

Read More