“Standards to Secure the Sensors That Power IoT”
Communications of the ACM, June 2023, Vol. 66 No. 6, Pages 14-16
By Logan Kugler
“Yet as IoT adoption increases, IoT sensors and devices also are becoming more popular targets for cybercriminals.”
The use of Internet of Things (IoT) sensors has exploded in popularity in recent years as cheap, effective IoT sensors make it possible to connect devices that do everything from regulating smart home features to monitoring health and fitness using wearable devices.
IoT sensors also are increasingly making their way into business use-cases. In the industrial IoT, sensors are used in many different contexts, including to control and monitor machinery and to regulate core infrastructure systems.
IoT device and sensor usage has accelerated even more with advances in 5G connectivity and the shift to remote work, says Willi Nelson, chief information security officer for Operational Technologies at Fortinet, a cybersecurity firm. In fact, the number of IoT devices in use is projected to nearly triple to 29 billion in 2030 compared to 9.7 billion today, according to data from Statista.
Yet as IoT adoption increases, IoT sensors and devices also are becoming more popular targets for cybercriminals.
“They remain a prime target of cybercriminals as a fast path to gain access to enterprise networks,” says Nelson. Fortinet found 93% of companies using IoT sensors in some capacity had one or more cybersecurity intrusions in the past year. A full 78% had experienced three or more, and these attacks increasingly are targeting industrial IoT operations, too.
That is because IoT is a fundamentally different technology than existing systems—a technology with plenty of attack surfaces. Each sensor and device connected to an IoT network presents a possible security risk, opening up an attack vector into an individual or company’s hardware, software, and/or data.
In theory, IoT security standards are supposed to mitigate cybersecurity risks by encouraging companies to follow best security practices when designing and deploying IoT sensors and devices.
However, in practice, the standards available to manufacturers and companies using IoT technology do not always offer sufficient protection, are not always designed specifically for IoT, and are not always followed.
Despite the vulnerability of IoT devices, quite shockingly, there is no single standard for IoT security.
A Vulnerable Internet of Things
The issues with IoT sensor standards have larger implications for the overall security of the Internet of Things.
“The Internet of Things is very vulnerable in comparison with other categories of information systems,” says Alsmadi, because so many IoT applications are publicly visible and can be remotely controlled.
These vulnerabilities become even more pronounced as the adoption of IoT grows, especially as the industrial Internet of Things becomes a growing attack vector.
“The biggest change in operational technology systems over the past decade is that they have recently become more vulnerable to attacks from the outside as they are moving away from isolated, air-gapped environments and embracing more automation and digitally connected devices and systems,” says Fortinet’s Nelson.
Industrial IoT devices often run on hardware with little or no management interface and often are not able to be upgraded in the field. Physically, IoT devices in industrial use-cases frequently are installed in hard-to-reach or publicly inaccessible places (such as on top of a building). As such, they must be able to operate unattended for long periods and be resistant to physical tampering, he says.
About the Author:
Logan Kugler is a freelance technology writer based in Tampa, FL, USA. He is a regular contributor to Communications and has written for nearly 100 major publications.
- 2022 State of Operational Technology and Cybersecurity Report, Fortinet, Jun. 21, 2022
- IoT Standards and Protocols Explained, BehrTech
- Number of IoT connected devices worldwide 2019–2021, with forecasts to 2030, Statista by Vailshery, L., Nov. 22, 2022