The dramatic surge of IoT devices has transformed how we interact on a day-to-day basis. From industrial sensors for environmental monitoring and asset tracking to smart home sensors for lighting and leak detection, a plethora of IoT devices connected to networks are helping drive innumerable benefits for users. While the benefits of IoT are undeniable, security remains a primary concern for individuals and businesses. This week on the blog we interview cybersecurity expert, Dick Wilkinson to provide insight on risks, prevention and predictions surrounding IoT security.

What is IoT security and what industries are most vulnerable to security threats?

I define IoT security as the process of making sure smart or connected devices only do what you want them to do, and they always work when you expect them to work. If you can achieve that, then you have secured your IoT devices. Of course, that is much easier said than done, even simple devices can harbor multiple serious threats to your overall network or environment.

Every industry is at risk from IoT threats. The highest risk of a headline grabbing catastrophic failure exists in the critical infrastructure and medical fields. The most vulnerable, meaning likely to be attacked, products are the more accessible devices like home consumer or smart city devices that sit out in the open to collect information or provide surveillance through data and sensors. The risk from smart devices exists on a fluid spectrum and each use case presents unique threats with a different risk profile, even if the device itself is not changed from scenario to scenario.

What are the biggest security challenges in an IoT deployment?

People worry about the high number of devices and assume asset identification and management will be the hardest challenge. I would argue that monitoring and inspecting the traffic from these devices to know when you have an anomaly is a much harder and more valuable to challenge to take on. Identifying anomalous, and possibly threatening, behavior from 200 devices is harder than just keeping track of them and where you put them.

What steps can companies take to better protect their IoT systems and devices?

My suggestion is to make a detailed deployment or use plan and identify all of the capabilities and possible configuration options of your new device(s). Do not take the device out of the box and immediately put it in service on your production environment. Just because the device is simple or serves a simple function does not mean that it is secure by design. Security features may exist and be disabled by default to ensure your new tech works easily the first time. Check every configuration option and disable functions or features you know you don’t need. Every input on the device is a possible attack vector, don’t leave open doors to your network, even if the doors are tiny or invisible.

How can companies better communicate their IoT security efforts to reassure stakeholders?

Right now, most stakeholders will be satisfied to know you are even thinking about security around your IoT devices. IoT security has been neglected and too much trust has been offered to these devices. Being aware that smart devices pose new risks and being able to communicate how you are assessing those risks is probably a great starting point to reassure any kind of stakeholder.

What predictions do you have for IoT security in the next 3-5 years?

IoT use is already exploding in almost every industry. I believe the trust that consumers have offered to these devices is quickly fading away. Both product consumers and government regulators are increasing scrutiny of smart devices and new cybersecurity standards will be published very soon. The market appeal of selling verified secure products and the government drive to regulate security into the production of smart devices will help drive down the risk of using IoT. Product verification for cybersecurity threats, not just functionality or safety, will become a standard requirement to enter the market with a new IoT product. Consumers will not tolerate insecure devices existing on the market 3-5 years from now.