October 24 2023
In this article, we will explore the IoT cybersecurity challenges the industry faces and outline the recommended solutions to ensure devices are secure ‘out of the box’.
Firstly, the importance of IoT security and the impact of the new Product Security and Telecommunications Infrastructure Act 2022 (PSTI) will be presented.
Secondly, the security challenges associated with IoT devices will be demonstrated.
Thirdly, the proposed solutions to these challenges will be outlined with reference to the requirements of the new legislation.
Finally, a selection of innovative IoT cybersecurity measures (such as those regarding Blockchain technology, Artificial intelligence and Machine learning) will be explained alongside the significance of user education and awareness regarding IoT.
What is the ‘Internet of Things’ (IoT)?
Firstly, let’s understand what IoT is. It can broadly be defined as an umbrella term for all types of internet or network connectable devices. This term typically encompasses any devices that contain sensors, processing ability, software or other technologies that connect and exchange data with other users, devices or systems across a network. These devices can be split into numerous categories, such as consumer IoT, industrial IoT or commercial IoT depending on the purpose of the device, but regardless of the category all devices are considered endpoints of the internet of things.
Why is Robust IoT Cybersecurity Such A Concern?
Since its inception in the early 1990s, there has been rapid growth in the use of ‘Internet of Things’ (IoT) devices. A report from IoT Analytics showed the number of global IoT connections grew by 18% in 2022 to a total of 14.3 billion active IoT endpoints, with this number expected to rise to 16.7 billion by the end of 2023. From smart home devices like washing machines and refrigerators, to wearable technology such as smart watches and wireless headphones, to personal medical devices like pacemakers and even transportation with the emergence of autonomous vehicles – there is now an IoT device for almost every aspect of modern life.
This ever-growing list of IoT devices and the vast array of sizes, functionalities and uses make them a serious security concern. Until recently, very little attention has been placed on standardising security measures across these devices, leaving the responsibility to the manufacturer to make their devices secure. Due to this regulatory gap, there are now billions of connected devices with inconsistent security configurations that malicious actors can exploit to access private data, spread malware, or even cause tangible harm to a user or organisation.
Importance of IoT Security
Risks to the confidentiality, integrity and availability of an organisation’s data are truly endless, and unsecured IoT presents yet another attack vector that malicious actors may exploit. For example, passwords are typically the first line of defence against a hack. However, quite often, IoT devices will make use of default universal passwords that are weak and recycled across all devices. This means that unless the end user is tech-savvy enough to change the default password manually, the device will have weak and easily decipherable authentication credentials out of the box.
Malicious actors can then use straightforward password-cracking techniques to gain unauthorised access to the device and the network it is connected to. Once access is gained, a malicious actor can steal or manipulate data on the network, install any type of malware and/or disrupt any critical services provided over that network.
One example would be ransomware being installed on the device and spread throughout the network, encrypting data against the user’s wishes. Once encrypted, services associated with that data will be disrupted or completely shut down. If critical services are shut down, the impacts on users and organisations can be severe.
How Strong Security Measures Enhance User Confidence
However, by ensuring IoT devices are configured with solid security measures in mind, many of the associated risks, vulnerabilities and consequences can be mitigated or otherwise nullified entirely. For example, using a unique password for each device, encrypting all data in transit that passes through the device, ensuring software updates are automatically installed, and ensuring that only genuine, fully supported and continuously assessed software runs on the device can give devices robust security.
Robust IoT cybersecurity in a world where data breaches and the misuse of private information is rife can provide users and organisations with confidence that their devices are as secure as they can be now. Enhanced security and user confidence can only be a positive thing. Still, until recently, there has been minimal incentive to achieve this, and manufacturers have been left quite literally ‘to their own devices’ with regard to security measures.
Changing Legal Requirements Surrounding IoT Cybersecurity
This situation is now changing, and there are growing legal requirements to be met by data controllers, data processors and manufacturers of IoT devices. After the conclusion of Brexit, the UK government rolled out its new cyber strategy for 2022. It unveiled plans to improve cyber resilience with a ‘whole-of-society’ approach and to increase focus on countering cyber threats.
For example, the Network and Information Systems Regulations 2018 will soon be amended to increase its scope by including managed service providers under the regulations. Regarding IoT devices, the new Product Security and Telecommunications Infrastructure Act 2022 (hereby referred to as the PSTI) comes into force in April 2024 to reinforce consumer protection by mandating requirements for default security settings on consumer IoT devices. This new legislation is all-encompassing, and its obligations apply directly to manufacturers, importers and distributors of IoT devices in the UK.
The new PSTI requires companies to possess a “statement of compliance” to legally permit their products to be available in the UK as a consumer-connectable product (an IoT device). The statement of compliance is a document created by or on behalf of the manufacturer that conforms to the prescribed format and states that the manufacturer has complied with the applicable IoT cybersecurity requirements of the PSTI.
Importers must retain a copy of the statement of compliance and can be required to make the statement available upon request. Distributors, conversely, must satisfy themselves that a product is compliant before distributing it within the UK – essentially obligating them to ensure that a statement exists for the product before agreeing to distribute it.
While statements of compliance can be drafted by the manufacturer themselves, it makes far more commercial sense to have the product accredited on their behalf by a third-party expert under an IoT certification scheme that conforms to the requirements of the PSTI.
The importance of not only ensuring the device complies with the requirements but also that your statement of compliance is correct cannot be overstated. The PSTI bestows a vast array of powers for its enforcement body to utilise:
Firstly, a compliance notice can be issued that requires the person to whom it is given to comply with the relevant PSTI duty specified in the notice within a specified period.
Secondly, a stop notice can be issued that requires the person to whom it is given to either:
- Take specified steps
- Provide evidence of compliance
- Take steps to inform customers of risks
- Provide proof of compliance with a notice.
Finally, a recall notice can be issued that requires the person to whom it is given to make arrangements for the return of the offending products to them or another person specified in the notice.
Failure to comply with the above enforcement notices is a criminal offence liable upon summary conviction to a maximum fine of £10 million or up to 4% of the company’s worldwide revenue. The only defence available to this offence would be to show that all reasonable steps to comply with the notice were taken – which is a high threshold to meet in cases of continued noncompliance. In addition to a fine, the enforcement body can apply to the court for a forfeiture order on the entire UK stock of any non-compliant products.
Therefore, the sooner a manufacturer addresses the security concerns raised by the PSTI regarding their devices, the sooner those devices can be safely brought to market without exposing the company to liability. However, robust security measures should not be viewed as a means of avoiding liability but instead as a means of contributing to the longevity and overall success of the emerging IoT ecosystem.
By taking security seriously, opportunities for experimentation and growth within the IoT environment can be pursued without exposing the users and organisations within the environment to more risk.
IoT Security Challenges
There is a plethora of risks and vulnerabilities associated with the current IoT ecosystem and the design and manufacturing of the devices. Here is a rundown of the most common.
Diverse device landscape
Firstly, the sheer range of IoT devices available to the consumer and their differing functionalities make for a wide attack surface for malicious actors. If an actor cannot access the network directly, they will seek to exploit a device that is already connected to it. If a user has their smart TV, Amazon Alexa, smart kitchen appliances, smart lights, smart locks, smart doorbell and all their personal devices connected to the same network – every single one will have different capabilities (stemming from both its software and hardware) and accompanying security configurations. Therefore, each device presents a new opportunity for entry to the actor.
Lack of standardised security protocols
Following this, it is not difficult to see how the absence of universal security standards across different IoT platforms contributes to the risks associated with using them. The interconnected web of devices that make up the IoT ecosystem means the weaker measures of one device can significantly undermine the strong IoT cybersecurity measures of another.
For example, most of the devices connected to a network might encrypt all data in transit that passes through them, but if one device is compromised and gives a malicious actor access to the destination of that data in transit, then the encryption has achieved nothing. The same can be said for updates to a device. If the majority of devices used by a user automatically install their patch updates, then any devices that do not can go overlooked.
Inherent resource constraints
Secondly, IoT devices do not follow the mantra of “bigger is better”. Instead, the fashion for IoT devices has been to make them as small and compact as possible to allow the user to fill their day-to-day lives with devices and not feel overwhelmed. This is easy to achieve where the IoT device has limited functionality or only serves a few purposes. However, the small and compact nature of the device leaves very little processing power and memory to implement IoT cybersecurity measures, significantly hindering the use of any complex actions that might be necessary to secure the device properly.
Data privacy concerns
Finally, insufficient security measures across devices with wide functionality can expose highly personal data. For example, it is not uncommon for IoT devices to be voice-activated or have varying biometric functionality. To do this, the device must store enough of the data to enable it to be recognised and used to activate the device. If such a device doesn’t have secure storage or doesn’t encrypt data in transit and is subsequently compromised, a malicious actor now has access to aspects of a user that weren’t possible before. What they can then do with this data is only limited by their imagination.
For example, a malicious actor with hours of voice recordings of a user may splice these together and gain access to any service with voice authentication security measures – such as Santander Online Banking. Therefore, IoT devices make what was once considered highly personal and unique forms of data accessible to anyone with knowledge of it.
Standard IoT Security Solutions
Data encryption is one of the many fundamental IoT cybersecurity measures that must be implemented into devices to ensure their ongoing security. In simple terms, encryption is the act of taking information and scrambling it in such a way as to make it inaccessible to any outsider who doesn’t hold the key (encryption key) to unscramble it. Even with a very rudimentary understanding of how encryption works, we can see how its use dramatically improves IoT cybersecurity.
However, a study conducted in 2019 found that over 90% of data transactions on IoT devices were unencrypted, and around 41% of devices were found to not use TLS encryption at all. The introduction of the PSTI should see these alarming statistics improve in the coming years, and soon, all devices in the UK should encrypt data in storage and in transit.
Access controls and authentication
Robust access controls and authentication are also fundamental IoT cybersecurity measures to be implemented as standard for IoT devices. Authentication requires a device to receive the correct user information to permit access to it. This information can come in multiple forms, such as usernames and passwords, PINs, biometrics, etc., and multi-factor authentication can require a combination of these.
The better the authentication, the harder it is to access a device and, consequently, the more secure a device is. However, it has been found that around 15% of IoT devices use a universal default password readily available to anyone who purchases a device and that only around 33% of IoT users actually change the default password to something unique. A survey of these default passwords in 2021 found that almost none of them conform to any of the strong password recommendations published by the NCSC and all would be highly vulnerable to brute force and dictionary password cracking attacks. The PSTI forces devices to come out of the box with unique passwords to ensure this is no longer an issue for UK users.
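As an added example (not code from the article or from any manufacturer), the provisioning flow below shows what a unique-per-device credential looks like in practice: a random password is generated at manufacture, only a salted PBKDF2 hash of it is stored on the device, the login check uses a constant-time comparison, and candidate passwords are screened against a list of universal defaults. The default list, the serial numbers and the iteration count are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed list of universal default passwords of the kind the article
# describes; illustrative values only, not taken from any real device.
KNOWN_DEFAULTS = {"admin", "password", "1234", "12345", "123456", "default"}

# Work factor for PBKDF2-HMAC-SHA256 (assumed value). Tune it to the device's
# CPU: a constrained microcontroller may need fewer iterations, a hub or
# gateway can afford more.
PBKDF2_ITERATIONS = 200_000


def generate_device_password(nbytes: int = 12) -> str:
    """Unique per-device password created at manufacture (16 URL-safe characters)."""
    return secrets.token_urlsafe(nbytes)


def is_acceptable_password(password: str, min_length: int = 12) -> bool:
    """Reject universal defaults, short strings and near-constant strings."""
    if password.lower() in KNOWN_DEFAULTS:
        return False
    if len(password) < min_length:
        return False
    if len(set(password)) < 4:          # e.g. "aaaaaaaaaaaa" or "121212121212"
        return False
    return True


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def provision_device(serial: str) -> tuple[dict, str]:
    """Create a unique credential for one device and store only its salted hash.

    Returns the record written to the device plus the clear-text password, which
    goes on the device label for the user and is never stored with the record.
    """
    password = generate_device_password()
    assert is_acceptable_password(password)
    salt = secrets.token_bytes(16)
    record = {"serial": serial, "salt": salt, "hash": hash_password(password, salt)}
    return record, password


def verify_password(record: dict, attempt: str) -> bool:
    """Constant-time comparison so timing does not leak how much of the hash matched."""
    candidate = hash_password(attempt, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    rec, pw = provision_device("SN-0001")           # constructed serial number
    print("label password:", pw)
    print("login ok:", verify_password(rec, pw))
    print("default accepted:", is_acceptable_password("admin"))
```

Two devices provisioned this way never share a password or a salt, so a credential recovered from one unit is useless against another, which is exactly the property a universal default lacks.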
Regular software updates
Another fundamental IoT cybersecurity measure for IoT devices is the ability to automatically update themselves to the latest version of their software. Updates ensure any vulnerability patches that are made to the functioning of the device are installed and operational as soon as they are published by the provider. Vulnerabilities are constantly being identified and made known via reporting mechanisms, online blogs and feeds, articles and other publicly accessible sources.
This means that malicious actors can be just as aware of vulnerabilities as IoT manufacturers and software providers are. This problem is twofold: firstly, if an IoT provider does not provide continual support for their devices or is not party to vulnerability reporting, then a device can quickly become legacy software and remain vulnerable; secondly, if a device does not automatically update when a patch is published, the user is responsible for actioning the update – and studies have shown this isn’t performed consistently where devices don’t automatically do so. The PSTI requires organisations to provide ongoing support for devices during their lifetime and to have a clear reporting process for vulnerabilities and other bugs, with a short time frame between report and patch publication.
The PSTI also stipulates that devices should either automatically update or at the very least notify the user that an update is required. These requirements should further improve the security posture of a lot of IoT devices in the UK.
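The update behaviour described above (install patches promptly, never regress to an older version, and tell the user when the device will not update itself) can be checked mechanically before an image is written to flash. The example below is added here and is not code from the article or any vendor: it verifies a signed manifest, checks the image hash, refuses rollbacks, and decides between installing silently and prompting the user. It uses HMAC with a device-held key as a stand-in for the asymmetric signature a real firmware pipeline would use, so the key, the manifest fields and the version scheme are all assumptions.

```python
import hashlib
import hmac
import json

# Stand-in verification key (assumption). A production device would hold the
# vendor's public key and verify an asymmetric signature (Ed25519, ECDSA or
# similar) rather than a shared HMAC secret, which an attacker with the device
# in hand could extract and use to sign their own images.
VERIFY_KEY = b"constructed-example-key"


def sign_manifest(manifest: dict, key: bytes = VERIFY_KEY) -> str:
    """Vendor side: MAC over a canonical JSON encoding of the manifest."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def parse_version(version: str) -> tuple:
    """'1.4.2' -> (1, 4, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def verify_update(manifest: dict, signature: str, image: bytes,
                  installed_version: str, key: bytes = VERIFY_KEY) -> tuple[bool, str]:
    """Device side: every check must pass before the image is accepted."""
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return False, "manifest signature invalid"
    if hashlib.sha256(image).hexdigest() != manifest["sha256"]:
        return False, "image hash does not match manifest"
    if parse_version(manifest["version"]) <= parse_version(installed_version):
        return False, "refusing downgrade or reinstall of current version"
    return True, "ok"


def update_action(verified: bool, auto_update_enabled: bool) -> str:
    """Outcome in the PSTI's terms: install automatically, or at least notify the user."""
    if not verified:
        return "reject"
    return "install" if auto_update_enabled else "notify-user"


def build_example() -> tuple[dict, str, bytes]:
    """Constructed update: a fake image and its signed manifest."""
    image = b"FIRMWARE-IMAGE-v1.5.0 (constructed bytes)"
    manifest = {"model": "example-thermostat", "version": "1.5.0",
                "sha256": hashlib.sha256(image).hexdigest()}
    return manifest, sign_manifest(manifest), image


if __name__ == "__main__":
    manifest, sig, image = build_example()
    ok, reason = verify_update(manifest, sig, image, installed_version="1.4.2")
    print(ok, reason, "->", update_action(ok, auto_update_enabled=False))
```

The anti-rollback check matters as much as the signature: an attacker who cannot forge a signature can still try to replay an older, genuinely signed image that contains a known vulnerability.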
Finally, network segmentation and properly configured network interfaces are often overlooked but are also key to strong IoT cybersecurity. Network segmentation is the act of dividing a network into multiple segments or ‘subnets’ that operate like their own small networks. This allows for better control over the flow of traffic across the entire infrastructure by using tailored policies for each subnet.
From a security perspective, if one subnet is compromised, adequate segmentation will allow for that subnet to be cut off and stopped from exposing the others. In regard to network interfaces, it is important that these provide only minimal and necessary information to unauthenticated users and that background functionalities such as debug interfaces are disabled. Improperly configured interfaces can pose a security risk where a malicious actor has physical access to a device and can open hidden, background functionality using peripheral devices.
The PSTI requires devices to conform to these best practices – although segmentation is left to the user to decide what is most appropriate for their infrastructure.
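To make the segmentation point concrete, here is an added example (not from the article) of a default-deny policy between an IoT subnet, a user LAN and a management subnet, together with an audit that runs observed flows against the policy and reports which ones it would have blocked, including a connection from the internet to a device's telnet-style service of the kind a misconfigured interface exposes. The addressing plan, allowlist and sample flows are all constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing plan (assumption): one subnet per segment.
SEGMENTS = {
    "iot":  ip_network("192.168.20.0/24"),
    "lan":  ip_network("192.168.10.0/24"),
    "mgmt": ip_network("192.168.1.0/24"),
}

# Allowlist of (source segment, destination segment, protocol, destination port).
# Anything between two segments not listed here is denied (default deny), so a
# compromised IoT device cannot reach file shares or workstations on the LAN.
ALLOW = {
    ("iot",  "internet", "tcp", 443),   # cloud telemetry over TLS
    ("iot",  "internet", "udp", 123),   # NTP
    ("mgmt", "iot",      "tcp", 443),   # administrators reach device web UIs
    ("lan",  "internet", "tcp", 443),
    ("lan",  "internet", "tcp", 80),
}


def segment_of(addr: str) -> str:
    """Map an address to its segment name; anything outside all segments is 'internet'."""
    ip = ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "internet"


def is_allowed(src: str, dst: str, proto: str, port: int) -> bool:
    s, d = segment_of(src), segment_of(dst)
    if s == d and s != "internet":
        return True          # intra-segment traffic is not the segment firewall's job
    return (s, d, proto, port) in ALLOW


def audit_flows(flows):
    """Return the flows that violate the policy, each tagged with the segments involved."""
    violations = []
    for src, dst, proto, port in flows:
        if not is_allowed(src, dst, proto, port):
            violations.append((src, dst, proto, port, f"{segment_of(src)}->{segment_of(dst)}"))
    return violations


# Constructed flow log: (src, dst, proto, dst_port).
SAMPLE_FLOWS = [
    ("192.168.20.15", "203.0.113.10", "tcp", 443),    # camera to its cloud service
    ("192.168.20.15", "192.168.10.5", "tcp", 445),    # camera to a LAN file share
    ("198.51.100.7",  "192.168.20.15", "tcp", 23),    # internet to a device telnet port
    ("192.168.1.2",   "192.168.20.15", "tcp", 443),   # admin to device web UI
    ("192.168.10.5",  "192.168.20.15", "tcp", 8080),  # workstation to device
]

if __name__ == "__main__":
    for violation in audit_flows(SAMPLE_FLOWS):
        print("blocked:", violation)
```

The same allowlist translates directly into firewall rules on the router that joins the subnets; running it over flow logs first is a cheap way to see what a new policy would break before enforcing it.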
Innovative IoT Cybersecurity Measures
Looking to the future, there are a number of emerging technologies being developed that could further bolster the security posture of IoT devices out of the box.
Blockchain technology, an umbrella term for a decentralised ledger system used to record data points (for example, transactions, product inventories, identification data etc.) would bring multiple benefits to the IoT environment. Firstly, the utilisation of Blockchain to power IoT networks would allow for a distributed architecture across multiple nodes and effectively avoid single points of failure and the unavailability of data.
Secondly, the immutable nature of the blockchain also makes the records unchangeable, leaving the integrity of the data intact. Finally, data on the blockchain can be easily encrypted (asymmetric-key cryptography), ensuring its confidentiality. Overall, blockchain technology is far more secure than traditional data storage models.
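The integrity property the article attributes to blockchain comes from hash chaining: each record commits to the hash of the record before it, so altering any historical entry breaks every hash that follows. The single-node ledger below is an added illustration of that mechanism only (it is not code from the article, and it has none of the consensus or replication across nodes that a real blockchain adds); the device events it records are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64


def block_hash(index: int, prev_hash: str, payload: dict) -> str:
    """Hash commits to position, previous hash and a canonical payload encoding."""
    body = json.dumps({"index": index, "prev": prev_hash, "payload": payload},
                      sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(body).hexdigest()


def append_block(chain: list, payload: dict) -> list:
    """Append a record that commits to the current tip of the chain."""
    index = len(chain)
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    chain.append({"index": index, "prev": prev_hash, "payload": payload,
                  "hash": block_hash(index, prev_hash, payload)})
    return chain


def verify_chain(chain: list):
    """Return (True, None) if intact, else (False, index of the first bad block)."""
    prev_hash = GENESIS
    for i, block in enumerate(chain):
        expected = block_hash(i, prev_hash, block["payload"])
        if block["index"] != i or block["prev"] != prev_hash or block["hash"] != expected:
            return False, i
        prev_hash = block["hash"]
    return True, None


def build_example_chain() -> list:
    """Constructed device-event ledger (sample data, not from any real device)."""
    chain = []
    append_block(chain, {"device": "lock-07", "event": "firmware 1.2.0 installed"})
    append_block(chain, {"device": "lock-07", "event": "admin password rotated"})
    append_block(chain, {"device": "lock-07", "event": "door opened by user 3"})
    return chain


if __name__ == "__main__":
    chain = build_example_chain()
    print("intact:", verify_chain(chain))
    chain[1]["payload"]["event"] = "admin password unchanged"   # rewrite history
    print("after tampering:", verify_chain(chain))
```

Rewriting one record and recomputing its own hash does not help the tamperer either: the next block still carries the old hash in its `prev` field, so verification fails one block later. In a distributed ledger that mismatch is what the other nodes refuse to accept.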
AI and machine learning
AI and Machine Learning are also innovations that can be utilised to improve security measures. AI can be programmed to learn an IoT device’s normal network fingerprint and use this information to monitor and detect anomalies on that network. Alerts from any threat detection can then be automated and security incidents escalated where required. This could unburden IoT cybersecurity professionals and assist in compliance with reporting duties under the data protection regime and the PSTI.
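The "network fingerprint" idea can be shown without any machine-learning library: learn, per device, the set of endpoints it normally talks to and the statistics of how much it sends, then flag traffic that departs from that baseline. The example below is added here (not code from the article or any product) and uses a constructed flow log in which a thermostat that only ever reports to its cloud service suddenly contacts a LAN file share and then sends a volume far above its norm; the log format, device names and addresses are assumptions.

```python
import statistics
from collections import defaultdict

# Constructed flow records, one per reporting interval: "device dst_ip:dst_port bytes".
BASELINE_LOG = """\
thermostat-01 203.0.113.10:443 1020
thermostat-01 203.0.113.10:443 1110
thermostat-01 203.0.113.10:443 980
thermostat-01 203.0.113.10:443 1250
thermostat-01 203.0.113.10:443 1075
thermostat-01 203.0.113.10:443 1190
thermostat-01 203.0.113.10:443 1005
thermostat-01 203.0.113.10:443 1140
thermostat-01 203.0.113.10:443 1060
thermostat-01 203.0.113.10:443 1210
"""

# Constructed observations after the baseline was learned.
NEW_LOG = """\
thermostat-01 203.0.113.10:443 1130
thermostat-01 192.168.10.5:445 640
thermostat-01 203.0.113.10:443 250000
"""


def parse(log: str):
    for line in log.splitlines():
        device, endpoint, nbytes = line.split()
        yield device, endpoint, int(nbytes)


def learn_fingerprint(log: str) -> dict:
    """Per device: the endpoints it talks to and its byte-volume mean and spread."""
    endpoints = defaultdict(set)
    volumes = defaultdict(list)
    for device, endpoint, nbytes in parse(log):
        endpoints[device].add(endpoint)
        volumes[device].append(nbytes)
    return {
        device: {
            "endpoints": endpoints[device],
            "mean": statistics.mean(volumes[device]),
            "stdev": statistics.stdev(volumes[device]) if len(volumes[device]) > 1 else 0.0,
        }
        for device in endpoints
    }


def detect_anomalies(fingerprint: dict, log: str, sigma: float = 3.0) -> list:
    """Flag unknown devices, unseen endpoints and volumes beyond mean + sigma * stdev."""
    findings = []
    for device, endpoint, nbytes in parse(log):
        profile = fingerprint.get(device)
        if profile is None:
            findings.append((device, endpoint, nbytes, "unknown device"))
        elif endpoint not in profile["endpoints"]:
            findings.append((device, endpoint, nbytes, "new destination"))
        elif nbytes > profile["mean"] + sigma * profile["stdev"]:
            findings.append((device, endpoint, nbytes, "volume spike"))
    return findings


if __name__ == "__main__":
    fp = learn_fingerprint(BASELINE_LOG)
    for finding in detect_anomalies(fp, NEW_LOG):
        print("alert:", finding)
```

Single-purpose IoT devices are a good fit for this approach precisely because their legitimate behaviour is so narrow: a thermostat has no business opening SMB connections to a workstation, so a baseline learned from a few days of normal traffic produces few false positives.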
Zero Trust architecture
Zero-trust architecture should also be considered for further IoT network protection. The concept of zero-trust requires all users, no matter where they are originating from, to be authenticated and continually validated before being granted access and being allowed to maintain that access. This model could assist the IoT environment by ensuring no unauthorised devices can access the network.
Innovative IoT cybersecurity measures do not just come in the form of software either. Hardware-based security is vulnerability protection using physical devices, and common examples include hardware firewalls, proxy servers and security modules for authentication purposes. It also includes the protection of physical systems, such as those facilitating connectivity and communication to large numbers of IoT devices, from harm. Hardware-based security measures can provide a foundational layer of protection that can operate below the operating system level and spot anomalies before they reach any data.
3 Ways to Ensure User Education and Awareness
The fast emergence and adoption of IoT devices have left many users with a lot of catching up to do regarding security best practices, and given the vulnerabilities of these devices, users also have a lot of responsibility to ensure these best practices are actually observed. We must remember that despite a secure, out of the box configuration post-PSTI, it is still the user that is ultimately in control of their devices. Default settings can be changed, disabled functionality can be re-enabled, and corners can be cut. No amount of secure configuration can make up for a reckless and ill-informed user oversharing their data, exposing their credentials or falling victim to malware.
Privacy settings and Phishing awareness
Privacy settings are one of the first lines of defence for a user to control their data and who/what can access it. It is commonplace for almost all devices and software to ask for and store personal details to create accounts, tailor experiences to each user and allow for sharing and social networking features. It is important that a user is mindful of what information they use and allow to be shared, as this information can be utilised in a multitude of ways.
For example, a malicious actor can use the information shared online by a user to better inform their password cracking techniques and subsequently increase their likelihood of success, or access a user’s location, history and other data to spot trends and habits. An individual’s data can also be used to better carry out social engineering attacks (such as phishing, pharming and whaling) to induce unsuspecting users into divulging their user credentials. Multiple IoT devices make for multiple opportunities for communication and access to a user to perform these attacks.
Therefore, it is advisable for a user to tighten their privacy settings:
- Enable auto-delete for certain log history (e.g., location history, browsing history, web and app activity)
- Disable tracking where possible
- Set data entries to private or make them only visible to the user
- Ensure limited default permissions for software and apps (for functions such as camera, microphone, location, contacts etc.)
As for taking extra care regarding social engineering attempts, there are a few things to look out for:
- Any communication asking for information should be highly scrutinised, starting with the email address/phone number it originates from, how the communication is drafted/phrased, whether it contains any suspicious links or attachments and how tailored the communication is to the user themselves.
- Any links to webpages should also be highly scrutinised, starting with the URL/Web address and the contents of the website itself (any unusual logos, buttons and instructions)
- Almost all services will never ask for your password via email or over the phone
- Almost all services will provide alternative ways of engaging with the service provider (such as contact numbers or addresses) and suspicion should be raised where this is not the case
By taking extra care and configuring privacy settings appropriately, users can significantly limit the possibility of data exposure and the likelihood of their data being used against them.
A user can only take extra care and configure their settings properly with the appropriate training. In cyberspace, malicious actors are notoriously one-step ahead of everyone and continuously evolve their strategies to exploit new technologies. This, coupled with the fact that the biggest driver for almost all cyber-attacks is human error, means that there is really no substitute for regular, thorough and up-to-date security awareness training.
The purpose of awareness training is to embed IoT cybersecurity best practices into individuals so that those individuals effectively become “human firewalls”. However, this kind of training can be expensive. A large aspect of the PSTI is to ensure that users of new IoT devices are given all the appropriate information in order to use their devices safely. This includes easy to understand user manuals, proper notifications/prompts regarding updates and adequate reporting of discovered vulnerabilities. The fact of the matter is this – the more information a user has, the better informed their decisions will be.
This article has endeavoured to outline some of the main challenges posed by the emergence of IoT and the lack of standardised security measures that are now being addressed by the Product Security and Telecommunications Infrastructure Act 2022 (PSTI). The challenges highlighted in this article included the diverse device landscape, its lack of standardised security protocols and accompanying data privacy concerns, and the devices’ inherent design and resource constraints.
The outlined solutions contained within the PSTI included the role of encryption, access controls and authentication practices, regular software updates and adequate network segmentation. Innovative IoT cybersecurity measures such as Blockchain technology, AI and Machine Learning, Zero Trust and hardware-based security were also presented as possible measures to bolster IoT cybersecurity and compliance in the future. Readers should consider implementing all the security measures discussed in this article to get ahead of the curve in a UK that is moving towards mandatory IoT cybersecurity compliance.