Blogs & Opinions 04.03.2025

Finding a Way Out of the IoT Security Arms Race

IoT device numbers are surging, but so are threats

Stephen Kines argues that IoT stakeholders should adopt a security-by-design mantra.

IoT security needs a rethink. According to one estimate, the number of connected IoT devices is expected to grow 13% annually to reach 18.8 billion by end of 2024. Yet they present a unique set of security challenges that organisations must grapple with.

With IoT cyber threats continuing to evolve, how should companies go about building a robust security response to safeguard their critical assets?

The “default disconnect” mindset

The National Protective Security Authority (NPSA) states in rule Dev.400 of its CAPSS 2024 – Security Characteristic document that network ports and services should only be connected when needed, otherwise known as a “default disconnect” strategy.

Keeping IoT devices disconnected from the network when they are not actively in use significantly reduces the attack surface, minimising the risk of malicious activity. Using network segmentation, organisations can keep devices physically disconnected until they are needed. Firebreak technology allows devices to be immediately reconnected, using a remote non-IP trigger, to ensure business operations remain smooth without compromising on security.
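To make the "default disconnect" idea concrete, here is an added Python sketch (not from the article, and not a model of Goldilock's product or of any real firewall API) in which every registered device starts disconnected, a connection window is opened only by an explicit out-of-band trigger for a bounded time, windows lapse automatically, a whole segment can be cut at once, and the currently reachable (device, port) pairs can be counted as an attack-surface snapshot. Device names, segments, ports and timestamps are constructed; the trigger is modelled as a plain function call.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed model (hypothetical names, no real product API) of a
# "default disconnect" policy: a device is unreachable unless an explicit,
# time-bounded connection window has been opened for it.


@dataclass
class Device:
    name: str
    segment: str
    ports: List[int]                           # services exposed while connected
    connected_until: Optional[float] = None    # None = disconnected (the default)


@dataclass
class DefaultDisconnectPolicy:
    devices: Dict[str, Device] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)

    def register(self, dev: Device) -> None:
        self.devices[dev.name] = dev             # registered disconnected by default

    def trigger_connect(self, name: str, now: float, ttl_seconds: float, reason: str) -> None:
        """Out-of-band trigger (the article's non-IP signal is modelled here
        as a plain function call) opens a bounded connection window."""
        if ttl_seconds <= 0:
            raise ValueError("connection window must be positive")
        dev = self.devices[name]
        dev.connected_until = now + ttl_seconds
        self.audit.append(f"{now:.0f} CONNECT {name} segment={dev.segment} "
                          f"ttl={ttl_seconds:.0f} reason={reason!r}")

    def is_connected(self, name: str, now: float) -> bool:
        """Lazy expiry: a lapsed window returns the device to disconnected."""
        dev = self.devices[name]
        if dev.connected_until is None:
            return False
        if now >= dev.connected_until:
            dev.connected_until = None
            self.audit.append(f"{now:.0f} AUTO-DISCONNECT {name}")
            return False
        return True

    def disconnect_segment(self, segment: str, now: float) -> int:
        """Emergency break: drop every open window in one network segment."""
        dropped = 0
        for dev in self.devices.values():
            if dev.segment == segment and dev.connected_until is not None:
                dev.connected_until = None
                dropped += 1
                self.audit.append(f"{now:.0f} FORCE-DISCONNECT {dev.name}")
        return dropped

    def exposed_ports(self, now: float) -> List[Tuple[str, int]]:
        """Attack-surface snapshot: (device, port) pairs reachable right now."""
        return sorted((d.name, p) for d in list(self.devices.values())
                      if self.is_connected(d.name, now) for p in d.ports)

    def always_on_surface(self) -> int:
        """Surface if every device stayed permanently connected (the baseline)."""
        return sum(len(d.ports) for d in self.devices.values())


def demo() -> dict:
    """Constructed three-device fleet walked through one maintenance window."""
    policy = DefaultDisconnectPolicy()
    policy.register(Device("cam-01", "plant-a", [554, 80]))
    policy.register(Device("hvac-07", "plant-a", [502]))
    policy.register(Device("badge-rdr", "lobby", [443]))

    before = policy.exposed_ports(now=0)                       # nothing reachable
    policy.trigger_connect("hvac-07", now=100, ttl_seconds=600, reason="maintenance window")
    during = policy.exposed_ports(now=200)                     # only the HVAC port
    after = policy.exposed_ports(now=700)                      # window lapsed at t=700
    return {"always_on": policy.always_on_surface(), "before": before,
            "during": during, "after": after, "audit": policy.audit}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The contrast the article draws falls out of the numbers: the same fleet exposes four service ports if left always-on, but at most one during a deliberately opened window and none outside it, and the audit list records who opened what and when, which is the evidence a defender wants when reviewing why a device was reachable at all.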

“Keeping IoT devices disconnected from the network when they are not actively in use significantly reduces the attack surface.”

This principle is incredibly important in driving stronger IoT security. Given the rapidly expanding number of IoT devices in UK critical infrastructure, we should aim to prioritise making default disconnect a legal requirement.

Making things easier

Default disconnect is even more important in the context of current endpoint security solutions. Many products marketed to smart device operators are actually not designed for the unique requirements of the IoT ecosystem. They may require expensive and disruptive “forklift” upgrades and the removal of legacy systems in order to work effectively. And they overlook a critical aspect: the user experience.

It’s important to remember that users interacting with IoT devices aren’t always IT professionals. They need clear-cut solutions that are easy to understand and implement, avoiding security jargon and convoluted processes. This is especially important because IoT security isn’t implemented at the network level; it involves securing multiple individual devices.

From the ground up

Instead of retrofitting existing solutions onto IoT devices, organisations need a fresh perspective. This means layering security from the ground up.

With a “security-by-design” approach, businesses can deploy secure safeguards that work seamlessly with existing legacy systems and the physical aspects of devices. This will ultimately lead to easier deployment and a more user-friendly experience, which is crucial for the continued growth of the IoT sector.

“There needs to be a culture where vulnerability disclosure is seen as a strength.”

More effort must also be put into building trust across the industry. We hear a lot about the importance of collaboration, and yet there’s a general reluctance to share vulnerability information. It’s easy to see why organisations don’t want to expose themselves to criticism, but this lack of trust and transparency is ultimately hindering progress.

To overcome this obstacle, there needs to be a culture where vulnerability disclosure is seen as a strength. Establishing safe spaces for open dialogue about security concerns, free from judgment, is paramount to fostering trust and collaboration. When this happens, responsible disclosures can be made to the authorities to help security researchers develop stronger IoT solutions. The result? More resilient devices and a safer digital landscape for all.

It’s time to pick up the pace

While progress is being made, the momentum for improving IoT security isn’t accelerating fast enough. The IEC 62443 standard provides a solid foundation, but its lack of enforceability hinders its full potential.

To truly move the needle, there must be stronger collaboration across government, industry and academia. By prioritising the adoption of default disconnect strategies, building secure-by-design solutions from the physical layer upwards, and creating stronger economic incentives for more resilient IoT products, we can finally close the security gap.

Stephen, a significant shareholder of Goldilock, is an international corporate lawyer specialising in complex M&A and tax-efficient commercial transactions across the US, UK, and emerging markets. He has served as general counsel for high-net-worth individuals and families, as well as international law firms. With a keen interest in emerging technologies like blockchain and cybersecurity, Stephen is committed to community engagement and sustainability. As a former military officer, he holds a key leadership role at Goldilock, ensuring a steadfast focus on strategic goals.
