As the volume of IoT devices connecting to enterprise networks continues to climb, the number of security threats has been increasing in lockstep. Cybersecurity threats, alongside supply chain issues, chip shortages and geopolitical instability, are a major reason that IoT growth has been slower than many analysts had predicted.
Even so, the scale of the IoT security problem is great enough that 52 IoT startups raised a total of $840 million in the latest quarter, and even cautious analysts believe the IoT market will grow steadily in the coming years. In fact, research firm IDC predicts that the IoT market will expand to 55.7 billion connected IoT devices by 2025, with those devices generating 80B zettabytes (ZB) of data.
In response to IoT-based security threats, enterprises are turning to startups to fill gaps in their existing security infrastructure. Here are five key IoT security challenges that organisations face, and that startups can help to address.
1. The attack surface is growing
Recent IoT security breaches are enough to keep any CISO awake at night. Here are just a few of the known IoT security incidents from the past few years:
- In May, a mother who runs a large TikTok account discovered that an attacker had breached the family’s connected baby monitor and spoken to her children late at night.
- As part of its ongoing invasion of Ukraine, Russian special services have hacked IoT cameras in residential complexes and coffee shops to surveil adjacent streets, gather intelligence on Ukrainian citizens, and monitor aid convoys.
- Hackers supporting Ukraine have hacked Russian TV networks to play videos supporting Ukraine’s armed forces; other hackers penetrated CCTV networks in several Russian cities to broadcast a speech from Ukraine President Zelensky.
- In 2019, a Milwaukee couple’s smart home system was attacked; hackers raised the smart thermostat’s temperature setting to 90°, talked to them through their kitchen webcam, and played vulgar songs.
- In 2016, Mirai botnet malware infected poorly secured IoT devices and other networked devices and launched a DDoS attack that took down the Internet for much of the eastern U.S. and parts of Europe.
- In 2015, hackers remotely took control of a Jeep Cherokee, which led to the recall of 1.4 million Fiat Chrysler vehicles.
As troubling as those incidents are, IoT security risks could become even worse as edge computing expands into the mainstream and advanced 5G networks roll out features, such as Reduced-Capability (RedCap) 5G, that are intended to spur the accelerated adoption of enterprise IoT.
With RedCap 5G, mobile devices with cellular connections, such as smart phones and watches, will be able to serve as hubs that provide ad-hoc connectivity to nearby constrained devices. While this could help streamline workflows and deliver business efficiencies, poorly secured mobile devices that automatically connect to, for instance, industrial equipment for diagnostics could also expose those devices to threats like Stuxnet-style malware that could cause the machine to self-destruct.
“Obviously, more endpoints mean that attackers have a greater attack surface to exploit, and security teams must manage many more risks,” said IDC analyst Jason Leigh. There is a saving grace, however, that may inadvertently limit IoT risks. “With constrained devices, it’s difficult to get complex malware through them,” Leigh said. “Additionally, new networking specifications [such as 5.5G] include details about security components that can be deployed at the network level to reduce risks,” Leigh said.
New specifications will help, but attackers are already targeting IoT networks, meaning that organizations must act now to mitigate risks. Many organizations find that they need to engage new vendors to solve this problem.
2. A fractured market means IoT visibility is getting worse
One of the most common cybersecurity credos is that you can’t secure what you can’t see. The fractured nature of the IoT market exacerbates the issue. With no single vendor claiming more than a 3% market share, according to IoT Analytics, interoperability and visibility are two major challenges to improved IoT security.
At Dayton Children’s Hospital – a $600 million pediatric network with an acute care teaching hospital, two primary campuses, and another 20 ambulatory care sites – IoT, Internet of Medical Things (IoMT), and Bring Your Own Device (BYOD) proliferated over the past decade as the organisation grew.
The hospital’s IT staff estimates that there are now approximately 25,000 devices connected to the hospital’s networks, including smart TVs, security cameras, and critical medical devices like X-ray machines, MRI machines, and robots that aid in neurosurgery.
This situation is by no means unique to Dayton Children’s Hospital. IoT growth is rapid across the healthcare sector, and IT teams must figure out how to provide consistent connectivity to caregivers without undermining safety or violating various industry regulations that prioritise privacy.
Mount Sinai Health System, based in New York City, also faced significant challenges when trying to boost the security of their vast network of medical equipment and IoT devices. The lack of visibility into the devices connecting to the network was a major headache. In addition, Mount Sinai had operated with separate teams responsible for biomedical and IT operations, so the lack of coordination between these teams led to limited visibility and awareness of many devices’ nature and purpose.
As the organisation sought to streamline and modernise its IT systems, Dr. Tom Mustac, senior director for cybersecurity, was frustrated by the inability to accurately identify assets using the system’s existing resources. This visibility gap posed significant challenges, as IT was unable to assess a device’s impact on patient care and potential network vulnerabilities.
Additionally, the biomedical team was severely constrained by vendor patches, end-of-life operating systems, and non-remote upgradable devices. Mount Sinai also faced unique challenges beyond medical devices. Their diverse network environment encompassed a wide range of connected devices, including automobiles, gaming systems, and exercise equipment. Without proper context, identifying and managing these devices was a nightmare that just kept getting worse.
In order to gain visibility, these healthcare organisations first had to grapple with the next challenge on our list: legacy constraints.
3. Legacy constraints are prevalent
Like many large healthcare systems, both Mount Sinai and Dayton Children’s relied on Cisco infrastructure and software. Whatever IoT-specific security tools they brought on board would need to integrate into existing Cisco-based systems.
“We have a variety of Cisco products, and what I love is that they're designed to work with each other in a way that you can correlate if something is going on,” said Nicholas Schopperth, Dayton Children's Chief Information Security Officer.
Schopperth's team had already deployed Cisco Secure Network Analytics, a cloud-based network monitoring tool, and Cisco Umbrella, a SASE service. But to secure and manage IoT, IoMT, and BYOD , Dayton Children’s security team needed help finding and classifying devices, managing IoT/IoMT flows, and deciphering communication patterns to identify anomalies.
The cybersecurity team at Mount Sinai faced a similar challenge, relying on Cisco ISE (Identity Services Engine) to handle network access control. However, Mount Sinai needed another tool to help it identify, classify, and monitor the devices moving in and out of its network.
Both organisations knew they would need to bring in new technologies, but they prioritised finding ones that would interoperate with existing networking and security systems.
4. Controlling IoT access without impeding business goals
Both Dayton Children’s and Mount Sinai turned to different startups that provide IoT security integration with Cisco infrastructure. Dayton Children’s selected the IoT security platform from Ordr, a Santa Clara-based startup that was founded in 2015, while Mount Sinai chose the security platform from Claroty, a New York-based startup that was also founded in 2015.
Dayton Children’s used Ordr’s Connected Device Security software to identify device contexts, baseline normal device communications flows, and perform behavioral analytics of both devices and users. Dayton Children’s cybersecurity team then used this tool to generate policies and access controls that could be automated and enforced using Cisco ISE on Cisco wireless controllers and firewalls.
By moving to a zero-trust architecture, Dayton Children’s is now able to segment its devices and only allow them to connect to specific VLANs, limiting access between devices as well as device access to the network.
Mount Sinai pursued a similar strategy, deploying Medigate, a healthcare IoT security platform recently acquired by Claroty, and integrating it with Cisco ISE.
With Medigate, Mount Sinai gains insights into device behavior, communication patterns, and potential policy violations. Medigate’s continuous monitoring and violation detection helps Mount Sinai actively monitor application dependencies and ownership, enhancing their ability to assess potential risks and implement proactive measures.
The IoT visibility tools enable Mount Sinai to monitors traffic, identify ports and protocols, and learn what applications are installed on IoT devices. This allows Mount Sinai to be situationally aware of and to apply policies to any new device. The IT team can also segment the network from newly discovered, unmanaged devices.
Next, Medigate automates policy creation and enforcement by defining typical device behaviors, monitoring traffic, and identifying communication patterns. These patterns are used to create policies and best practices, and once approved, they are transferred to Cisco ISE for enforcement.
“Our integration with Medigate and Cisco has allowed us to enforce stringent security policies across our network, preventing unauthorised access and ensuring the integrity of our critical clinical systems,” Dr. Mustac said. These protections ensure that only authorised communications occur between devices and clinical systems, so Mount Sinai can prioritise patient safety without impeding critical clinical communication necessary for effective care delivery.
5. Trusted/untrusted partners
Insider risks have long been one of the most difficult cybersecurity threats to mitigate. Not only can power users, such as C-level executives, overrule IT policies, but partners and contractors often get streamlined access to corporate resources, and may unintentionally introduce risks in the name of expediency.
As IoT continues to encompass such devices as life-saving medical equipment and self-driving vehicles, even small risks can metastasize into major security incidents.
For San Francisco-based self-driving car startup Cruise, a way to mitigate the many risks associated with connected cars is to conduct thorough risk assessments of partners and suppliers. The trouble is that third-party assessments were such a time-consuming and cumbersome chore that the existing process was not able to scale as the company grew.
“The rise in cloud puts a huge stress on understanding the risk posture of our partners. That is a complex and non-trivial thing. Partnerships are always under pressure,” said Alexander Hughes, Director of Information Security, Trust, and Assurance at Cruise.
Cruise is backed by $10B in funding from General Motors, Honda, Microsoft, SoftBank, T. Rowe Price, Walmart, and others, but even with eye-popping amounts of funding, as Cruise scaled up its manufacturing, the company struggled to manage a growing ecosystem of suppliers. With limited personnel, the cybersecurity team was under constant pressure to review new vendors. Turnaround times got longer and longer, eventually cascading to slow down other security reviews, as well.
Cruise chose the IoT security platform from VISO TRUST, a startup founded in 2016, based in San Geronimo, CA. The VISO TRUST risk management platform automates manual risk management tasks.
Using AI and machine learning, the VISO TRUST platform has helped Cruise reduce manual assessments, cut overall assessment times in half, and shorten the turnaround time to onboard new vendors. “VISO Trust has completely automated the [security review] process, allowing us to reduce staff expenses by 90% and improve time to complete by 50% while supporting 117% more vendor assessments,” Hughes said.
For the foreseeable future, IoT security, like the IoT market in general, will be a complicated problem with no simple, single-vendor solution. Organisations would be wise strengthen protections with existing vendors, and then tap into those vendors’ partner ecosystems.
Startup partners are often laser-focused on industry-specific IoT security issues, and the solutions that interoperate with what you already have typically will offer the highest, quickest ROI.
(Jeff Vance is an IDG contributing writer and the founder of Startup50.com, a site that discovers, analyses, and ranks tech startups. Follow him on Twitter, @JWVance, or connect with him on LinkedIn.)