The United States has finally launched its Cyber Trust Mark program, which provides cybersecurity labels for IoT devices. It's Like the cybersecurity version of the Energy Star labels used to indicate the energy efficiency of appliances and other electronic devices. It helps consumers distinguish IoT products that are secure from those that are not.
This is a significant step towards securing the Internet of Things and the digital world in general. However, it would be reasonable to say that it is far from enough. There are still many challenges in securing the IoT ecosystem. The methods currently in place and this new label system cannot magically eliminate most of the security risks that come with the use of IoT products. Nevertheless, there are corresponding solutions that everyone using IoT devices should be acquainted with.
The situation is different for IoT device makers, though. How can they secure their devices when they even have a hard time keeping track of the products they sell? If they were to readily install security solutions into their devices, they would have to expand the computing power of their products. This is not practical technically or business-wise.
Addressing the IoT security challenges and risk factors enumerated above requires a comprehensive solution, not something that addresses one or two of the problems at a time. While third-party software component vulnerabilities may be resolved to some extent by having a meticulous review process, there is no guarantee that no other security issues will arise in the future.
For IoT device makers to holistically address the security problem, it is advisable to get a solution that provides adaptive protection and an agentless system to detect and manage threats. This would be a system that integrates the functions of Runtime Access Self-Protection (RASP) technology and the abilities of an agentless extended detection and response system.
The good news is that an IoT security solution like this already exists. A quick online search should lead to a few security platforms that can address the challenges of securing IoT devices. They provide functions like automatic zero-day threat mitigation, granular device-level security visibility, third-party software protection, and deterministic runtime security.
All of these functions can secure IoT without the solution being installed on individual devices. It can be integrated into development environments or added directly into CI/CD builds to achieve continuous monitoring for devices, making it possible to detect threats and raise the corresponding alerts promptly.
A comprehensive IoT security platform that automatically addresses zero-days and provides comprehensive security visibility is a boon for the shift-left efforts of organizations. A few innovative cybersecurity solution providers are already making this possible.
An authoritative large-scale study on the number of IoT manufacturers’ use of advanced IoT security is yet to be undertaken. However, given that not many manufacturers advertise or emphasize the security of their IoT products, it would not be an exaggeration to say that IoT security still has a long way to go. Hopefully, with the implementation of the IoT cybersecurity label program, the shift toward better security starts rolling.
This is a significant step towards securing the Internet of Things and the digital world in general. However, it would be reasonable to say that it is far from enough. There are still many challenges in securing the IoT ecosystem. The methods currently in place and this new label system cannot magically eliminate most of the security risks that come with the use of IoT products. Nevertheless, there are corresponding solutions that everyone using IoT devices should be acquainted with.
Breaking down the risks and challenges
Any discussion about IoT security challenges and solutions naturally starts with the presentation of the problems and risk factors. There are quite a number of them, but this article will only focus on the biggest concerns concerning IoT device manufacturers, which are as follows:- Zero-day threats and reactive threat handling - Cybercriminals never run out of new attack strategies. They find new approaches to defeat defenses, which are often undetected. The targeted organizations are usually clueless about how to respond. They are generally reactive in dealing with threats, often relying on threat intelligence so they are unable to detect anomalies if an attack is not yet profiled. The usual response is to simply send out security patches to try to remedy security issues only after they have been discovered.
- Third-party vulnerabilities - Most of the software used in IoT devices include third-party software libraries or dependencies, which are necessary for various functions including data transmission, encryption, authentication, communication, and OTA updates, among others. Unfortunately, using these third-party software components also means inheriting their vulnerabilities. Of note, around 71 percent of the open-source third-party libraries used in apps have security flaws.
- Lack of ongoing visibility - Adding to the problem of reactive threat handling is the tendency of many organizations to be unable to account for all of their devices. Usually, IoT manufacturers lose visibility over their devices once the devices are shipped to buyers. As such, they are unaware of the security problems that may be plaguing their products. It is usually already too late before they learn about these issues, so their only option is to send out software updates, which do not prevent or undo the security breaches that have already taken place. Manufacturers may have to issue product recalls and reputational damage is inevitable.
- Using ineffective security solutions and mechanisms - It is not uncommon for IoT manufacturers to settle for the bare minimum when it comes to security. Unfortunately, the bare minimum no longer cuts it when dealing with highly aggressive and rapidly evolving threats. Threat actors can easily find ways around perimeter defenses and they have developed ways to bypass encryption and evade static analysis tools.
- The performance-security balancing act - IoT devices are low-resource technologies that are incapable of running full-fledged security solutions. Device makers admit that if they were to choose between performance and security, they would prioritize the former. This results in weak security rationalized by the steady performance of devices, which is generally what users prefer.
- Inability to adapt the shift-left strategy - Shifting security left is quickly becoming the norm in the tech industry. However, it is difficult to apply it to resource-constrained IoT devices, which cannot run their own security solutions.
What is the most suitable solution?
For device users, there are ways to secure IoT devices. They can create unique usernames and passwords to regulate access. Also, multi-factor authentication may be implemented in addition to the generation of strong login credentials. Additionally, they can put these devices behind a firewall and use a next-generation security information and event management system that continuously monitors traffic involving these devices and detect potentially harmful activities.The situation is different for IoT device makers, though. How can they secure their devices when they even have a hard time keeping track of the products they sell? If they were to readily install security solutions into their devices, they would have to expand the computing power of their products. This is not practical technically or business-wise.
Addressing the IoT security challenges and risk factors enumerated above requires a comprehensive solution, not something that addresses one or two of the problems at a time. While third-party software component vulnerabilities may be resolved to some extent by having a meticulous review process, there is no guarantee that no other security issues will arise in the future.
For IoT device makers to holistically address the security problem, it is advisable to get a solution that provides adaptive protection and an agentless system to detect and manage threats. This would be a system that integrates the functions of Runtime Access Self-Protection (RASP) technology and the abilities of an agentless extended detection and response system.
The good news is that an IoT security solution like this already exists. A quick online search should lead to a few security platforms that can address the challenges of securing IoT devices. They provide functions like automatic zero-day threat mitigation, granular device-level security visibility, third-party software protection, and deterministic runtime security.
All of these functions can secure IoT without the solution being installed on individual devices. It can be integrated into development environments or added directly into CI/CD builds to achieve continuous monitoring for devices, making it possible to detect threats and raise the corresponding alerts promptly.
A comprehensive IoT security platform that automatically addresses zero-days and provides comprehensive security visibility is a boon for the shift-left efforts of organizations. A few innovative cybersecurity solution providers are already making this possible.
Wide room for improvement
Despite the availability of suitable solutions for the different security challenges and risks associated with the use of IoT devices, it can be said that modern organizations are still far from having an edge against threat actors. This is mainly because of the lack of awareness among IoT manufacturers about viable security solutions or their refusal to use these solutions.An authoritative large-scale study on the number of IoT manufacturers’ use of advanced IoT security is yet to be undertaken. However, given that not many manufacturers advertise or emphasize the security of their IoT products, it would not be an exaggeration to say that IoT security still has a long way to go. Hopefully, with the implementation of the IoT cybersecurity label program, the shift toward better security starts rolling.
