
Vendors and users can follow these guidelines to improve IoT security

With IoT becoming more prevalent, cybersecurity issues are also on the rise. That said, there are certain guidelines that vendors and users can follow to improve IoT security.
Needless to say, the Internet of Things (IoT) has become a common part of everyday life, bringing convenience to all users. In fact, connected devices have become so popular that they are expected to grow from 20.4 billion this year to 75 billion by 2025, according to Review42.
Yet the very ubiquity of IoT devices also introduces new risks. Consider the following statistics from the 2020 Unit 42 IoT Threat Report:
  • 98 percent of all IoT device traffic is unencrypted, exposing personal and confidential data on the network and allowing attackers to listen to unencrypted network traffic, collect personal or confidential information, and then sell that data for profit on the dark web;
  • 57 percent of IoT devices are vulnerable to medium- or high-severity attacks, making IoT the low-hanging fruit for attackers;
  • 41 percent of attacks exploit device vulnerabilities, as IT-borne attacks scan through network-connected devices in an attempt to exploit known weaknesses.
These threats call for guidelines that IoT vendors and users need to follow. “Yes, cyberattacks are still serious threats to IP cameras and other IP devices. Despite the fact that vendors have made real progress in providing hardening guides, forcing the change of default passwords, making it possible to use secure, strongly authenticated connections and putting in place modern cybersecurity controls and promoting best practice – it still remains the case that these have to be followed,” said Salvatore D’Agostino, CEO, IDmachines.

Guidelines for vendors and users

Fortunately, such guidelines exist, and vendors and users may find them helpful. Vendors can refer to “Foundational Cybersecurity Activities for IoT Device Manufacturers,” published by the National Institute of Standards and Technology (NIST). The document lists a set of IoT cybersecurity capabilities that users might need – including device identification, device configuration, data protection, logical access to interfaces, software and firmware update, and cybersecurity state awareness – and recommends that vendors engage in certain pre-sale and post-sale activities to make products suit customer needs.
End user organizations can refer to another NIST document, “Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks.” The document asks organizations to ensure that their cybersecurity, supply chain and privacy risk management programs are executed with security in mind. This includes determining which devices have IoT device capabilities, identifying IoT device types, assessing IoT device risk, and deciding how to respond to that risk by accepting, avoiding, mitigating, sharing or transferring it.
Further, D’Agostino recommends a set of baseline requirements for users that covers not only capabilities but also policy and specific security and privacy controls:
  • Mandatory changing of default passwords to strong ones;
  • Deceleration for bad login attempts (that is, don’t allow a login for a period of time after a number of failed login attempts);
  • Role-based access control that restricts and differentiates privileges for administrators, operators and users;
  • Least privilege: namely, only provide credentials to those who absolutely need them;
  • Absolutely no service account backdoors;
  • Segmented networks, with firewalls;
  • Use of HTTPS for all connections and certificate-based authentication;
  • Closing all unnecessary ports and services;
  • Running camera applications in a trusted execution environment;
  • Logging to support performance monitoring and, if necessary, forensic analysis;
  • Proper key management for certificates and other credentials;
  • User account management.
