Merging the cyber and the physical aspects of security for an Internet of Things (IoT) infrastructure is a tall order for many businesses. That’s because it requires an end-to-end strategy to secure far-flung components that can include IT systems, operational controls, cloud services, physical devices and sensors, and consumer technologies.
Securing the IoT will demand that businesses identify cyber and physical threats to their IoT infrastructure, determine the consequences of these threats, and carefully evaluate security strategies. This requires close collaboration among device manufacturers, resellers, deployers, solution developers, and cloud providers, which is a huge challenge given the varying priorities of these stakeholders. Other roadblocks include a lack of standards for IoT security, disparate hardware and software capabilities, and a range of communications protocols and control systems.
Nonetheless, the risks of an IoT-based attack are too consequential to ignore. Consider the October 2016 DDoS attack on Dyn, an Internet DNS provider. The powerful assault harnessed connected devices like DVRs, webcams, and cable set-top devices to take down hundreds of websites around the world. Such attacks come at great cost: the financial impact alone of a DDoS attack can reach $250,000 an hour for a company.
Also consider that risks are amplified as more equipment and devices are connected in the IoT. Traditional threats extend to a broader range of interlinked systems, and the IoT introduces a new level of risk as it links physical equipment and consumer technologies like self-driving automobiles and connected medical devices. Nefarious activity can result in threats to human safety and even loss of life.
The first step to mitigate these risks will be to identify the threats that are most relevant. In addition to DDoS attacks, these can include breach of personal data, communications interception, natural disasters, physical attack, and hijacking.
This evaluation should factor in the entire lifecycle of an IoT infrastructure: design, deployment, and operations. We recommend a critical threat-modeling analysis of infrastructure to discover the most likely threats and define actionable mitigation.
And because IoT devices often ship with disparate operating systems, computational capabilities, and access-control methods, a review of authentication and access-control schemes is also important. Consider, for instance, that devices typically come with default passwords enabled, and businesses often do not implement strong passwords. After deployment, companies should continue to run risk assessments of devices and make sure that a disciplined firmware update policy is followed.
Another critical action is network traffic analysis. IoT devices employ a variety of network topologies and communications protocols, and a standards-based approach can improve compatibility and security. As more manufacturing, facility management, and critical infrastructure organizations embrace the IoT, they should ensure that the specialized protocols used by SCADA systems are secure.
The right security evaluation framework
The components of an IoT security framework will vary among businesses, and each organization will need to design evaluation strategies that deliver the most value in time and money.
Microsoft’s IoT Security Evaluation Framework is a good place to start. It’s a step-by-step guide for assessing IoT infrastructure that uses existing threat models, links threats to consequences, and defines evaluation strategies that can detect flaws in IoT infrastructures. Whether you have already implemented an IoT infrastructure or are in the process of designing or deploying one, Microsoft can show you how a comprehensive IoT security framework can help grow, scale, and transform your business. To learn more, download our whitepaper, Evaluating Your IoT Security.
Neustar, Worldwide DDoS Attacks & Cyber Insights Research Report, May 2017.