Securing the Internet of Things
- Scott Anderson
- Apr 9, 2025
You’ve likely heard the term Internet of Things (IoT) – but do you know what it means? Do you understand its composition? It is a bit of an unspecific name because of its vastness. Essentially, any electronic device can be part of the IoT if it has sensors and processing capability that enable connectivity to a network.
The concept of remotely accessing almost any device from our car to our toaster oven presents a heretofore unparalleled level of convenience, but the secondary effects are complex and incalculable. Renowned global data and business intelligence platform Statista reports that there are nearly 20 billion IoT connected devices in use today. That means that in addition to the traditional computers and peripheral devices connected to the Internet, there are now 20 billion additional points of entry. Each and every one of those entities is an addition to the attack space – a potential point of compromise that a malicious actor can exploit to get a foothold into unauthorized networks. Statista also estimates that the number of IoT devices will double by 2033.
The IoT’s origins resemble the wild west. Almost every manufacturer building new electronic products is incorporating a sensor and sticking an Internet Protocol (IP) address on it so it can be accessed and controlled via cyberspace. Security, oftentimes, is not only an afterthought, but a non-consideration. So, not only have we exponentially increased the attack surface, but we have also introduced the most exploitable pieces of infrastructure in cyberspace history. Companies prioritize production, convenience, and profit over security, and the IoT is Exhibit A.
The good news is that we are now doing more than acknowledging and admiring the problem. In January, the United States Government announced the launch of the U.S. Cyber Trust Mark, a new cybersecurity safety label for Internet of Things (IoT) devices. A key part of this initiative is that products receiving this credential will be labeled with an easily scannable QR code that provides critical information about the product’s cybersecurity and helpful cybersecurity guidance (like instructions on how to change the manufacturer-created default password).
The program is not mandatory, but its establishment is a landmark measure and step forward when it comes to IoT security. In order to achieve certification, manufacturers must submit their products for testing by one of eleven prominent companies that have been initially identified as independent Cyber Trust Mark certifiers. In their formal statement, the White House noted that products will be evaluated against established cybersecurity criteria from the National Institute of Standards and Technology (NIST). While details are still being finalized, leveraging NIST-developed cybersecurity criteria as the standard going forward is a tremendous step toward better securing the IoT, and therefore, better securing any interconnected device anywhere – including the devices we leverage when handling sensitive data, which our adversaries target.
Cyber Trust Mark is a step, but it cannot stand alone. Each of us has a responsibility to inventory and secure any device in our orbit that can provide an inroad to the Internet. We have to examine, evaluate, and subsequently secure each and every one, because if we don't, it won't be long before a bad actor puts it in his crosshairs and leverages it for access, obfuscation, and a launching point for offensive cyber operations.