A new encryption standard for Internet of Things (IoT) should help advance security for these connected devices in businesses, manufacturers, critical infrastructure, and other sectors running this equipment.
But many of these devices continue to lag behind in cybersecurity functions and practices.
On Feb. 7, the National Institute of Standards and Technology (NIST) announced it had selected a group of cryptographic algorithms, known as Ascon, to be the formal encryption standard for “lightweight” electronic devices and their communications. The standard should help devices makers and their customers better secure the data and devices from attackers increasingly targeting operational technology even though such devices have limited processing power and storage.
The algorithms allow encryption protections for even the smallest devices, NIST computer scientist Kerry McKay said in the announcement of the standard.
“The world is moving toward using small devices for lots of tasks ranging from sensing to identification to machine control, and because these small devices have limited resources, they need security that has a compact implementation,” she said. “These algorithms should cover most devices that have these sorts of resource constraints.”
Why IoT Is Exploding
Connected devices in business and industrial settings are a rapidly growing application driven by two major forces over the past three years. Initially, the pandemic spurred the need to support remote operations, while the current concerns of a recession are pushing companies to automate operations using connected devices.
For example, the Industrial Internet of Things (IIoT) — an umbrella term for connected devices that monitor and control physical systems and industrial processes — is predicted to grow dramatically. The number of industrial IoT connections — a measure of the number of devices deployed — is expected to more than double to 36.8 billion in 2025, up from 17.7 billion in 2020, according to Juniper Research.
However, the massive growth also brings a massive attack surface area. Vulnerabilities in the so-called Extended Internet of Things (XIoT), which includes both devices and the systems that manage those devices, jumped 57% in the first half of 2022 continuing a dramatic rise from the prior year. On the enterprise side, security researchers demonstrated 63 exploitable vulnerabilities in a variety of connected devices at this year’s Pwn2Own, such as printers and network-attached storage.
Meanwhile, enterprise and industrial IoT devices and systems are often used for decades without regular updates, unlike conventional IT environments, which are replaced every three to five years and updated regularly in between, says Bill Malik, vice president of infrastructure strategies at cybersecurity firm Trend Micro.
“Right now, tens of thousands of industrial IoT environments are open to the Internet, either through carelessness or a lack of awareness of the risks,” he says. “Many of these systems ship with default passwords, which are rarely changed by the use, and those systems are often incapable of being updated.”
Lightweight — but Not Light — Security
The NIST standard aims to give even low-power devices a base level of cybersecurity by encrypting stored data and communications. The process took several years, starting with 57 candidates in March 2019, which were whittled down to 10 finalists in 2021.
“The ability to provide security was paramount, but we also had to consider factors such as a candidate algorithm’s performance and flexibility in terms of speed, size, and energy use,” NIST’s McKay stated in the Feb. 7 announcement. “In the end, we made a selection that was a good all-around choice.”
Implementing the NIST standard will take time, as many IoT vendors are still catching up to cybersecurity best practices, with devices often lacking strong authentication capabilities, no easy way to distribute and install patches, and poor visibility into activity, including weak or nonexistent logging, Trend Micro’s Malik says.
The level of maturity for the industrial sector in North America, for example, continues to lag behind other some other countries. Compared to the worldwide average of 57%, only half the companies (50%) in the region have adopted technologies that look for anomalous behavior or use automation and orchestration to manage and secure devices, considered the top two tiers of security maturity for operational technology, according to Fortinet’s “2022 State of Operational Technology and Cybersecurity Report.”
The risks to connected enterprise and industrial devices is growing, especially against the manufacturing sector, which accounted for 68% of observed attacks against industrial systems in the third quarter of 2022, according to Dragos, a cybersecurity services firm. Russia’s invasion of Ukraine has created an online battlefield with threat actors on both sides targeting a variety of systems and devices, aiming at causing physical damage and disruption through cyberattacks.
As enterprises and industries continue to move toward ubiquitous monitoring and control, enabling smart factories, smart cities, and smart infrastructure, cyberattacks will become more impactful, Deloitte stated in its “Industry 4.0 and Cybersecurity” report.
Detection Alone Is “Not Enough”
Focusing on detection, however, is not enough, says Keao Caindec, a principal analyst with Farallon Technology Group and chair of the Security Working Group at the Industry IoT Consortium (IIC).
“A lot of the security controls that we use today, focus more on detection and remediation, a lot of monitoring and then prioritizing events and alerts,” he says. “The problem is that leaves you always just one step behind the attacker, so companies need to really focus on addressing initial access, preventing compromised access, preventing unauthorized discovery and reconnaissance and preventing lateral attacks.”
Yet the ability to protect enterprise and industrial IoT remains with companies, which should seek to gain as much visibility as possible into what devices are connected to their environments, Caindec says. He points to an already-pursued defensive framework, zero-trust architectures, as perhaps the best current approach to securing enterprise and industrial IoT devices and systems.
In addition, companies need to have the top decision makers on their side. Cybersecurity efforts are a significant investment, especially if they include replacing devices, so you need executive support, says Wendy Frank, cyber IoT leader with consultancy Deloitte.
“I think a lot of this comes down to really talking to your boards, making sure they’re aware of the specific problems around devices, because they don’t do this for a living,” she says.