Strategies to secure long-life IoT devices

In this Help Net Security interview, Rob ter Linden, CISO at Signify, discusses priorities for CISOs working on IoT security, including the need for compliant infrastructure, easy device management, and preparing for future tech like quantum computing and AI. He also covers challenges with IoT visibility, security, and new regulations.

For CISOs building or improving an IoT security strategy, what should be the top 3 priorities?

1. First off, creating an IoT infrastructure that matches global expectations and meets local legislative requirements within each market where you operate is key.

2. IoT infrastructure, such as central and IoT devices, should also be easily upgradable and straightforward to maintain, and able to be remotely monitored.

3. Finally, there are always new challenges and opportunities in such a fast-moving area. Prepare for quantum computing (edge and central), applying AI capabilities, and ensuring separation of duties regarding connectivity.

Many organizations are still grappling with visibility. What’s your take on the current state of IoT asset discovery and inventory in enterprise environments?

Visibility of the IoT ecosystem is important in terms of managing risk and improving efficiency but is not without its challenges. IoT devices generally use older software and hardware, and their security capabilities (protection) are not up to current standards. It’s clearly important to know what we are dealing with, and finding these devices on enterprise networks can be a chore, as they mainly rely on Wi-Fi connectivity. If proper authentication is also lacking, devices can be added easily to the network, which is even more of an issue if you offer a BYOD Wi-Fi network.

As the number of such IoT-enabled devices increases day-by-day, and as they become more deeply embedded in home, building and street lighting networks, security becomes more crucial. Security is embedded in all aspects of our innovation, products, systems, and services.

Firmware and software updates are notoriously difficult in IoT. What strategies or technologies are helping close that gap, particularly in legacy or long-life devices?

Applying separate networks/authentication and implementing a “zero trust” network architecture, treating every network connection as a potential threat, is a good place to start. Isolating these devices and limiting the exposure and impact when things go wrong is absolutely paramount. Ultimately, the best thing to do is replace these devices, which I recognize is not always possible or cost-effective.

What impact are you seeing from evolving regulations like the EU CRA, U.S. labeling initiatives, or NIST guidance on IoT cybersecurity? Are they helping or complicating things?

This activity creates an important awareness among companies providing IoT devices, which is a good thing because ultimately it will accelerate the maturation of security.

There is increased complexity, though, of course, due to legislation, some of which is continent-specific but also country-specific, with restrictions regarding storing data or hosting infrastructure.

How concerned should organizations be about AI-driven threats to IoT, such as automated exploitation or deepfake signals in industrial settings?

It’s no different than any other attack surface. IT security measures are in place to prevent, detect and respond to attackers from causing damage to systems and gaining access to critical data, systems, and services. The increase in attacks is already there and here to stay. Yes, we should be concerned. But, as always, our focus should be on being agile, limiting impact and creating resilience.

