November 7, 2022
Individuals, businesses, and governments alike rely on IoT devices to keep everything going. Each of us is surrounded by IoT almost every moment of every day, with an estimated 75.44 billion IoT devices to be installed worldwide by 2025. These devices are making our buildings, infrastructure, supply chain, cars, gadgets, and many other systems smarter, better, and more efficient.
But, as reliance on IoT grows, so does cyberattacker interest, putting a big target on every IoT device. IoT represents a “way in” to an organization - once in, they can do almost anything (eavesdrop, steal information, disrupt operations, or perpetrate other attacks).
Unfortunately, that “way in” is usually wide open for an attacker. Why? Because IoT devices are notoriously difficult to lock down and secure. Case in point, over half (57%) of IoT devices are vulnerable to medium and high-severity attacks.
Understanding Top IoT Security Challenges
The current security solutions available to protect IoT devices, place manufacturers and operators at a disadvantage. They all operate on the periphery, managing patches and providing old-school perimeter defenses that can only try to contain threats once they are identified.
As the rest of the security ecosystem has evolved, IoT security has stagnated, lacking any equivalent of on-device (e.g., XDR) or in-code (e.g., RASP) solutions that are routinely applied to protect endpoints, cloud-native and web applications. As a result, manufacturers and operators are stuck with solutions that:
1. Reactive approach to zero-day threats
The majority of device manufactures still rely on security patches to address zero-day threats. In other areas of cybersecurity this would be considered a flawed strategy, since the average time between a vulnerability disclosure and patch being issued is several days or more which gives attackers plenty of time to exploit. While other sectors have moved on to use proactive zero-day defenses (e.g., WAF, XDR, etc.), IoT manufacturers and operators are still stuck playing catch up with an age-old (and expensive) game of patching.
2. No ongoing visibility into devices in the field
By and large, device manufacturers lose device-level visibility once devices are shipped. They have no way to monitor their devices to spot or address emerging issues. Meanwhile, a malfunction in a single device could lead to security breaches, loss of trust, mass recalls or worse. Even when issues are discovered, the lack of live visibility and change history needed for effective root cause analysis makes in-field debugging labor-intensive and time-consuming.
3. Exposure to third-party vulnerabilities
IoT devices often use third-party software libraries for communication, encryption, authentication, OTA updates, and other basic functions. Any vulnerability within this third-party software is an avenue for exploitation. From the attacker’s point of view (POV) this software supply chain is an unaddressed security gap - it has contributed to over 40% of all attacks.
4. Outdated security tools and methods
Cryptography can be bypassed, and static analysis (e.g., SAST) and vulnerability discovery tools find only ~50% of vulnerabilities on a good day. Perimeter protections and network segmentation, which still dominate the IoT security industry, are limited in their ability to detect and prevent attacks on IoT devices. They can do nothing to protect isolated (unconnected) devices, or attacks on the IoT device itself because they completely miss advanced EDR/XDR-like endpoint protection.
5. Lack of shift-left approach to security
Cloud-native and application developers usually have tools to help them integrate security into the development lifecycle of their products. However, for IoT devices, this is not the case - embedded engineers lack security tools that can be easily integrated into their development process.
6. A hard choice between security and performance
The inherent resource limitations of IoT devices (CPU, memory, storage, etc.), measured against the bulky nature of existing security solutions (e.g., agents and complex network segmentation approaches) force IoT manufacturers to compromise. Many admit to knowingly sacrificing some security features within their IoT devices just to "get the job done”. This leaves many devices vulnerable because there is no such thing as “halfway secure”.
Mending the Gap(s)
If you are in the IoT manufacturing space, some (or maybe even all) of the above challenges will feel familiar. They certainly did to us, which is why we created Sternum - a security solution purpose-built to take these challenges head on.
Here is a quick look of what Sternum has to offer...
The platform you see in this video represents a paradigm shift for IoT security, combining the adaptive protection of RASP with an agentless EDR/XDR-like deployment model, addressing the aforementioned challenges with:
- Automatic mitigation of known and zero-day threats: Our patented EIV solution introduces a vulnerability-agnostic approach that deterministically blocks exploitation attempts to deliver blanket protection from current and future threats.
- Live in-field insights: Our platform offers granular device-level visibility that gives users the actionable insights they need to identify and resolve complex issues to improve product performance, quality, and security.
- Out-of-the-box 3rd party protection: Our security solution relies on binary instrumentation to protect all running code, including third-party and OS libraries, to effectively prevent any exploitation.
- Runtime security for all devices: Taking a page from leading runtime security solutions, we deliver deterministic self-correcting protection that is equally effective for any IoT device - any device/OS combination, whether it’s old or new, connected or isolated (air-gapped).
- A shift left approach: Our platform natively integrates with popular integrated development environments (IDEs) and can be introduced directly into CI/CD builds. This enables the ongoing profiling of a device’s software to identify and alert on any security gaps during development stages that help make devices more secure by design.
- Agentless and lightweight solution: Our in-firmware approach allows Sternum to be easily embedded into the most resource-restricted devices (e.g., RTOS, embedded devices, legacy models, etc) without sacrificing performance (only 1-3% overhead) or operations.
And this is just on the security side. In addition, we have robust observability and anomaly detection solutions to support the needs of teams in charge of developing, deploying, and managing IoT fleets.
Interested to learn more about Sternum? Schedule a demo and see our platform in action: https://www.sternumiot.com/request-demo
Better Performance with Autonomous Observability
Gain complete visibility by monitoring and analyzing events in your device or across an entire fleet, from the first line of code and until post-deployment maintenance.
Diagnose software bugs and vulnerabilities by using instrumentation, to pinpoint flaws, gain dynamic profiling and analysis of the software, including third-party code.Learn about Sternum observability >>