5 Reasons Vulnerability Management for IoT Isn’t Enough

Saying that the use of Internet of Things (IoT) devices has grown over the years would be a gross understatement. According to research from IoT Analytics, 16.6 billion connected IoT devices were in use by the end of 2023 with an estimated 13% growth to 18.8 billion by the end of 2024. Further, 51% of enterprise IoT adopters plan to increase their IoT budget in 2024 with 22% of them expecting a budget increase of 10% or more compared to 2023. 

As IoT device use continues to grow, so does the cybersecurity risk. From sensors used in manufacturing to increasing reliance on Internet of Medical Things (IoMT) for patient care, the risks inherent in these devices now touch upon more than data. They increasingly impact human life. Many current vulnerability management practices fail to secure these devices appropriately, especially as most tools lack the necessary context. To improve vulnerability management for IoT devices, organizations should consider why current practices fail and how to overcome these challenges.

1. The Expanded Attack Surface is Overwhelming

Every new IoT device connected to a company’s networks increases the attack surface. The devices and their connected applications become new access points that attackers can exploit to gain unauthorized access to sensitive information and systems.

As these devices proliferate, many organizations have no way to identify or manage them, often leaving them with unpatched vulnerabilities. Vulnerability management strategies often fail to keep pace with the growing threat, especially when the organization cannot continuously discover new devices. Without the ability to detect, inventory, and manage IoT devices, organizations increase their cybersecurity risk.

2. Traditional Vulnerability Scanners Take Devices Offline

Traditional vulnerability scanners can inadvertently take IoT devices offline by bombarding them with automated requests that may exceed their capacity. This overwhelming load can lead to service disruptions that impact critical operations.

Furthermore, many traditional tools confirm that a vulnerability exists without indicating whether an attacker could actually exploit it within the organization’s IT infrastructure.

3. The Compliance Landscape Keeps Changing

As legislative bodies and industry standards organizations seek to keep pace with these new risks, they add IoT devices to their long list of compliance requirements. For example, in April 2024, the Cybersecurity and Infrastructure Security Agency (CISA) published new incident reporting rules for the critical infrastructure vertical. Without visibility into potentially exploitable vulnerabilities arising from IoT devices, companies within this vertical may not be able to identify or report on attacks as required by the agency. As more laws and standards incorporate IoT devices, organizations need to implement additional security protections around them.

4. Manufacturers Failing to Deliver Patches Quickly

Because many IoT manufacturers prioritize product development over deploying firmware updates, they often fail to deliver timely patches that respond to newly discovered vulnerabilities and exploits. Without the ability to promptly apply security updates, organizations increase the risk that attackers will exploit the vulnerability.

Even when manufacturers provide updates, installing them can be time-consuming and resource intensive across a large fleet. Without visibility into the risk context, IT teams have no way to prioritize their activities, which either overwhelms them or leaves vulnerable devices at risk.

5. Traditional Threat Intelligence May Not Identify IoT Attack Vectors

Traditional threat intelligence often fails to provide insights about attack vectors unique to IoT devices. Common threats against these devices include:

• Malware targeting them so attackers can use them as part of a botnet during a Distributed Denial of Service (DDoS) attack
• Ransomware targeting their specific vulnerabilities

Further, traditional threat intelligence cannot analyze IoT traffic’s volume and variability, creating a visibility and security gap. With no context into how attackers exploit a vulnerability or the organization’s other risk mitigation controls, the information fails to provide the expected value.

Beyond the Patch: Context, Microsegmentation, and Device Hardening

Many aspects of IoT security lend themselves to unique approaches, and vulnerability management is one of them. Knowing that devices have vulnerabilities is the first risk mitigation step. However, without the context that an exploitability analysis provides, overwhelmed teams have no way to prioritize their activities. Mitigating IoT risk requires a multi-layered approach.

Identify Devices

Before you can implement security controls, you need to identify and inventory your IoT device fleet. A technology purpose-built for IoT devices will use passive scanning to detect and collect information like:

• Hardware: manufacturer, model, serial number
• Software: operating system, version, firmware revisions
• Device type and function
• Security assessment: vulnerabilities and risks

Use Context to Assess Risk

Using an IoT-focused security solution enables holistic visibility by providing a risk score that includes context like:

• Device importance
• Neighbors
• Likelihood of exploit
• The IoT device’s value
• Level of exploit difficulty

With insight into the risk’s context, your team can prioritize activities more effectively.
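To make the contextual-scoring idea concrete, here is an added example that is not Asimily’s patented algorithm or product code. It ranks every (device, vulnerability) pair by a weighted score built from the factors listed above: base severity, likelihood of exploit (an EPSS-style probability scaled down by exploit difficulty), and environmental impact (device importance raised by how many critical neighbors sit on the same segment). The weights, the sample fleet and the vulnerability ids (`VULN-A` and so on, not real CVEs) are all constructed assumptions; the point is to show how context reorders what a CVSS-only scanner would tell you to patch first.

```python
"""Contextual risk scoring and prioritization for an IoT fleet.

Added illustration, not Asimily's algorithm: the weights and the sample
devices/vulnerabilities below are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Vuln:
    vuln_id: str             # placeholder id, not a real CVE
    cvss: float              # 0..10 base severity
    epss: float              # 0..1 exploitation probability (EPSS-style)
    exploit_difficulty: str  # "low", "medium" or "high"


@dataclass
class Device:
    name: str
    importance: float        # 0..1 business or clinical value of the device
    critical_neighbors: int  # high-value systems reachable from its segment
    vulns: List[Vuln] = field(default_factory=list)


# Assumed weights: how much each context factor contributes to the score.
W_SEVERITY, W_LIKELIHOOD, W_IMPACT = 0.3, 0.3, 0.4
DIFFICULTY_FACTOR = {"low": 1.0, "medium": 0.6, "high": 0.3}


def impact(device: Device) -> float:
    """Device importance, raised for each critical neighbour an attacker could pivot to (capped at 1)."""
    return min(1.0, device.importance * (1 + 0.25 * device.critical_neighbors))


def likelihood(v: Vuln) -> float:
    """Chance the flaw is exploited in practice: EPSS scaled down by exploit difficulty."""
    return v.epss * DIFFICULTY_FACTOR[v.exploit_difficulty]


def contextual_score(device: Device, v: Vuln) -> float:
    """0..100 risk score combining severity, likelihood and environmental impact."""
    return 100 * (W_SEVERITY * v.cvss / 10
                  + W_LIKELIHOOD * likelihood(v)
                  + W_IMPACT * impact(device))


def prioritize(fleet: List[Device]) -> List[Tuple[str, str, float]]:
    """Every (device, vuln, score) triple ranked by contextual score, highest first."""
    ranked = [(d.name, v.vuln_id, round(contextual_score(d, v), 2))
              for d in fleet for v in d.vulns]
    return sorted(ranked, key=lambda r: r[2], reverse=True)


def cvss_only_order(fleet: List[Device]) -> List[str]:
    """The order a context-free scanner would suggest: highest CVSS first."""
    pairs = [(v.cvss, d.name) for d in fleet for v in d.vulns]
    return [name for _, name in sorted(pairs, reverse=True)]


# Constructed sample fleet (not real devices or vulnerabilities).
FLEET = [
    Device("infusion-pump-07", importance=1.0, critical_neighbors=3,
           vulns=[Vuln("VULN-A", cvss=7.5, epss=0.02, exploit_difficulty="low")]),
    Device("break-room-fridge", importance=0.1, critical_neighbors=0,
           vulns=[Vuln("VULN-B", cvss=9.8, epss=0.6, exploit_difficulty="low")]),
    Device("hvac-controller-2", importance=0.6, critical_neighbors=1,
           vulns=[Vuln("VULN-C", cvss=9.0, epss=0.05, exploit_difficulty="high")]),
]

if __name__ == "__main__":
    print("CVSS-only order:", cvss_only_order(FLEET))
    for name, vid, score in prioritize(FLEET):
        print(f"{score:6.2f}  {name}  {vid}")
```

With these inputs the CVSS-only order is fridge, HVAC, pump, while the contextual ranking puts the infusion pump first (63.1), the HVAC controller second (57.45) and the fridge last (51.4): the pump’s lower-severity flaw matters more because of what it is and what it can reach.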

Segment by Device Categorization

Targeted segmentation is a strategy that focuses on isolating devices with similar exploit vectors so that your team can create IoT-specific mitigation strategies. By creating security risk profiles and using them to categorize devices, your team can implement targeted risk activities like:

• Security governance
• Patching
• Device configuration management
• Upgrading or replacing insecure devices

For example, some devices pose a higher risk for being used as part of a low and slow attack while others are better suited to be used in a volumetric DDoS attack. With targeted segmentation, you can place devices with similar risk profiles together to make monitoring easier and focus alerts on what matters for that specific risk type.

Disable Unnecessary Features and Services

IoT devices often come with features or services that you don’t need. For example, you may not need the microphone on a smart refrigerator in the break room. By disabling these unnecessary functionalities, you reduce risk.

Maintain a Secure Configuration

After hardening your devices, you need to maintain secure configurations. Configuration drift can happen any time you:

• Add new devices to your network
• Update software and/or firmware

Reviewing IoT metadata, like version numbers or settings, can help you mitigate configuration drift.
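As an added example of that metadata review (not Asimily’s product code), the script below compares a baseline inventory snapshot taken after hardening with a current snapshot and reports both drift triggers named above: a new device appearing on the network, and a firmware update that silently changed a setting. It also checks every device against an assumed hardening policy. The snapshots, MAC addresses (locally administered, made up), model names and the policy are all constructed.

```python
"""Detect configuration drift in an IoT inventory.

Added example, not Asimily's product code. The inventory snapshots and the
hardening policy are constructed assumptions.
"""
from typing import Dict, List

Inventory = Dict[str, dict]  # MAC address -> device record

# Constructed baseline recorded after the fleet was hardened.
BASELINE: Inventory = {
    "02:00:00:00:00:01": {"model": "IP-CAM-200", "firmware": "2.4.1",
                          "settings": {"telnet": "off", "upnp": "off"}},
    "02:00:00:00:00:02": {"model": "HVAC-CTL-9", "firmware": "1.9.0",
                          "settings": {"telnet": "off", "upnp": "off"}},
}

# Constructed current snapshot: a firmware update re-enabled telnet on the
# camera, and a new smart plug appeared with UPnP on.
CURRENT: Inventory = {
    "02:00:00:00:00:01": {"model": "IP-CAM-200", "firmware": "2.5.0",
                          "settings": {"telnet": "on", "upnp": "off"}},
    "02:00:00:00:00:02": {"model": "HVAC-CTL-9", "firmware": "1.9.0",
                          "settings": {"telnet": "off", "upnp": "off"}},
    "02:00:00:00:00:03": {"model": "SMART-PLUG-1", "firmware": "0.9.2",
                          "settings": {"telnet": "off", "upnp": "on"}},
}

# Assumed hardening policy: settings every device must keep.
POLICY = {"telnet": "off", "upnp": "off"}


def diff_inventory(baseline: Inventory, current: Inventory) -> List[dict]:
    """Return one finding per drift event between the two snapshots."""
    findings = []
    for mac, dev in current.items():
        old = baseline.get(mac)
        if old is None:
            findings.append({"kind": "new_device", "device": mac, "detail": dev["model"]})
            continue
        if dev["firmware"] != old["firmware"]:
            findings.append({"kind": "firmware_change", "device": mac,
                             "detail": f'{old["firmware"]} -> {dev["firmware"]}'})
        # Compare every setting present in either snapshot, so removed keys show up too.
        for key in sorted(set(old["settings"]) | set(dev["settings"])):
            before, after = old["settings"].get(key), dev["settings"].get(key)
            if before != after:
                findings.append({"kind": "setting_change", "device": mac,
                                 "detail": f"{key}: {before} -> {after}"})
    for mac in sorted(baseline.keys() - current.keys()):
        findings.append({"kind": "missing_device", "device": mac,
                         "detail": baseline[mac]["model"]})
    return findings


def policy_violations(current: Inventory, policy: dict) -> List[dict]:
    """Flag any device whose settings no longer match the hardening policy."""
    out = []
    for mac, dev in current.items():
        for key, required in policy.items():
            actual = dev["settings"].get(key)
            if actual != required:
                out.append({"device": mac, "setting": key,
                            "expected": required, "actual": actual})
    return out


if __name__ == "__main__":
    for f in diff_inventory(BASELINE, CURRENT):
        print(f'{f["kind"]:16} {f["device"]}  {f["detail"]}')
    for v in policy_violations(CURRENT, POLICY):
        print(f'POLICY {v["device"]} {v["setting"]} is {v["actual"]}, expected {v["expected"]}')
```

Run against the sample snapshots, it reports the camera’s firmware change and its telnet setting flipping from off to on, the new smart plug, and two policy violations (telnet on the camera, UPnP on the plug); the policy check is what catches the new device’s weak default even though there is no baseline to diff it against.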

Monitor for Anomalous Activity

Including IoT devices as part of your larger security monitoring is critical. You should create a baseline for normal connectivity to identify the connections associated with typical activities, like firmware updates. With this information, you can identify anomalous activity, like a connection to what might be an attacker’s command and control (C2) server.
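The baseline-then-detect approach, as an added example that is not Asimily’s monitoring logic: the code learns each device’s normal (destination, port) pairs from a learning window of flow records, then flags live connections to destinations outside that baseline and, as a second signal, any unknown destination contacted at a fixed interval, which is the regular check-in pattern a C2 beacon tends to produce. The flow records are constructed (documentation IP ranges), the record format is an assumed simplified one, and the beacon threshold (at least four connections with at most 5 seconds of interval jitter) is an assumed tuning value.

```python
"""Baseline normal IoT connectivity and flag connections outside it.

Added example; not Asimily's monitoring logic. The flow records are
constructed (documentation IP ranges), and the beaconing heuristic
(fixed interval, at least four connections) is an assumed threshold.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean
from typing import Dict, List, Set, Tuple

# Constructed learning-window flows for one camera: its nightly firmware-update
# check over HTTPS and an NTP query to the local time server.
LEARNING_FLOWS = """\
2024-05-01T02:00:00Z src=10.0.5.21 dst=203.0.113.10 dport=443 proto=tcp
2024-05-01T02:00:05Z src=10.0.5.21 dst=10.0.0.5 dport=123 proto=udp
2024-05-02T02:00:00Z src=10.0.5.21 dst=203.0.113.10 dport=443 proto=tcp
""".splitlines()

# Constructed live flows: the usual update check, then a run of evenly spaced
# connections to a host the device has never talked to.
LIVE_FLOWS = """\
2024-05-09T02:00:00Z src=10.0.5.21 dst=203.0.113.10 dport=443 proto=tcp
2024-05-09T03:00:00Z src=10.0.5.21 dst=198.51.100.7 dport=8443 proto=tcp
2024-05-09T03:01:00Z src=10.0.5.21 dst=198.51.100.7 dport=8443 proto=tcp
2024-05-09T03:02:00Z src=10.0.5.21 dst=198.51.100.7 dport=8443 proto=tcp
2024-05-09T03:03:00Z src=10.0.5.21 dst=198.51.100.7 dport=8443 proto=tcp
""".splitlines()

Flow = Tuple[datetime, str, str, int]  # (time, src, dst, dport)
Baseline = Dict[str, Set[Tuple[str, int]]]


def parse_flow(line: str) -> Flow:
    """Parse one 'timestamp key=value ...' record (assumed simplified format)."""
    ts, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return when, fields["src"], fields["dst"], int(fields["dport"])


def build_baseline(lines: List[str]) -> Baseline:
    """Per source device, the (destination, port) pairs seen during the learning window."""
    baseline: Baseline = defaultdict(set)
    for _, src, dst, port in map(parse_flow, lines):
        baseline[src].add((dst, port))
    return baseline


def detect_anomalies(baseline: Baseline, lines: List[str],
                     min_beacons: int = 4, jitter_s: float = 5.0) -> List[dict]:
    """Flag destinations absent from the baseline, plus periodic contact that looks like beaconing."""
    findings = []
    unknown: Dict[Tuple[str, str, int], List[datetime]] = defaultdict(list)
    for when, src, dst, port in map(parse_flow, lines):
        if (dst, port) not in baseline.get(src, set()):
            unknown[(src, dst, port)].append(when)
    for (src, dst, port), times in unknown.items():
        findings.append({"kind": "unknown_destination", "src": src,
                         "dst": f"{dst}:{port}", "count": len(times)})
        # Near-constant spacing between connections is the beacon signal.
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= min_beacons and max(gaps) - min(gaps) <= jitter_s:
            findings.append({"kind": "possible_beacon", "src": src,
                             "dst": f"{dst}:{port}", "interval_s": mean(gaps)})
    return findings


if __name__ == "__main__":
    known = build_baseline(LEARNING_FLOWS)
    for finding in detect_anomalies(known, LIVE_FLOWS):
        print(finding)
```

On the sample data the update check passes silently, while the four connections to 198.51.100.7:8443 produce an unknown-destination finding and a possible-beacon finding with a 60-second interval. A real deployment would learn the baseline per device type rather than per device and re-learn it after planned changes such as firmware updates, so the update server itself does not show up as an anomaly.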

Asimily: Context and Risk Management

Asimily is purpose-built to manage IoT devices so that organizations have visibility into and control over their fleets. Our platform provides context, taking into account vulnerabilities and the IT environment, so organizations can mitigate risk more effectively.

Organizations efficiently identify high-risk vulnerabilities with our proprietary, patented algorithm that cross-references vast amounts of data from resources like EPSS (Exploit Prediction Scoring System), Software Bills of Material (SBOMs), Common Vulnerability and Exposure (CVE) lists, the MITRE ATT&CK Framework, and NIST Guidelines. It understands your unique environment, so our deep contextual recommendation engine can provide real-time, actionable remediation steps to reduce risk and save time.

To learn more about Asimily, download our IoT Device Security in 2024: The High Cost of Doing Nothing whitepaper or contact us today.