Physical IoT
Security:
How to secure
the physical layer
in IoT

Author: Mike Elgan

The Internet of Things (IoT) revolution is transforming business, enabling new efficiencies and changing information technology management practices. IoT devices are usually small, low cost, packed with sensors and connected to the network. The fact that they are "connected to the network" is where some risk is involved, and that's why it's vital to focus on the physical IoT security.

While your everyday, garden-variety IoT device may be low-powered, it's still a doorway to other connected devices and networks. And 1,000 IoT devices are 1,000 doorways - or potential backdoors.

With the number of IoT devices growing, and as wider deployment of 5G creates new opportunities for connectivity, the security of the IoT is vital for data security, regulatory compliance, customer data privacy, and the high availability and reliability of services, generally.

IoT security is cyber security. But the demands of securing IoT devices are unique.

What could go wrong with IoT security?

As software-based defenses have gotten better, some attackers have turned their attention to physical security to gain access. IoT devices can sometimes be relatively easy to access, especially if they're in remote or unmonitored locations.

Of course, the physical security layer is fundamental in all cyber security. But with data centers and office space locked behind closed doors, physical security is often assumed to be inherently strong. With many IoT devices deployed in the field, businesses can't take the physical layer security for granted.

A breach of the physical IoT security layer could allow malicious attackers to gather information about an IoT device itself, copy any data about or gathered by the device, and even change its programming. Physical access to IoT devices could enable side-channel analysis, settings resets, physical tampering, optical or electromagnetic fault injection, and other attacks. Ultimately, a compromised IoT device can be used to access other parts of the network.

Physical security threats also go beyond cyber security attacks. IoT devices are vulnerable to theft and damage from leaks, flooding, natural disasters, fire, electrical surges, overheating, accidents, vandalism and other causes.

Another challenge is overcoming faulty assumptions in your organization about who is responsible for IoT security. Cooperation between the physical security team, the cyber security team, and even property and ops teams is essential to ensuring IoT devices are physically secure.

The physical IoT security layer in devices

Securing IoT devices does involve the selection of secure and standards-compliant devices, continuous monitoring, and capable networked security infrastructure. But also important is good old-fashioned physical security. Here are a few tips for locking down physical IoT security.

  • The security of IoT infrastructure should not be the exclusive responsibility of the cyber security team. Establish cooperation and shared responsibility between the cyber security team, operations and management team, and physical security team. Getting all three involved will ensure the best outcome.
  • Remove any connectivity hardware—optical ports, radios—that exist purely for development reasons. Also, if it makes sense given the structure and purpose of the devices, consider removing all test points or disabling test access and otherwise secure devices from unauthorized digital access. Any sort of test or admin access is likely to be the target used by attackers.
  • Ensure all devices are in operations mode and not accidentally left in default setup, reset or pairing modes.
  • Favor devices that offer safeguards against physical tampering. If that isn't possible, use physical locks and place devices in restricted areas.
  • Train employees to recognize and deter social engineering attacks that could be exploited by attackers to gain access to restricted areas where IoT devices are installed.
  • Review storage and usage policies to make sure they do their part to protect IoT assets.
  • Make sure all IoT devices are protected against fire, water, general damage, and vandalism.
  • While IoT devices are supreme at site monitoring, make sure the devices themselves are being monitored with appropriate systems that detect unauthorized access and tampering.
  • Review and update your organization's hardware decommissioning policy, or create one if you don't have one. Just as hard drives and other data storage media must be wiped and destroyed, so must IoT devices.

As 5G continues to enable widespread use of the IoT, physical layer security in IoT is paramount. Learn more about how Verizon can help support IoT security.