There are resulting challenges ahead in the IoT security arena. Gartner predicts that over the next two years more than half of IoT manufacturers won't be able to contain weak authentication methods, which can pose a data risk. They estimate that "by 2020, more than 25% of identified enterprise attacks will involve IoT, though IoT will account for only 10% of IT security budgets." Last April they projected security spending on IoT will approach $350M this year - nearly a 24% increase from last year, but this may not be enough.
Appropriate tactics will be a key element in the security battle. A recent Forbes article covered the topic of IoT security, advocating "strict regulatory standards," the need to "enhance security while simplifying compliance" and implementing "an end-to-end approach that integrates both IT and operations technology (OT)."
Let's look at some best practices to address the concepts of authentication, data privacy and botnets:
Devices which must authenticate against other systems (generally in order to access or transmit data) should be configured to do so securely, such as with unique IDs and passwords. It may also be possible to implement encryption (SSH) keys that give a device an identity with which it can authenticate against other systems (securing the keys themselves is obviously a critical priority for this model to work). Examples of IoT devices with this capability include closed-circuit TV (CCTV) or DVR devices and satellite antenna equipment.
In other instances, device SSL certificates can be issued during the manufacturing process or added later to establish device identity and facilitate the authentication process. Building security into the device from the outset is important for IoT manufacturers to consider, so that possible vulnerabilities or flaws are carefully factored into the design process. Some examples of IoT devices which can use SSL certificates are the Amazon Web Services IoT Button, smart meters and home energy management devices.
When it comes to device updates (software and firmware, for instance), authentication should be employed where possible to ensure devices can retrieve code only from approved systems, such as internal servers or authorized devices.
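A device-side version of the update check described above, as an added example that is not from the original article: an update is accepted only if it comes from an approved host over HTTPS, its manifest is authentic, and the image matches the manifest. The host name, key and manifest fields are assumptions, the HMAC over a per-device key stands in for whatever signature scheme a real product uses, and the version check is an extra safeguard beyond what the article states.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumed values for illustration only (constructed, not from the article).
APPROVED_UPDATE_HOSTS = {"updates.internal.example"}
DEVICE_UPDATE_KEY = b"constructed-demo-key-provisioned-at-manufacture"


def source_is_approved(url: str) -> bool:
    """Accept only HTTPS URLs whose exact host name is on the allowlist."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in APPROVED_UPDATE_HOSTS


def manifest_tag(version: int, image_sha256: str, key: bytes) -> str:
    """Authentication tag binding the version number to the image digest."""
    message = f"{version}:{image_sha256}".encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def accept_update(url, manifest, image, installed_version,
                  key=DEVICE_UPDATE_KEY):
    """Return (accepted, reason) for a downloaded update."""
    # 1. The download location must be an approved system.
    if not source_is_approved(url):
        return False, "source not approved"
    # 2. The manifest must carry a tag made with the device's update key.
    expected = manifest_tag(manifest["version"], manifest["sha256"], key)
    if not hmac.compare_digest(expected, manifest["tag"]):
        return False, "manifest not authentic"
    # 3. The image bytes must match the digest the manifest vouches for.
    actual = hashlib.sha256(image).hexdigest()
    if not hmac.compare_digest(actual, manifest["sha256"]):
        return False, "image digest mismatch"
    # 4. Refuse to reinstall or downgrade to an older, authentic image.
    if manifest["version"] <= installed_version:
        return False, "rollback rejected"
    return True, "ok"
```
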
Depending on your IoT devices, researching and implementing the capabilities above (if not already present) would be a good first step in security.
IoT devices can use hardware-based trust anchors, also known as "roots of trust", which utilize a trusted boot process to ensure devices operate in a known secured state and their contents remain private. It's also possible to defend against untrusted software attacks by isolating code in different hardware locations so it cannot access secured resources.
Whether data is moving or at rest, it should be encrypted to protect the contents where possible.
IoT on-chip memories can protect data from being accessed or stolen by utilizing cryptography to encrypt or decrypt information. Communication between IoT devices and other systems should be secured via encrypted links using protocols such as TLS (Transport Layer Security), which is commonly used with web browsers, such as when conducting financial transactions. TLS can prevent "man in the middle" attacks whereby data in transit is captured and analyzed for confidential material.
It's also a good idea to isolate data so it's only available to systems which need to access it.