Skip navigation
Like what you’re reading?

IoT security: How businesses solve the attack surface dilemma

The rise of the Internet of Things (IoT) has transformed industries, connecting everything from manufacturing equipment to video camera systems and kiosks. However, unique security challenges raise a key question: How can businesses secure their IoT ecosystems without widespread in-person intervention? 

Director of Wireless WAN and Security Product Marketing

Video surveillance camera on a city street.

Director of Wireless WAN and Security Product Marketing

Director of Wireless WAN and Security Product Marketing

The attack surface dilemma posed by widespread enterprise IoT is a complex challenge, but businesses are finding ways to fight back. From zero trust principles to micro-segmentation and AI-driven threat detection, organizations are evolving their IoT security practices to stay ahead of threats. 

No single solution can eliminate all IoT risks. IoT security requires layered security strategies — combining proactive management, robust security technologies, and vendor collaboration. As IoT adoption continues to grow, investing in these best practices today is crucial for protecting the networks and connected devices of tomorrow. 

Let’s examine and answer some key IoT security questions, including: 

  • What are the best practices for enterprise IoT security? 
  • When it comes to IoT device security and IoT network security, are there specific types of IoT devices that are most vulnerable?   

 

Why is IoT so at risk, from a security perspective? 

IoT devices are inherently more vulnerable to security threats than traditional IT systems for several reasons. Many IoT devices operate with limited computing power, which restricts their ability to support robust encryption or security protocols. Additionally, in regulated industries, many of these devices run on outdated firmware or can’t be regularly patched, leaving them exposed. 

IoT devices frequently lack standardized security practices, with manufacturers prioritizing functionality and ease of deployment over security. This inconsistency creates gaps that attackers can exploit. Also, the sheer number and diversity of IoT devices in enterprise environments — ranging from cameras and sensors to HVAC systems — make it challenging to monitor and secure them all. Compounding the issue is the fact that IoT devices often come with default passwords that sometimes aren’t changed, their data is generally not encrypted, and they connect to broader networks. This enables attackers to use IoT devices as entry points for lateral movement, threatening critical systems and sensitive data. 

 

Are there specific types of IoT devices that are most vulnerable? 

Imagine the havoc that hackers could cause a nation by systematically targeting its power grid. Or consider the implications of criminals taking control of a city's network of video cameras. Or, even worse: a hacker taking over a commercial airplane en route. 

While some of these risk scenarios may seem exaggerated, the fact remains: IoT security threats are real, and hackers can easily access and control many of our day-to-day devices, homes, and vehicles. In fact, just a couple of months ago, we learned that millions of vehicles could be easily hacked, tracked, and controlled, thanks to a simple website bug. According to WIRED, researchers found a flaw in a Kia web portal that let them virtually scan any internet-connected Kia vehicle’s license plate, use it to track millions of cars, unlock the doors, and even start the engines. Scary. 

While the list of vulnerabilities and IoT devices that could potentially be hacked is massive, here is a list of the 10 most vulnerable IoT devices (according to IOT World Today): 

  • Industrial facilities 
  • Cars 
  • Video cameras 
  • Power grids and utilities 
  • Buildings 
  • City infrastructure and transportation networks 
  • Medical devices and hospitals 
  • Airplanes 
  • Retail stores 
  • Databases 
     

Want to learn more about IoT security strategies for your organization?

Explore today's connection, security and management needs for cellular-enabled IoT deployments.

Download white paper

 

How have organizations tried to provide security for Enterprise IoT? 

Organizations have employed various strategies to secure IoT environments, and each has its own strengths and limitations: 

  • Virtual private networks (VPNs): Many businesses use VPNs to secure communication between IoT devices and central systems. VPNs provide an encrypted channel, preventing eavesdropping on data in transit. However, VPNs are increasingly seen as inadequate for IoT because they rely on a perimeter-based security model, which assumes that devices and users inside the network can be trusted. If compromised, VPNs can grant attackers broad access to the network. 
  • Carrier-delivered private access point names (carrier-delivered private APNs): Some organizations use carrier-delivered private APNs to enhance IoT security by creating isolated, private communication channels within mobile networks. Carrier-delivered private APNs allow IoT devices to connect directly to enterprise systems without using the public internet, reducing exposure to external threats. This isolation strengthens security by segmenting IoT traffic and restricting access to predefined enterprise networks. However, carrier-delivered private APNs also have their limitations. They do not inherently protect against insider threats or vulnerabilities within IoT devices themselves, such as outdated firmware or weak authentication. 
  • Device authentication, network access control and secure boot: Implementing device authentication protocols only allows authorized devices to connect to the network, while secure boot mechanisms verify the integrity of IoT devices’ firmware during startup. These measures enhance security but require ongoing firmware updates and strict enforcement to remain effective. 
      

What are some best practices for IoT security today? 

To effectively keep enterprise IoT data and a company’s overall network secure, organizations need layers of IoT security measures. Here are some current strategies to keep in-mind:

Zero trust alternatives to VPNs 

Transitioning from VPNs to zero trust solutions ensures that every connection request, whether from an IoT device or a remote user, is authenticated, authorized, and encrypted. Zero trust networks provide granular access controls and isolate compromised devices, limiting their ability to spread threats across the network. 

Physical isolation and air gapping 

For highly sensitive environments, physically isolating IoT devices or employing air gapping can provide an extra layer of protection. While not practical for all scenarios, this method is still a strong defense for critical infrastructure or industrial systems.  

Microsegmentation 

Microsegmentation is a key network security technique to help implement a broader zero-trust approach at a granular level within the network. It isolates workloads, applications, and compromised areas within specific segments, which helps limit the spread of potential breaches. 
This approach is not typically done at the router level. Instead, it is often implemented by using host-based firewalls or software-defined networking, which essentially create secure zones where each segment can be secured individually with specific policies.  

Robust device identity and management 

Implementing unique, immutable identities for IoT devices and enforcing secure boot processes ensures only authenticated devices are permitted on the network. Regularly updating firmware and applying patches is essential to maintaining device security. 

AI-driven threat detection 

Automated tools that use machine learning to monitor IoT traffic for suspicious behavior can proactively identify threats. By analyzing device patterns and flagging anomalies, these systems provide early warnings and enable rapid incident response. 

Endpoint protection for IoT 

Lightweight endpoint security solutions tailored for IoT devices can provide protection against malware and unauthorized access. This is particularly valuable for IoT systems in healthcare or finance, where data privacy is critical. 

Vendor Collaboration 

Organizations should work closely with IoT manufacturers to ensure devices meet security standards, including secure firmware updates and compliance with established security protocols. Partnering with vendors committed to security reduces risks across the device lifecycle. 

 

How will IoT security continue to evolve over the next few years? 

The future of IoT security will hinge on integrating advanced technologies like artificial intelligence (AI) and machine learning to address the ever-expanding attack surface. AI-driven systems will play a pivotal role in real-time threat detection, analyzing vast amounts of IoT data to identify anomalies and potential breaches faster than human teams could. 

That said, AI is also a double-edged sword when it comes to IoT security. It will be a valuable tool in detecting and preventing breaches, but it will also increase the frequency and sophistication of attacks on IoT devices. 

Predictive analytics will also enable enterprises to anticipate vulnerabilities and proactively address them, while blockchain technology could enhance device authentication and secure data exchanges. 

As IoT ecosystems grow more complex, more and more businesses will need to continue to adopt zero trust architectures to verify device identities and enforce granular access controls. With these innovations, approaches and strategic collaborations with vendors, enterprises can be ready and more likely to evolve from reactive to proactive security strategies. As a result, many organizations will be able to help ensure robust protection against the dynamic challenges of IoT networks in the coming years. 

The Ericsson Blog

Like what you’re reading? Please sign up for email updates on your favorite topics.

Subscribe now

At the Ericsson Blog, we provide insight to make complex ideas on technology, innovation and business simple.