Each October, Cybersecurity Awareness Month encourages individuals and organizations to prioritize cybersecurity. This initiative has played a vital role in raising awareness about IoT security and promoting responsible IoT device usage.
2023 marks the 20th anniversary of Cybersecurity Awareness Month, and it seems like the perfect time to reflect on the ever-evolving landscape of IoT (Internet of Things) cybersecurity over the past two decades. IoT devices have become an integral part of many industries, including Industrial/Manufacturing, Energy, Medical and Automotive, to name a few.
According to Forrester, the number of IoT devices increased by 16% to 16.7 billion globally in 2022. Their increasing prevalence has brought about significant challenges in terms of security. This blog will take you through a year-by-year journey to see how IoT cybersecurity has evolved, highlighting improvements, key incidents, and legislative changes in both the United States and Europe.
2003: The Dawn of IoT
In the early 2000s, the concept of IoT was still in its infancy. Most IoT devices were proprietary and operated in isolated environments, limiting their exposure to cyber threats. However, as the technology started gaining traction, the need for security measures became apparent.
2006: The First Security Incidents
By 2006, we saw the emergence of the first IoT security incidents. Worms and malware started targeting vulnerable devices, demonstrating the potential risks of interconnected technology. These early attacks prompted the industry to explore security protocols and best practices.
2010: The Birth of Legislation
In 2010, the United States introduced the National Strategy to Secure Cyberspace, marking the beginning of federal efforts to secure IoT. Meanwhile, the European Union (EU) issued directives focusing on data protection. These developments laid the groundwork for future legislation.
2014: The IoT Explosion
IoT’s popularity exploded with the introduction of devices like the Nest Thermostat and Fitbit. While the convenience of these devices was undeniable, security vulnerabilities started to surface. It became evident that more robust measures were needed.
2015: The Jeep Hack
Back in 2015, the IBM Security Intelligence website reported a significant incident involving the hacking of a Jeep. Their report noted, “It was just one incident, but it was a wake-up call. In July of 2015, a group of researchers successfully gained complete control of a Jeep SUV by exploiting vulnerabilities in the vehicle’s CAN bus. Using a firmware update vulnerability, they were able to hijack the vehicle’s systems over the Sprint cellular network, demonstrating their capability to manipulate its speed, direction, and even veer it off the road. This served as a proof of concept for the emerging realm of Internet of Things (IoT) hacks, highlighting the alarming reality that companies often neglect the security of peripheral devices and networks, leading to potentially disastrous consequences.”
2016: Mirai Botnet Attack and the Birth of Device Authority
One of the most significant incidents in IoT security history occurred in 2016 with the Mirai botnet attack. Hackers exploited weak passwords to hijack millions of IoT devices, creating a massive botnet for distributed denial-of-service (DDoS) attacks. This incident exposed the critical need for better security in the IoT ecosystem.
(Interesting note: KeyScaler was created in 2016 as a response to these industry events and is today a leading provider of IoT security.)
2018: GDPR and the European IoT Security Framework
In 2018, the General Data Protection Regulation (GDPR) came into effect in Europe, placing strict requirements on data privacy. This pushed IoT device manufacturers to consider not only security but also user data protection. Additionally, the EU introduced a Cybersecurity Act to establish an IoT certification framework.
2019: The US Takes Action with the IoT Cybersecurity Improvement Act
In response to growing IoT threats, the United States passed the IoT Cybersecurity Improvement Act, signifying a landmark moment in the industry. This act mandated that IoT devices used by the federal government meet certain security standards, setting a precedent for the private sector to follow.
2021: Executive Order 14028 and the SBOM Requirement
2021 saw a pivotal moment in U.S. IoT cybersecurity with the issuance of Executive Order 14028 by the Biden administration. The order recognized the urgent need for improved IoT security and mandated the development of cybersecurity performance standards. Notably, it introduced the concept of a Software Bill of Materials (SBOM), which would provide transparency about the software components in a device. This step significantly enhanced supply chain security and was a turning point in IoT security evolution.
2022: Strengthening EU IoT Security Regulations
Europe followed suit with the EU Cybersecurity Act’s implementation, further solidifying IoT security regulations. The European Union began to establish a comprehensive framework for IoT cybersecurity certification, reinforcing the region’s commitment to ensuring the security and privacy of IoT devices.
2023: Notable IoT Security Incidents
In 2023, several high-profile IoT security incidents reinforced the necessity for stronger security measures. Attacks on critical infrastructure, smart cities, and healthcare systems underscored the potential for widespread harm if IoT vulnerabilities were left unchecked. These incidents fueled a global sense of urgency in enhancing IoT security.
Forrester reported a 41% increase in the average number of weekly attacks per organisation in Jan/Feb 2023 vs 2022.
A Brighter Future for IoT Security
The journey of IoT cybersecurity over the past 20 years has been marked by significant progress, though challenges persist. Legislative actions in the U.S. and Europe, exemplified by Executive Order 14028 and the SBOM requirement, have provided a foundation for more secure IoT ecosystems. High-profile incidents have underscored the urgent need for robust security measures.
As we reflect on the evolution of IoT security during Cybersecurity Awareness Month, it is evident that awareness and education are essential to safeguarding our connected world. The future holds promise as stakeholders increasingly prioritize security, leading to a safer and more resilient IoT landscape.
In the coming years, continued cooperation among governments, industries, and individuals will be crucial in ensuring that the benefits of IoT can be fully realized without compromising our security and privacy.
To find out more about how Device Authority can help secure your IoT device network, please contact us here: https://www.deviceauthority.com/contact-us/