Importance of IoT Trust Grows as Post-Quantum Reality Unfolds
Flax Typhoon should ring the alarm for IoT leaders on connected device security
The Chinese government has made a variety of attempts to hack into United States-based devices, and more has come to light about the depth and breadth of these hacks in 2024. These attacks, given the name “Typhoon” to signify their relation to China, target American organizations and data, looking to scrape and dismantle critical infrastructure.
In the past few years, several Chinese attacks have plagued the United States. Salt Typhoon has targeted American intelligence since 2020, as well as communication data collected by companies like AT&T. Volt Typhoon has been active since 2021, taking aim at critical infrastructure providers across a variety of sectors, including communications, manufacturing, utilities, transportation and more. As of the summer of 2024, Flax Typhoon has breached upwards of 200,000 IoT devices like smart cameras, routers and consumer technology, across the nation. Now, most recently, Chinese hackers have targeted mobile devices of both the Harris and Trump campaigns, breaching telecommunications networks to collect call data from those associated with the presidential candidates.
This is a real threat to national security. For IT leaders, the stakes are high not only to establish visibility into their potential risk areas but also to secure any vulnerabilities in their IoT ecosystems. To respond with agility and prepare, comprehensive digital trust must be at the center of any organization’s cybersecurity strategy.
All Kinds of Devices, All Secured
While not every leader is going to be well-versed when it comes to international espionage, they should be highly aware of what assets and connected devices require protection in their organization. Across sectors, IoT devices continue to grow in variety and number – and consequently, so does the data housed in those tools – making this a tall order for cybersecurity professionals to fill.
To better understand the types of devices that Typhoon hackers and other bad actors seek out, it’s helpful to break them into two categories: High-volume and high-value targets.
High-volume IoT devices are those vast in number and made by a single manufacturer, an example being all Xfinity Wi-Fi routers in the U.S. To hackers, these are lucrative targets for the sheer volume of data they house – phone numbers, addresses, banking information and more, all easily scraped right from a common device. Other high-volume identities might include smart energy meters or Ring cameras.
On the other end of the spectrum are high-value IoT devices. These are part of the critical infrastructure that supports daily function in the country. While less commonplace than high-volume targets, they are extremely valuable targets. Examples include control systems in factories, wind turbines, cellular towers and hospital equipment. Should one of these kinds of IoT devices be compromised, it could shut down national systems as important as water purification and vaccine development.
These two categories of devices already require manufacturers to think about security by design from the beginning. However, once they are in the hands of a user organization, the responsibility shifts to the provisioning company to manage updates and security of the machine identity.
Getting Ahead of the Next Typhoon
Business leaders and IoT operators need to secure communications between all of these highly connected, highly distributed devices. To start, leaders must ensure that each device has a unique identity. The connected device’s identity is key to proving authenticity and creating secure connections between devices. With IoT security budgets expected to increase by as much as 45% in the next five years, the outlook is positive for leaders establishing more robust IoT security.
In addition to establishing the identities of connected devices, leaders should secure the firmware inside their devices, too. This includes validating both the credibility and the origin of the firmware before IoT devices receive their regular updates. To make sure that security is part of this process from the get-go, IT professionals should consider using public key infrastructure (PKI) to guide their devices, systems and connections. PKI builds in secure functionality from the moment an operator begins provisioning an IoT device, creating continuous trust until the moment a device is deprovisioned. By providing mechanisms for authenticating devices over a network and between other devices, PKI builds in digital trust at all edge points. With PKI in place, IoT devices communicate over secure, encrypted channels.
Finally, and perhaps most crucially, organizations need visibility into all the cryptographic assets across their networks. Creating an inventory of these assets can be a feat in and of itself, so automation and AI can confirm that no identity is left behind, while simultaneously freeing up IT security teams from the tedious inventory work. Organizations should also frequently test their crypto-agility to assess how quickly they can manage, update and secure machine identities within their established PKI. This could include conducting cryptographic audits, monitoring issuance and deployment to find any weak keys or algorithms, or re-issuing or renewing vulnerable keys and digital certificates across their organization in the event of an update.
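The cryptographic audit described above, together with the earlier requirement that each device hold a unique identity, can be sketched as follows. This is an added example, not code from the article or its author; the inventory rows, finding codes and policy thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed inventory (not real devices): one row per device certificate.
INVENTORY = [
    {"device": "cam-001", "key_alg": "RSA", "key_bits": 1024, "sig_hash": "sha1",
     "spki_sha256": "aa11", "not_after": date(2026, 1, 1)},
    {"device": "cam-002", "key_alg": "EC", "key_bits": 256, "sig_hash": "sha256",
     "spki_sha256": "bb22", "not_after": date(2025, 1, 20)},
    {"device": "meter-17", "key_alg": "EC", "key_bits": 256, "sig_hash": "sha256",
     "spki_sha256": "cc33", "not_after": date(2027, 6, 1)},
    {"device": "meter-18", "key_alg": "EC", "key_bits": 256, "sig_hash": "sha256",
     "spki_sha256": "cc33", "not_after": date(2027, 6, 1)},
    {"device": "gw-01", "key_alg": "ML-DSA", "key_bits": None, "sig_hash": "n/a",
     "spki_sha256": "dd44", "not_after": date(2028, 1, 1)},
]

# Assumed policy values; replace with your organization's own standard.
MIN_BITS = {"RSA": 2048, "EC": 256}
WEAK_HASHES = {"md5", "sha1"}
QUANTUM_VULNERABLE = {"RSA", "EC", "DSA"}
RENEW_WINDOW_DAYS = 30

def audit(inventory, today):
    """Return {device: sorted list of finding codes} for every record."""
    by_key = defaultdict(list)  # public-key fingerprint -> devices using it
    for rec in inventory:
        by_key[rec["spki_sha256"]].append(rec["device"])
    findings = {}
    for rec in inventory:
        codes = set()
        alg = rec["key_alg"]
        if alg in MIN_BITS and rec["key_bits"] < MIN_BITS[alg]:
            codes.add("weak-key")
        if rec["sig_hash"].lower() in WEAK_HASHES:
            codes.add("weak-hash")
        if len(by_key[rec["spki_sha256"]]) > 1:
            codes.add("shared-key")  # identity is not unique to this device
        days_left = (rec["not_after"] - today).days
        if days_left < 0:
            codes.add("expired")
        elif days_left <= RENEW_WINDOW_DAYS:
            codes.add("renew-soon")
        if alg in QUANTUM_VULNERABLE:
            codes.add("pq-migration")  # candidate for a PQC re-issue
        findings[rec["device"]] = sorted(codes)
    return findings

if __name__ == "__main__":
    for device, codes in audit(INVENTORY, date(2025, 1, 1)).items():
        print(device, ", ".join(codes) or "ok")
```

Timing how long it takes to re-issue every certificate this flags is one concrete way to measure the crypto-agility the article calls for.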
Agility and Trust Are Key
Establishing trust becomes increasingly important as post-quantum reality unfolds. Each IoT device is a potential gateway into an organization’s data, meaning that every single one must have security incorporated. Whether that’s clear communication between a manufacturer and operator, or including the latest PQC algorithms in connected devices, cybersecurity leaders must have better visibility into their IoT ecosystems.
Because the threats facing U.S. infrastructure and data continuously change, IoT security should be a flexible and constantly updated practice. Connected systems designed today need to incorporate PKI and crypto-agility to adequately protect against the threats of the future.