Solving the IoT attack surface challenge: a practical playbook for IT managers

Ericsson Enterprise Wireless Solutions Australia Pty Ltd

By Camille Campbell, Director of Wireless WAN and Security Product Marketing, Ericsson Enterprise Wireless Solutions
Monday, 01 December, 2025



IoT is expanding the digital frontier, but with devices forecast to reach 6 billion by 2026, the attack surface is growing and has never been more exposed. These devices power everything from smart warehouses to public safety systems, each with its own security needs, which makes a one-size-fits-all approach inadequate. In the race to deliver affordable, feature-rich IoT, many devices are designed for a single function and constrained by limited processing power, limited battery life and minimal on-board security capabilities. As a result, they often ship with weak protections, rarely changed factory default passwords or hard-coded credentials, unsecured interfaces and infrequent updates. When attackers exploit these weaknesses, confidentiality, integrity and availability can be compromised across the whole ecosystem.

Threats to IoT systems from internal and external attackers include device compromise, unauthorised access to the network, attacks on the network control and user planes, cloud-based attacks, and access to management functions through backdoors. The IoT attack surface comprises every component of an IoT system that an attacker can reach or affect: the devices, the wireless interface, the network, the IoT platform, the application platform and the applications.

Organisations have employed various strategies to secure IoT environments, and each has its own strengths and limitations:

  • Virtual private networks (VPNs): Many businesses use VPNs to secure communication between IoT devices and central systems. VPNs provide an encrypted channel, preventing eavesdropping on data in transit. However, VPNs are increasingly seen as inadequate for IoT because they rely on a perimeter-based security model, which assumes that devices and users inside the network can be trusted. If compromised, VPNs can grant attackers broad access to the network.
  • Carrier-delivered private access point names (carrier-delivered private APNs): Some organisations use carrier-delivered private APNs to enhance IoT security by creating isolated, private communication channels within mobile networks. Carrier-delivered private APNs allow IoT devices to connect directly to enterprise systems without using the public internet, reducing exposure to external threats. This isolation strengthens security by segmenting IoT traffic and restricting access to predefined enterprise networks. However, carrier-delivered private APNs also have their limitations. They do not inherently protect against insider threats or vulnerabilities within IoT devices themselves, such as outdated firmware or weak authentication.
  • Device authentication, network access control, and secure boot: Device authentication protocols ensure that only authorised devices can connect to the network, while secure boot mechanisms verify the integrity of IoT devices’ firmware during startup. These measures enhance security but require ongoing firmware updates and strict enforcement to remain effective.
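The device authentication and network access control step in the last bullet can be made concrete. The following Go program is an added illustration, not Ericsson's code or any vendor's product: each device is issued an immutable identity (its own Ed25519 public key signed by the vendor's key at manufacture) and is admitted to the network only after proving possession of the matching private key by signing a fresh nonce chosen by the network. The device IDs, the "vendor" and "network" roles and the choice of Ed25519 are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// NewKeyPair generates an Ed25519 key pair. In a real deployment the vendor's
// signing key would live in an HSM and the device's key in a secure element.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Identity binds a device ID to the device's own public key under the vendor's
// signature. It stands in for a device certificate issued at manufacture and
// cannot be altered without breaking the signature.
type Identity struct {
	DeviceID  string
	Pub       ed25519.PublicKey
	VendorSig []byte
}

// identityBytes is the exact byte string the vendor signs (assumed layout).
func identityBytes(id string, pub ed25519.PublicKey) []byte {
	return append([]byte(id+"|"), pub...)
}

// IssueIdentity is the manufacturing step that signs the device's public key.
func IssueIdentity(vendorPriv ed25519.PrivateKey, id string, pub ed25519.PublicKey) Identity {
	return Identity{id, pub, ed25519.Sign(vendorPriv, identityBytes(id, pub))}
}

// NewNonce is the network's fresh challenge; a new one per admission attempt
// means a captured proof is useless for any later session.
func NewNonce() []byte {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

// Prove is the device's answer: it signs the nonce with its private key.
func Prove(devPriv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(devPriv, nonce)
}

// Admit is the network access control decision. A device is accepted only if
// (1) the presented identity chains to the trusted vendor key and (2) the proof
// is a valid signature over this session's nonce by that identity's key.
func Admit(vendorPub ed25519.PublicKey, idn Identity, nonce, proof []byte) bool {
	if len(idn.Pub) != ed25519.PublicKeySize { // ed25519.Verify panics on bad lengths
		return false
	}
	if !ed25519.Verify(vendorPub, identityBytes(idn.DeviceID, idn.Pub), idn.VendorSig) {
		return false
	}
	return ed25519.Verify(idn.Pub, nonce, proof)
}

func main() {
	vendorPub, vendorPriv := NewKeyPair()
	devPub, devPriv := NewKeyPair()
	idn := IssueIdentity(vendorPriv, "sensor-7", devPub) // constructed device ID

	nonce := NewNonce()
	fmt.Println("genuine device admitted:", Admit(vendorPub, idn, nonce, Prove(devPriv, nonce)))

	// A device presenting a copied identity blob but without the matching private key.
	_, otherPriv := NewKeyPair()
	fmt.Println("copied identity admitted:", Admit(vendorPub, idn, nonce, Prove(otherPriv, nonce)))

	// An old proof replayed against a new challenge.
	old := Prove(devPriv, nonce)
	fmt.Println("replayed proof admitted:", Admit(vendorPub, idn, NewNonce(), old))
}
```

The length check before the first `Verify` is the kind of detail that matters in a network access control service: a malformed identity should be rejected, not crash the admission process. Note also that the identity itself is public; what keeps it from being copied onto another device is that the private key never leaves the original device.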

Best practices for IoT security today

To effectively keep enterprise IoT data and a company’s overall network secure, organisations need layers of IoT security measures. Here are some current strategies to consider:

Zero trust alternatives to VPNs

Transitioning from VPNs to zero trust solutions ensures that every connection request — whether from an IoT device or a remote user — is authenticated, authorised, and encrypted. Zero trust networks provide granular access controls and isolate compromised devices, limiting their ability to spread threats across the network.

For IoT devices that lack the processing power to implement zero trust themselves, consider platforms or gateways that can add zero trust network access (ZTNA) functionality on their behalf.

Physical isolation and air gapping

For highly sensitive environments, physically isolating IoT devices or employing an air gap can provide an extra layer of protection. While not practical for all scenarios, this method is still a strong defence for critical infrastructure or industrial systems.

Microsegmentation

Microsegmentation is a key network security technique to help implement a broader zero-trust approach at a granular level within the network. It isolates workloads, applications, and compromised areas within specific segments, which helps limit the spread of potential breaches.

This approach is not typically done at the router level. Instead, it is often implemented by using host-based firewalls or software-defined networking, which create secure zones where each segment can be secured individually with specific policies.
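The difference between the VPN perimeter model described earlier and the per-request, default-deny evaluation that zero trust and microsegmentation call for is easiest to see in code. The following Go program is an added example, not Ericsson's code or any product's policy engine: a constructed smart-warehouse policy lists the only flows each segment may originate, every other flow is dropped, and a single compromised device can be quarantined without touching the rest of its segment. The segment names, ports, device IDs and the policy itself are assumptions; a real deployment would push equivalent rules into host-based firewalls or an SDN controller.

```go
package main

import "fmt"

// Flow is one connection request as a host-based firewall or SDN controller sees it:
// which device is asking, whether its identity was verified, and the source and
// destination segments and service port. All names and numbers are constructed.
type Flow struct {
	DeviceID      string
	Authenticated bool
	SrcSegment    string
	DstSegment    string
	DstPort       int
}

// Rule permits traffic from one segment to one service port in another.
type Rule struct {
	SrcSegment string
	DstSegment string
	DstPort    int
}

// Policy is a default-deny allow-list plus the set of devices isolated after a
// compromise. Anything not explicitly listed is dropped.
type Policy struct {
	Allow       []Rule
	Quarantined map[string]bool
}

// PerimeterDecide models the VPN-style perimeter model the article describes: once
// a device is inside the tunnel it may reach anything on the network.
func PerimeterDecide(f Flow) bool { return f.Authenticated }

// Decide is the zero trust evaluation: every request must come from an
// authenticated, non-quarantined device and match an explicit allow rule.
func (p *Policy) Decide(f Flow) (bool, string) {
	if !f.Authenticated {
		return false, "unauthenticated device"
	}
	if p.Quarantined[f.DeviceID] {
		return false, "device quarantined"
	}
	for _, r := range p.Allow {
		if r.SrcSegment == f.SrcSegment && r.DstSegment == f.DstSegment && r.DstPort == f.DstPort {
			return true, "matched allow rule"
		}
	}
	return false, "no matching rule (default deny)"
}

// Quarantine isolates one device without disturbing the rest of its segment.
func (p *Policy) Quarantine(id string) { p.Quarantined[id] = true }

// NewWarehousePolicy is a constructed policy for a smart-warehouse example: sensors
// may only publish to the MQTT broker, the broker may only write to the analytics
// store, and nothing in the IoT segments may reach corporate file shares.
func NewWarehousePolicy() *Policy {
	return &Policy{
		Allow: []Rule{
			{"iot-sensors", "iot-broker", 8883},
			{"iot-broker", "analytics", 5432},
		},
		Quarantined: map[string]bool{},
	}
}

func main() {
	p := NewWarehousePolicy()
	flows := []Flow{
		{"sensor-7", true, "iot-sensors", "iot-broker", 8883},  // normal telemetry
		{"sensor-7", true, "iot-sensors", "corp-files", 445},   // sideways move the policy never allows
		{"sensor-7", false, "iot-sensors", "iot-broker", 8883}, // identity check failed
	}
	for _, f := range flows {
		ok, why := p.Decide(f)
		fmt.Printf("%s -> %s:%d  perimeter=%v  zero-trust=%v (%s)\n",
			f.SrcSegment, f.DstSegment, f.DstPort, PerimeterDecide(f), ok, why)
	}
	p.Quarantine("sensor-7") // e.g. after the detection stack flags the device
	ok, why := p.Decide(flows[0])
	fmt.Println("after quarantine:", ok, why)
}
```

The second flow is the one that separates the two models: the perimeter check admits it because the device is "inside", while the segment policy drops it because no rule exists. Quarantining by device ID rather than by segment is what lets an incident responder isolate one sensor while the rest of the fleet keeps reporting.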

Robust device identity and management

Implementing unique, immutable identities for IoT devices and enforcing secure boot processes ensures only authenticated devices are permitted on the network. Regularly updating firmware and applying patches is essential to maintaining device security.
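Secure boot, and the anti-rollback counter that stops a patched vulnerability from being reintroduced by an older signed image, can be shown in a few dozen lines. The following Go program is an added example, not the article's or Ericsson's code: a vendor key signs a small manifest (version plus SHA-256 of the image), and the boot ROM verifies that signature, checks the image against the manifest, and refuses any version older than the highest it has already booted. The manifest layout, the key handling and the sample images are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest describes a firmware image: a monotonically increasing version and
// the SHA-256 of the image bytes. The vendor signs this small structure rather
// than the whole image, so the boot ROM verifies one signature and one hash.
type Manifest struct {
	Version uint32
	Digest  [32]byte
}

// Bytes is the fixed-layout encoding that is signed and verified (assumed layout).
func (m Manifest) Bytes() []byte {
	b := make([]byte, 4+32)
	binary.BigEndian.PutUint32(b, m.Version)
	copy(b[4:], m.Digest[:])
	return b
}

// SignedFirmware is what the update channel delivers to the device.
type SignedFirmware struct {
	Image     []byte
	Manifest  Manifest
	Signature []byte
}

// SignFirmware is the vendor-side build step (the key would live in an HSM).
func SignFirmware(vendorPriv ed25519.PrivateKey, version uint32, image []byte) SignedFirmware {
	m := Manifest{Version: version, Digest: sha256.Sum256(image)}
	return SignedFirmware{Image: image, Manifest: m, Signature: ed25519.Sign(vendorPriv, m.Bytes())}
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrDigest       = errors.New("image digest does not match manifest")
	ErrRollback     = errors.New("firmware older than anti-rollback counter")
)

// Device models boot ROM state: the vendor public key burned in at manufacture
// and the highest firmware version ever booted (the anti-rollback counter). In
// hardware the counter sits in one-time-programmable fuses or a monotonic
// counter so that compromised firmware cannot wind it back.
type Device struct {
	VendorPub  ed25519.PublicKey
	MinVersion uint32
}

// SecureBoot runs the checks a boot ROM performs before handing control to
// firmware, in this order: manifest signature, image integrity, anti-rollback.
// The counter advances only after all three pass.
func (d *Device) SecureBoot(fw SignedFirmware) error {
	if !ed25519.Verify(d.VendorPub, fw.Manifest.Bytes(), fw.Signature) {
		return ErrBadSignature
	}
	if sha256.Sum256(fw.Image) != fw.Manifest.Digest {
		return ErrDigest
	}
	if fw.Manifest.Version < d.MinVersion {
		return ErrRollback
	}
	d.MinVersion = fw.Manifest.Version
	return nil
}

func main() {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	dev := &Device{VendorPub: vendorPub, MinVersion: 2}

	fw := SignFirmware(vendorPriv, 3, []byte("constructed firmware image v3"))
	fmt.Println("boot v3:", dev.SecureBoot(fw))
	fw.Image[0] ^= 0xff // image corrupted in transit
	fmt.Println("boot corrupted v3:", dev.SecureBoot(fw))
	old := SignFirmware(vendorPriv, 1, []byte("constructed firmware image v1"))
	fmt.Println("boot v1 after v3:", dev.SecureBoot(old))
}
```

Two design points are worth noting. The rollback check compares against the highest version ever booted, not the version currently installed, so an attacker who can write flash still cannot downgrade past a fix. And a real boot ROM would fall back to a recovery image on any error rather than returning it; the error values here exist so the reader can see which check failed.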

AI-driven threat detection

Automated tools that use machine learning to monitor IoT traffic for suspicious behaviour can proactively identify threats. By analysing device patterns and flagging anomalies, these systems provide early warnings and enable rapid incident response.
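To make the anomaly-flagging idea concrete, the following Go program is an added example (not Ericsson's code and not any product's detection logic). It learns a per-device baseline from a window of constructed traffic summaries, then flags live records that go to a destination the device has never used, carry far more bytes than its usual interval, or come from a device with no baseline at all. The device names, addresses, byte counts and the z-score threshold are constructed assumptions; a production system would use richer features and a model with far more history than a mean and a standard deviation.

```go
package main

import (
	"fmt"
	"math"
)

// Record is one per-interval traffic summary for a device, as a flow collector might export it. All values are constructed.
type Record struct {
	Device string
	Dest   string // destination host:port
	Bytes  float64
}

type Baseline struct {
	Dests    map[string]bool // destinations seen during training
	Mean, SD float64         // bytes per interval
}

type Alert struct {
	Record  Record
	Reasons []string // every check the record tripped
}

// Learn builds per-device baselines from a training window of normal traffic.
func Learn(training []Record) map[string]*Baseline {
	bytesBy, out := map[string][]float64{}, map[string]*Baseline{}
	for _, r := range training {
		if out[r.Device] == nil {
			out[r.Device] = &Baseline{Dests: map[string]bool{}}
		}
		out[r.Device].Dests[r.Dest] = true
		bytesBy[r.Device] = append(bytesBy[r.Device], r.Bytes)
	}
	for dev, xs := range bytesBy {
		var mean, variance float64
		for _, x := range xs {
			mean += x
		}
		mean /= float64(len(xs))
		for _, x := range xs {
			variance += (x - mean) * (x - mean)
		}
		sd := math.Sqrt(variance / float64(len(xs)))
		if sd < 1 { // a perfectly regular device would otherwise give a zero divisor
			sd = 1
		}
		out[dev].Mean, out[dev].SD = mean, sd
	}
	return out
}

// DetectAnomalies flags records from a device with no baseline, records to a destination
// never seen in training, and records more than zThreshold standard deviations above the mean.
func DetectAnomalies(training, live []Record, zThreshold float64) []Alert {
	bl := Learn(training)
	var alerts []Alert
	for _, r := range live {
		b, ok := bl[r.Device]
		if !ok {
			alerts = append(alerts, Alert{r, []string{"device has no baseline"}})
			continue
		}
		var reasons []string
		if !b.Dests[r.Dest] {
			reasons = append(reasons, "new destination "+r.Dest)
		}
		if z := (r.Bytes - b.Mean) / b.SD; z > zThreshold {
			reasons = append(reasons, fmt.Sprintf("volume z-score %.1f", z))
		}
		if len(reasons) > 0 {
			alerts = append(alerts, Alert{r, reasons})
		}
	}
	return alerts
}

// SampleTraining: constructed normal behaviour, a sensor publishing ~2 KB per interval to the MQTT broker and a camera uploading ~8 KB to storage.
func SampleTraining() []Record {
	s, c := "broker.internal:8883", "storage.internal:443"
	return []Record{
		{"sensor-7", s, 2000}, {"sensor-7", s, 2100}, {"sensor-7", s, 1900}, {"sensor-7", s, 2050}, {"sensor-7", s, 1950},
		{"camera-2", c, 8000}, {"camera-2", c, 8200}, {"camera-2", c, 7800},
	}
}

// SampleLive: a constructed interval in which sensor-7 suddenly sends a large volume to an address it has never contacted.
func SampleLive() []Record {
	return []Record{
		{"sensor-7", "broker.internal:8883", 2080},
		{"camera-2", "storage.internal:443", 8100},
		{"sensor-7", "203.0.113.9:445", 50000},
	}
}
func main() {
	for _, a := range DetectAnomalies(SampleTraining(), SampleLive(), 3) {
		fmt.Printf("ALERT %s -> %s (%.0f bytes): %v\n", a.Record.Device, a.Record.Dest, a.Record.Bytes, a.Reasons)
	}
}
```

Running it produces a single alert carrying both reasons, which is the behaviour a responder wants: one event per record, with every signal that fired attached, rather than two separate alerts to correlate by hand. The "no baseline" branch is the edge case that matters most on a growing fleet, since a device the monitoring has never seen is exactly the one that should not be silently trusted.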

Endpoint protection for IoT

Lightweight endpoint security solutions tailored for IoT devices can provide protection against malware and unauthorised access. This is particularly valuable for IoT systems in healthcare or finance, where data privacy is critical.

Vendor collaboration

Organisations should work closely with IoT manufacturers to ensure devices meet security standards, including secure firmware updates and compliance with established security protocols. Partnering with vendors committed to security reduces risks across the device lifecycle.

How will IoT security continue to evolve over the next few years?

The future of IoT security will be shaped by smarter tools like AI and machine learning that can scan vast amounts of device data and spot suspicious behaviour in real time — things humans would struggle to catch quickly. That said, AI is a double-edged sword: it will supercharge detection and prevention, but attackers will also use it to craft faster, more sophisticated attacks, so defences need to keep pace.

Predictive analytics will let companies find and fix weak spots before they are exploited, and technologies like blockchain could make device identities and data exchanges more trustworthy. As IoT environments get more complex, adopting zero-trust architectures to verify every device and limit access will become essential. By combining these technologies with strong vendor partnerships and a shift from reactive to proactive security practices, organisations will be better positioned to protect their IoT networks against ever-changing threats.

