What is IoT security?

IoT security describes the processes, tools and strategies for securing physical internet of things devices and the networks they connect to.

Internet connectivity has taken on new meaning in recent years. No longer restricted to internet-enabled computers and laptops, today’s digital landscape extends past the user and allows for the direct interaction of physical objects supported by built-in sensors, software and other technology. This new internet of things (IoT) provides increased user convenience, allowing individuals to perform complex tasks easily through smart, connected, everyday devices. Businesses likewise benefit, collecting and analysing user data to enhance customer service and improve decision-making capabilities.

But while IoT carries with it many key advantages, it also introduces a growing risk. This is because the current IoT is made up of billions of connected devices, and each one represents a possible threat vector for cybercriminals attempting to gain unauthorised access to sensitive networks. To combat this threat, organisations are investing in a new form of cybersecurity: IoT security.

Until relatively recently, business and personal networks operated with few potential access points. But IoT devices changed all of that. Every new thing—from the fitness tracker worn on a user’s wrist to the IP cameras stationed around an office—becomes a vulnerability. Often, these smart objects lack the more robust protection afforded to traditional devices, making them obvious targets. And when hackers breach IoT defences, they not only gain access to sensitive user data but may also move laterally into the rest of the network.

In other words, unsecured IoT can act as an unguarded backdoor to your systems and databases. And just like IoT itself, the number and types of threats are growing.

IoT creates an exponentially expanding attack surface that can be extremely difficult to defend. But what makes IoT even more dangerous is that many of the devices themselves operate under obsolete security standards. Without the benefit of modern IT-based malware prevention, IoT devices may fall prey to outdated attacks that would otherwise pose no threat to the network. At the same time, cybercriminals are creating sophisticated new tactics designed specifically to overcome IoT defences.

Examples of major IoT security threats include:

  • IoT worms
    Probably the most common IoT threat are IoT worms. These kinds of malicious software self-replicate and self-propagate, spreading throughout networks to take control of uninfected systems.
  • IoT botnets
    Often used to launch distributed denial-of-service (DDoS) attacks, botnets are collections of compromised IoT devices (such as routers) that have been infected with malware.
  • IoT ransomware
    IoT ransomware allows cybercriminals to take control of IoT devices to lock out authorised users. The hacker then demands payment in exchange for unlocking the device.
  • Man-in-the-middle attacks
    Unencrypted IoT devices may fall victim to man-in-the-middle (MitM) attacks, where a hacker will position themselves between the device and the network, eavesdropping on communications.
  • Firmware hijacking
    Cybercriminals may hijack an IoT device by sending users fake firmware update notifications linking to malicious websites.

Thanks to IoT’s ever-increasing attack surface, IoT security must likewise be extensive, covering a broad range of security methodologies. These methodologies must be capable of defending IoT devices and networks from various threats, old and new. Essential IoT security methods include:

API security

Application Programming Interface (API) is a form of software intermediary that enables applications to exchange information securely by validating and sanctioning data movement. As IoT devices exchange information with backend systems, organisations can employ API security to ensure that only authorised devices and users are interacting with the API.

Gateway security

IoT security gateways create another layer of defence between devices and networks. These gateways have the authority to deploy barriers (such as firewalls) to keep cybercriminals from moving through compromised devices into other connected systems.


Network access control (NAC) creates an inventory of all IoT devices connected to the network, empowering organisations with a solid foundation for monitoring devices and responding to anomalies.

Network security

Because the goal of many IoT attacks is to gain access to a private network, network security is an important consideration for any IoT connected business. Network security encompasses digital and physical components and includes anti-malware, port security, intrusion detection and protection, IP management and more.

Patch management

One advantage of connected devices is that their vulnerabilities can be addressed. Regular patching and updating of IoT objects (either through automation or over networks) helps ensure that known vulnerabilities are accounted for.

PKI authentication

Public key infrastructure (PKI) uses a two-key asymmetric cryptosystem, using digital certificates to enhance the effectiveness of encryption and decryption of IoT data. PKI is a major component of e-commerce.


Segmentation is an approach to IoT security that posits that IoT devices that connect to the internet should be segmented into their own separate networks and only allowed to access the primary network on a restricted basis. This allows businesses to monitor IoT networks more closely and to identify suspicious behaviour before it can go any further.

Although there are many different methodologies that each play a part in IoT security, there are also issues that make securing IoT devices a difficult prospect. Here, we highlight some of the challenges that may prevent an organisation from achieving a complete IoT security posture:

  • Lack of visibility/shadow IT
    As IoT devices become more ubiquitous, they are also becoming harder to account for. Users will often deploy their own IoT devices on company networks without the knowledge of the IT department, making it impossible to effectively monitor these new network access points.
  • Massive attack surface
    With every new wearable fitness tracker, digital assistant or smart light bulb brought into an organisation, the number of potentially exploitable vulnerabilities increases. Larger attack surfaces require more cost and energy to secure.
  • Difficult integration
    Most businesses rely on a variety of security tools. As new IoT devices are introduced, integrating these third-party devices with existing solutions may be problematic.
  • Open-source software
    Many IoT devices incorporate open-source software which uses publicly available code. Attackers can easily access information about the code to discover exploitable vulnerabilities.
  • Unmanageable data loads
    When it comes to data, it is possible to have too much of a good thing. An ever-increasing number of IoT devices can create an overload of data, making it difficult to manage and secure.
  • Weak user credentials
    Many IoT devices are designed for out-of-the-box deployment and include default passwords which users are then encouraged to change. Unfortunately, too often these place-holder passwords do not get updated, providing attackers with direct access.
  • Insufficient computer power
    Most IoT devices are small and may not have enough computing power to integrate important security software.

In most cases, the IoT devices that businesses purchase and deploy are not built for security. It therefore falls on the organisations and their IT departments to secure all connected objects that join or communicate with enterprise networks. To successfully integrate IoT in a way that does not open the doors for threat actors, consider the following best practices:

Prioritise risk

Most businesses have limited security resources. Apply these resources where they are most needed by prioritising those devices that connect directly with sensitive networks or handle valuable business or customer data.

Use device discovery

You can’t defend what you can’t see. Device discovery will take a thorough inventory of a company network and everything connected to it, giving IT a detailed account of every item, its technical details, and more. This can then be used to create a risk profile of the device.

Adopt strong user-credential policies

As previously mentioned, something as basic as a weak password can completely compromise an IoT device. Companies should create strong password policies and make sure that any device that connects to the network meets these standards — whether it’s owned by the organisation or the user.

Be proactive about updating

IoT devices don’t always have the same automatic updating capabilities as more traditional IT systems. Regularly visit the manufacturer’s website to see if any new security patches have been released. If they have, download and apply them as quickly as possible.

Constantly monitor network activity

Given their limited computing power, constant monitoring of IoT devices may not be an option. If you can’t track and monitor the devices themselves, focus instead on monitoring your networks. Implement real-time network monitoring to identify any anomalous behaviour that may be originating from your IoT endpoints.

Internet connectivity is so much more than it once was, and that creates distinct challenges for businesses that incorporate IoT devices into their networks. To prevent these new advances in smart technology from becoming exploitable vulnerabilities, organisations need reliable security solutions capable of matching the evolving needs of IoT.

ServiceNow Security Incident Response and Connected Operations empower businesses of all kinds with the tools and support they need to protect their valuable networks. Enjoy total transparency for all connected devices and get real-time device health updates. Bring together security operations and data loss prevention (DLP) to quickly contain and mitigate security incidents. Apply advanced automation capabilities to handle essential tasks and connected workflows. And manage it all through the single, centralised location of the award-winning Now Platform®.

Learn more about how ServiceNow can improve your IoT security posture; demo ServiceNow today!

Get started with SecOps

Identify, prioritise, and respond to threats faster.

Loading spinner