From smart buildings to environmental monitoring, IoT devices are everywhere, but this widespread adoption is raising new challenges, particularly in securing and managing the devices remotely.
IoT devices offer unparalleled benefits, extending capabilities in many sectors. In smart buildings, for example, IoT devices manage energy use and improve security systems. Environmental monitoring relies on IoT to track air quality, water levels, and other metrics. And so on. However, such applications require reliable remote access to ensure continuous operation and prompt troubleshooting.
While many IoT devices do nothing more than send information to an IoT platform, a significant and growing number require remote access for controlling processes, making updates and troubleshooting. This access typically involves an internet-based user or system initiating a session to connect remotely to a device or gateway. This requires the device to be uniquely identifiable on the public internet, a need usually met through the use of static public IP addresses and VPNs.
Issues and limitations of traditional deployment approaches
This traditional approach of assigning static public IP addresses for remote access has several drawbacks.
- Firstly, the depletion of IPv4 addresses has led to higher costs for static IP addresses. While paying £5 to £25 per month per address may be manageable where just a few devices are involved, it can swiftly become prohibitive when scaling up to hundreds or thousands of devices.
- Another concern is scalability. While configuring VPN tunnels for remote access is usually feasible for a small number of devices, as the project scales, the configuration becomes increasingly time-consuming and complex.
- Security is also a significant issue with static public IP addresses. These addresses make devices visible and directly routable from the public internet, exposing them to cyber threats. The 2024 mid-year SonicWall Cyber Security report emphasises the risks, highlighting a 107% increase in cyber-attacks on IoT devices in the first half of the year. Vulnerabilities such as the TP-Link command injection flaw and Zyxel Remote Code Execution are prime targets for attackers, leading to the spread of malware like Mirai, which hijacks IoT devices to form botnets capable of large-scale DDoS attacks.
IoT devices and their risk to security
The rise in IoT-related cyber-attacks is a testament to the vulnerabilities inherent in these devices. IoT devices often lack robust security measures, making them easy targets for cybercriminals. The TP-Link command injection vulnerability (CVE-2023-1389), which has seen a significant spike in attacks, is a clear example. This flaw allows attackers to exploit IoT devices, resulting in the spread of the Mirai malware. Mirai hijacks the devices to create botnets, which are then used to carry out large-scale Distributed Denial-of-Service (DDoS) attacks. Similarly, the Zyxel Remote Code Execution flaw has been exploited extensively, affecting a significant percentage of small businesses.
These vulnerabilities underline the urgent need for more secure IoT remote access solutions. As IoT devices continue to proliferate, the potential attack surface expands, making it increasingly important to adopt strategies that mitigate these risks.
Secure private networks: the better alternative
Given the limitations and security risks associated with static public IP addresses, a more secure and cost-effective solution using static private IP addresses on a secure, private network becomes increasingly appealing.
These private addresses are hidden from the public internet behind a single, fixed public IP address, using port forwards that map specific public ports to corresponding ports on the private addresses. This approach not only significantly enhances security, but also reduces the cost profile, with customers paying around £1 per month for the single public IP address required for remote access to all devices.
Further security can be applied with the use of access control lists, which lock down inbound remote access traffic to specified IP address sources. Secure remote access can also be provided via a single SSL VPN login to a centrally hosted enterprise-grade firewall solution. This setup offers direct access to devices configured with private IP addresses, simplifying scalability and reducing costs.
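The port-forward and access-control-list design described above can be checked before it is deployed. The following is an added example, not code from the article or from any vendor: it models a forwarding plan in Python, resolves which inbound connections reach which private device, and flags entries that weaken the design. The `Forward` record, the function names, the ports and all addresses are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class Forward:
    public_port: int        # port on the single public IP
    private_ip: str         # device's static private address
    private_port: int
    allowed_sources: tuple  # ACL: CIDRs permitted to use this forward

def resolve(forwards, src_ip, dst_port):
    """Return (private_ip, private_port) for a permitted inbound connection, else None."""
    src = ipaddress.ip_address(src_ip)
    for f in forwards:
        if f.public_port == dst_port:
            if any(src in ipaddress.ip_network(c) for c in f.allowed_sources):
                return (f.private_ip, f.private_port)
            return None  # port is forwarded, but the source is not on the ACL
    return None  # no forward: the device is not reachable on this port

def audit(forwards):
    """Flag forwards that undo the benefit of hiding devices behind one public IP."""
    findings, seen = [], set()
    for f in forwards:
        if f.public_port in seen:
            findings.append((f.public_port, "duplicate public port"))
        seen.add(f.public_port)
        if not any(ipaddress.ip_address(f.private_ip) in n for n in RFC1918):
            findings.append((f.public_port, "target is not a private address"))
        if not f.allowed_sources:
            findings.append((f.public_port, "empty ACL, forward is unusable"))
        if any(ipaddress.ip_network(c).prefixlen == 0 for c in f.allowed_sources):
            findings.append((f.public_port, "ACL allows any source"))
    return findings

# Constructed sample plan: documentation-range sources, RFC 1918 devices.
PLAN = [
    Forward(8001, "10.20.0.11", 443, ("198.51.100.0/24",)),
    Forward(8002, "10.20.0.12", 22, ("198.51.100.7/32", "203.0.113.0/28")),
    Forward(8003, "10.20.0.13", 80, ("0.0.0.0/0",)),
]

if __name__ == "__main__":
    print(resolve(PLAN, "198.51.100.25", 8001))  # permitted source
    print(resolve(PLAN, "192.0.2.9", 8001))      # source not on the ACL
    print(audit(PLAN))
```

The third entry in the sample plan is deliberately left open to any source so that the audit has something to report; a forward like that is as exposed on its port as a device with its own public address.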
Tangible benefits for real-world applications in the public sector
This secure, private network approach has numerous real-world applications. For instance, in social housing, many councils today deploy environmental sensors to monitor conditions such as mould and dampness. These sensors collect potentially sensitive information, requiring secure remote access solutions to protect against cyber threats.
Organisations can also benefit from improved operational efficiencies. The reduced need for more complex infrastructure not only lowers the risk of system failures but also allows for the use of lower-cost devices. This private network approach can eliminate the need for additional encryption, with reduced data overheads. Moreover, the ability to deploy devices with less powerful processors and lower energy consumption aligns with the sustainability goals of many organisations.
Additionally, it simplifies the deployment process, resulting in less configuration and installation time, which is crucial for public sector IT teams that are often already stretched thin.
Requiring just a single VPN for secure remote access to all devices and gateways, this approach provides a far more efficient, sustainable, and secure remote access solution while reducing costs and deployment time.
A secure and efficient alternative for IoT device remote access
As businesses and the public sector continue to embrace IoT technologies, the need for secure, cost-effective remote access solutions becomes increasingly critical. Static public IP address solutions pose significant security risks and scalability issues, and using static private IP addresses with secured port forwards on a centralised firewall is one way to address these challenges.
This approach of leveraging private networks ensures that IoT devices remain protected from cyber threats while simplifying network management and reducing costs. As the IoT landscape evolves further, remote access solutions of this kind ensure that IoT deployments are not only secure and efficient but also sustainable.
And then…future-proofing with IPv6
As a final observation, while the private network approach offers immediate security, efficiency and cost benefits, it is always important to consider future-proofing IoT deployments. The rapidly depleting IPv4 address space dictates a need to explore alternatives such as IPv6, which offers near-limitless address space, and which we will review as a credible long-term IoT connectivity solution in our next article.
This work is licensed under Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International.