Securing IoT: Job #1 for Everyone
If you’ve followed my blogs for long, you know I’m a big believer in the Internet of Things (IoT). IoT is part of a digital transformation that will revolutionize virtually every industry—manufacturing, healthcare, mining, transportation, agriculture, and the list goes on. But to fulfill its promise, IoT must be secure.
Today, I would give the overall state of IoT security the grade “C+.” We have made progress, but security remains the greatest barrier to IoT adoption. Just last week, researchers disclosed the “BlueBorne” attack vector, which puts at risk an estimated 5.3 billion smartphones, printers, and IoT devices that communicate over Bluetooth.
IoT also represents a huge opportunity. A new report from IoT Analytics predicts that in the next five years IoT security will grow into a $4.4 billion worldwide market.
To be fair, IoT presents a unique security challenge: It is more distributed, more heterogeneous, and more dynamic than traditional IT security environments. It also introduces new scenarios (think networks of connected cars or sensor swarms) and new elements (a plethora of traditionally unconnected consumer-class devices) that require brand new approaches to security. And in many cases, IoT deployments operate in mission-critical situations, where a security breach could bring down a whole production line or transportation system.
Like the Internet of Things itself, the increasingly complex world of IoT security requires unprecedented levels of collaboration, cooperation, and co-innovation along the entire IoT value chain. Rather than assuming that cybersecurity is someone else’s job, everyone should have a sense of personal responsibility for keeping IoT secure.
Own your role in IoT security
IoT security isn’t just the Chief Information Security Officer’s (CISO) job; it’s everybody’s job throughout the value chain—from manufacturers to end users.
It starts with device vendors. Too often, device connectivity (especially for consumer-class devices) is an add-on feature with little consideration for enterprise-level requirements, security included. Unlike highly standardized personal computers, servers, or smartphones, IoT devices vary widely in capabilities, which makes it difficult to apply consistent security controls across all of them. It has also been a challenge to convince device vendors, especially consumer device makers, to invest in security. They often view the extra cost, complexity, and time to market as burdens with unclear payoff. Thus, it’s no wonder that we still find rudimentary weaknesses such as default usernames and passwords hard-coded into these devices. And attackers are more than happy to exploit them.
Security vendors are responding just as they did 15 years ago when Wi-Fi took off and consumer-class Wi-Fi clients started proliferating across enterprises. Granted, the challenge back then was at a significantly smaller scale and complexity. Still, the industry got together to work on standards, interoperability, and certifications, and we’re doing the same thing for IoT today. I’m glad to say that following last year’s IoT-powered Distributed Denial of Service (DDoS) attacks (the Mirai botnet), pretty much all major security vendors have finally started to invest appropriately in IoT security.
Standards are evolving in horizontal and vertical standards bodies and in consortia. For example, the Internet Engineering Task Force (IETF) is developing Manufacturer Usage Description (MUD), a standard under which a manufacturer publishes a description of how its device is expected to communicate, so that the network can restrict the device to exactly that behavior and detect and block anything anomalous. Other organizations such as the Industrial Internet Consortium’s (IIC) security working group and IEEE have also been very active in developing IoT security frameworks, standards, and methodologies to help ensure cybersecurity across interconnected IoT systems. In vertical standards bodies such as ODVA or ISA, IT and operational technology (OT) practitioners develop industry-specific best practices and combine them with these horizontal approaches.
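To make the IETF work concrete, here is an added illustration (my own example code, not part of the original post, and not a real manufacturer’s MUD file or any vendor’s product code). It embeds a constructed MUD file whose layout follows the RFC 8520 data model, then checks a handful of constructed flows, as a gateway might observe them, against it. The device name, hostnames, addresses, and flows are all made up; the point is the allow-list semantics: the device may talk only to the peers and ports its manufacturer declared, and everything else, such as a Mirai-style telnet scan of a neighbour, is dropped.

```python
"""Check observed IoT device flows against a MUD-style allow-list.

Constructed example: the MUD file and the flows are made up for illustration.
The JSON layout follows the RFC 8520 data model (the "ietf-mud:mud" container
names the ACLs for device-originated traffic; the ACLs use the IETF ACL model
with MUD's "ietf-acldns" and "direction-initiated" extensions). Many optional
fields, and the to-device (return traffic) policy, are omitted; the enforcement
point is assumed to be stateful so replies to accepted flows pass.
"""
import json

MUD_FILE = json.loads(r'''
{
  "ietf-mud:mud": {
    "mud-version": 1,
    "mud-url": "https://sensors.example.com/mud/pressure-sensor-v2.json",
    "last-update": "2017-09-20T10:00:00+00:00",
    "cache-validity": 48,
    "is-supported": true,
    "systeminfo": "Example pressure sensor (constructed)",
    "from-device-policy": {
      "access-lists": {"access-list": [{"name": "mud-ps2-v4fr"}]}
    }
  },
  "ietf-access-control-list:acls": {
    "acl": [{
      "name": "mud-ps2-v4fr",
      "type": "ipv4-acl-type",
      "aces": {"ace": [
        {"name": "telemetry-out",
         "matches": {
           "ipv4": {"ietf-acldns:dst-dnsname": "ingest.sensors.example.com",
                    "protocol": 6},
           "tcp": {"ietf-mud:direction-initiated": "from-device",
                   "destination-port": {"operator": "eq", "port": 443}}},
         "actions": {"forwarding": "accept"}},
        {"name": "ntp-out",
         "matches": {
           "ipv4": {"ietf-acldns:dst-dnsname": "ntp.sensors.example.com",
                    "protocol": 17},
           "udp": {"destination-port": {"operator": "eq", "port": 123}}},
         "actions": {"forwarding": "accept"}}
      ]}
    }]
  }
}
''')

def _port_ok(spec, port):
    # Only the "eq" operator is modelled; the ACL model also allows ranges.
    return spec is None or (spec["operator"] == "eq" and spec["port"] == port)

def _ace_matches(ace, flow):
    m = ace["matches"]
    ip = m.get("ipv4", {})
    if ip.get("protocol") not in (None, flow["protocol"]):
        return False
    # MUD names peers by DNS name, not address; the enforcement point maps the
    # name to addresses (e.g. from the device's own DNS lookups). Here the flow
    # already carries the resolved name, or the raw IP when there is none.
    if "ietf-acldns:dst-dnsname" in ip and ip["ietf-acldns:dst-dnsname"] != flow["dst_name"]:
        return False
    l4 = m.get("tcp") or m.get("udp") or {}
    if l4.get("ietf-mud:direction-initiated", "from-device") != flow["direction"]:
        return False
    return _port_ok(l4.get("destination-port"), flow["dst_port"])

def evaluate(mud, flow):
    """Return (decision, matching ACE name); MUD is an allow-list, so no match means drop."""
    policy = mud["ietf-mud:mud"]["from-device-policy"]["access-lists"]["access-list"]
    acls = {a["name"]: a for a in mud["ietf-access-control-list:acls"]["acl"]}
    for ref in policy:
        for ace in acls[ref["name"]]["aces"]["ace"]:
            if _ace_matches(ace, flow):
                return ace["actions"]["forwarding"], ace["name"]
    return "drop", None

# Constructed flows as a gateway might observe them for this device.
OBSERVED_FLOWS = [
    {"direction": "from-device", "dst_name": "ingest.sensors.example.com", "protocol": 6, "dst_port": 443},
    {"direction": "from-device", "dst_name": "ntp.sensors.example.com", "protocol": 17, "dst_port": 123},
    # Not in the manufacturer's description: a telnet attempt to a neighbouring
    # host, the kind of lateral scan the 2016 IoT botnets performed.
    {"direction": "from-device", "dst_name": "10.20.30.44", "protocol": 6, "dst_port": 23},
]

def audit(mud, flows):
    return [evaluate(mud, f)[0] for f in flows]

if __name__ == "__main__":
    for flow, verdict in zip(OBSERVED_FLOWS, audit(MUD_FILE, OBSERVED_FLOWS)):
        print(f"{verdict:6s} {flow['dst_name']}:{flow['dst_port']} proto {flow['protocol']}")
```

Two things worth noticing. First, the manufacturer never lists what the device must not do; it only lists what it needs, and the network derives the deny from that, which is why a hard-coded-credential device behind a MUD-enforcing switch still cannot join a scanning botnet even if it is compromised. Second, the model is only as trustworthy as the binding between the device and its MUD URL (RFC 8520 delivers it via DHCP, LLDP, or an 802.1AR certificate), so the policy belongs at the network enforcement point, not on the device the attacker may already control.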
Governments have a role in overcoming these security challenges as well. In the United States, the Federal Trade Commission has recently released new guidelines for how manufacturers should inform customers about device security, including whether and how the device can receive security updates, and the anticipated timeline for the end of security support. However, it is critical that governments work closely with the industry to establish consensus around a core set of requirements at the device level that address critical security, data protection, and privacy needs. Such baseline capabilities will also facilitate richer interactions between devices and the network, so that IT professionals have the tools to manage security effectively in the face of the rapid proliferation of Internet-connected technologies.
Businesses are also evolving rapidly. Back in the day when industrial enterprises ran self-contained, proprietary systems, isolation passed for security, often dressed up as “security by obscurity”: if you’re not connected to anything, no one can break in. That approach no longer applies in today’s connected IoT environment (if it ever did), so businesses must rely on a policy-based architectural approach and ask CISOs to own security strategy for the entire enterprise.
Start with a few best practices
So, how do we get our heads around the IoT security challenges? First, we must realize that if we want to enjoy the full benefits of connected systems, there is no silver bullet or foolproof solution ensuring complete IoT security. Nonetheless, everyone can make informed decisions around risk versus cost by applying a few key principles:
- Use risk assessments to determine how much risk you can tolerate for each system and business process. Then use policies, analytics, and automation to enable your systems to prioritize, contain, and defeat attacks based on these assessments. Engage top management in this process since enterprise security issues already put their jobs on the line.
- Take an architectural approach, break down current functional silos, engage with your CISO to create a unified and policy-based security architecture across the enterprise, and design security into everything, right from the start.
- Minimize “Shadow IT.” To avoid compromising enterprise-wide security, work with your IT and security teams to “bring into the fold” all the teams and departments implementing their own tools, devices, and connections.
- Adopt a comprehensive before/during/after approach. Implement strategies before an attack to prevent unauthorized access (from both external and internal players). During an attack, quickly identify the breach and shut it down. Then, after the attack, assess and minimize the damage—and adjust security practices based on lessons learned.
- Integrate physical security and digital security. Many attacks on IoT systems originate inside the organization or begin with physical access to a device. Thus, implementing security best practices that include both physical security (including tailgating prevention policies and use of biometrics to control access) and digital security (role-based access, etc.) is essential.
- Adopt industry-supported standards. Proprietary approaches will cripple your security efforts down the road and increase their cost.
- Automate and monitor IoT security end-to-end. Build in intelligence and predictive analytics. The fast-growing volume of IoT activity will quickly swamp manual efforts, even in small organizations. We suffer from a severe shortage of security experts—especially in IoT—and this challenge will continue. Automation and deployment of smart tools is the answer.
- Apply well-established best practices such as device and traffic segmentation, and use a multi-tenant network infrastructure to contain problems. It’s one thing to have a DDoS attack that shuts down employee access to the HR system for a few hours. It’s quite a different thing to have a breach that crashes your production line. So keep user-facing and IT components separate from critical OT infrastructure.
- Keep your systems up to date. According to a recent Verizon study, most security incidents in enterprises take advantage of known vulnerabilities (things we know are broken and know how to fix). So, be rigorous about applying patches and keeping your systems up to date.
- Finally, educate everyone about security practices and policies. This includes employees, partners, vendors—everyone in your business ecosystem. Remember that your security architecture is only as good as its weakest link.
It’s a journey
Like IoT itself, IoT security is never “one and done.” It’s a journey. For most organizations, the logical first step is to leverage the 30+ years of experience and best practices that IT security has given us. You don’t need to reinvent the wheel. Instead, take a comprehensive, strategic, policy-based architectural approach by extending and enhancing current IT security architectures to cover IoT devices, infrastructure, solutions, and use cases. Then evolve your technologies and security practices as the threats evolve. Treat IoT security as an ongoing process, like the IoT journey itself. And that begins with making security job one for everyone.
How are you approaching IoT security in your organization?