For the past couple of weeks, security and the Internet of Things (IoT) have been in the news like never before. During the first few days after the massive distributed denial of service (DDoS) attack on domain name service Dyn, I almost couldn’t look at a news outlet without seeing or hearing a discussion highlighting the security vulnerabilities of IoT.
As it turned out, this DDoS attack could have been prevented simply by requiring users to reset the default passwords on Internet-connected cameras during the setup process. This proves once again that most security breaches take advantage of well-known vulnerabilities that haven’t been addressed, despite ample alerts.
And while the attack caused a great deal of inconvenience to users of Twitter, Netflix, Spotify, and the like, it did have its upside, shining a bright light on the need for a comprehensive approach to security in IoT deployments. Bottom line: IoT security is everybody’s responsibility. Users, manufacturers, integrators, security vendors, technology vendors, IT teams, Operational Technology teams, employees—all of us have a role to play.
In an upcoming blog, I’ll talk more about security as a key ingredient in my recipe for IoT success. But for now, I’ll highlight some basic principles and best practices.
The first thing to realize is that there is no such thing as foolproof IoT security if you want to enjoy the benefits of connected systems. Even physical isolation doesn’t work—as demonstrated by the Stuxnet virus, which made its way into industrial operations via a thumb drive. But you can make informed risk vs. cost decisions by applying a few principles:
- Use risk assessments to determine how much risk you can tolerate for each system and business process. Then use policies, analytics, and automation to enable your systems to prioritize, contain, and defeat attacks based on these assessments. Engage top management in this process, since enterprise security issues already put their jobs on the line.
- Take an architectural approach, break down current silos, create a unified enterprise policy-based security architecture, and design security into everything, right from the start. Don’t just bolt on security at the end.
- Minimize “Shadow IT.” Work with your IT and security teams to “bring into the fold” the teams and departments implementing their own tools, devices, and connections—and compromising enterprise security in the process.
- Adopt a comprehensive before/during/after approach. Implement strategies before an attack to prevent unauthorized access (from both external and internal players). During an attack, quickly identify the breach and shut it down. Then, after the attack, assess and minimize the damage—and adjust security practices based on lessons learned.
- Integrate physical security and digital security. Many IoT security attacks originate inside the organization. Thus, implementing security best practices that include both physical security (including tailgating prevention policies and use of biometrics to control access) and digital security (role-based access, etc.) is essential.
- Adopt industry-supported standards. Proprietary approaches will cripple your security efforts down the road.
- Automate and monitor IoT security end-to-end. Build in intelligence and predictive analytics. Manual efforts will quickly be swamped by the volume of IoT activity, even in small organizations.
- Segment traffic and use a multitenant network infrastructure to isolate problems. It’s one thing to have a DDoS attack that shuts down employee access to the HR system for a few hours—and quite a different thing to have a breach that crashes your production line. So keep interface components separate from critical infrastructure.
- Finally, educate everyone about security practices and policies. This includes employees, partners, vendors—everyone in your business ecosystem.
It is true that IoT security is in many ways unique: it is more distributed, more heterogeneous, and more dynamic than traditional IT security environments. It also introduces new scenarios that require brand new approaches to security (think connected cars, sensor swarms and consumer-class devices in the workplace).
For most organizations, the logical first step on their IoT security journey is to leverage 30+ years of experience and best practices that IT security systems give us. So let’s not reinvent the wheel. Let’s take a comprehensive, strategic, policy-based architectural approach by extending and enhancing current IT security architectures to cover IoT devices, infrastructure, solutions, and use-cases.
Yes, we are dealing with an active adversary. But it doesn’t mean that security should be something we fear or demonize. The right answer is to develop an informed risk assessment and monitoring strategy, accompanied by an appropriate and proportional security response that accounts for the particular threat level and the amount of value at risk. And because securing your IoT deployment is not a one-time event, let’s implement it as an ongoing process, like the IoT journey itself.
Strategic innovation in the digital age is powered by people connected to the Internet of Things (IoT). Maciej Kranz has written a definitive guide on how to implement and capture the unprecedented value of IoT. The first of its kind, “Building the Internet of Things,” gets past the hype to guide organizations across industries through the IoT journey. His book is available online at major retailers.