IoT pushes IT security to the brink

The Internet of Things (IoT) offers many possible benefits for organizations and consumers—with unprecedented connectivity of countless products, appliances and assets that can share all sorts of information. IoT also presents a number of potential security threats that organizations need to address.

“There is no doubt the levels of risk are set to increase alongside the growth in deployment of IoT devices,” says Ruggero Contu, research director at Gartner. IoT will introduce thousands of new threat vectors simply by increasing the number of networked points, Contu says.

While IoT offers great opportunities, in interconnected environments “the security risks increase exponentially and the attack vector or surface is—in theory—potentially limitless,” says Laura DiDio, director enterprise research, Systems Research & Consulting at Strategy Analytics.

“Additionally, the burden on IT departments is much more onerous,” DiDio says. “They have much, much more to track.” Endpoint or perimeter security is the focal point of a lot of attention and with good reason, DiDio says, because it’s the first line of defense and takes the brunt of the full frontal assault.

“That said, it is not the only vulnerable point in the IoT infrastructure,” DiDio says. In fact, in IoT environments where every thing and increasingly every person will be interconnected, careless end users constitute the biggest security threat to their organization’s IoT networks, according to Strategy Analytics 2016 survey data.

Not surprisingly, IoT security spending is on the rise. Gartner in an April 2016 report said worldwide spending on IoT security will reach $348 million in 2016, a 24 percent increase from 2015 spending of $281.5 million. And spending on IoT security is expected to reach $547 million in 2018.

[Chart: Gartner worldwide IoT security spending, 2015 to 2018]

Gartner predicts that IoT security market spending will increase at a faster rate after 2020, as improved skills, organizational change and more scalable service options improve execution.

The market is growing as both consumers and businesses start using connected devices in ever greater numbers, the firm says. Gartner has forecast that 6.4 billion connected things will be in use worldwide this year, up 30% from 2015, and will reach 11.4 billion by 2018.

The firm predicts that by 2020, more than 25 percent of identified attacks in enterprises will involve IoT, although IoT will account for less than 10 percent of IT security budgets.

Security vendors will be challenged to provide usable IoT security features because of the limited assigned budgets for IoT and the decentralized approach to early IoT implementations in organizations, Gartner says. The effort to secure IoT is expected to focus more on the management, analytics and provisioning of devices and their data. And by 2020, Gartner predicts that more than half of all IoT implementations will use some form of cloud-based security service.

IoT is likely to be among the top cyber security priorities for organizations in the coming years. The Computer Emergency Readiness Team (CERT) Division of the Software Engineering Institute at Carnegie Mellon University in May 2016 released a report identifying 10 at-risk emerging technologies, and some are related to IoT.

In the study, “2016 Emerging Technology Domains Risk Survey,” CERT examined the security of areas such as the connected home, which involves the automation of home devices, appliances and computers. Another area is smart sensors, one of the enabling technologies of IoT.

In today's increasingly interconnected world, the information security community must be prepared to address vulnerabilities that might arise from new technologies, Christopher King, vulnerability analyst at the CERT division, said in a blog post. “Understanding trends in emerging technologies can help information security professionals, leaders of organizations, and others interested in information security identify areas for further study,” he said.

Carnegie Mellon has been an early developer of IoT, and has made security a priority.

The university is working on an open IoT platform called Giotto, named after the innovative Renaissance painter. “We are building out an end-to-end stack, going from hardware to middleware to app layers, integrating machine learning, privacy, and security throughout, and also focusing on the user experience,” says Jason Hong, head of the research group at Carnegie Mellon’s Computer Human Interaction: Mobile Privacy Security Lab at the School of Computer Science.

“We want to make it so that people have IoT-in-a-box, so they can quickly use some of our sensor platforms, demonstrate examples of things to sense [such as a window opening or someone knocking on a door], and create apps that are triggered by those sensed actions,” Hong says.

IoT offers lots of potential for improving everyday life, “but also poses new kinds of risks to safety,” Hong says. “It's useful to think of IoT as a pyramid. At the top you have a few devices that you will use a lot and have a lot of computational power,” such as laptops, smartphones, watches and gaming consoles.

In the middle are dozens of devices used occasionally, and which have moderate computational heft. This tier would include thermostats, TVs, refrigerators, etc. At the bottom are hundreds of devices that people are barely aware of, such as HVAC, badges, implanted medical devices, digital picture frames, electronic locks, and more.

The top tier will be well protected, Hong says, as the companies that make these products have lots of expertise and experience, and the devices can run a lot of security software. “However, the middle and bottom tiers are where we will see lots of problems,” he says. “Many of the manufacturers have little or no experience with software, and these devices also can't do much to protect themselves.”

The biggest IoT threat will be ransomware, Hong says. “Today's ransomware attacks involve encrypting a victim's data and holding it hostage until they pay you,” he says. “Tomorrow, IoT offers a range of new ransomware attacks. Script kiddies might annoy people by locking them out of their house or their cars.” Anonymous might fiddle with a company's HVAC or lighting, raising electrical bills or irritating occupants, he says, and attackers might seek to break into multiple autonomous vehicles or medical devices, holding people virtually hostage, he says.

The lab at Carnegie Mellon is investigating several ideas for security within Giotto. One is how to use proximity as a way of gaining access, Hong says. For example, if you're in a room, you might be able to get access to some of the room's sensors and services, such as the temperature. If you're outside the room, you might get degraded or no information.

“We're also looking at how to differentiate between public and private data,” Hong says. “For example, at our university, we might designate sensors in hallways as public data that anyone affiliated with the university can see and use. But data and services associated with private offices might be only accessible to the occupant of that office as well as the building manager.”
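The two Giotto ideas Hong describes above, proximity-graded access to a room's sensors and a public/private designation for sensor data, can be expressed as one small policy check. The following is an illustrative example added here, not code from the Giotto project; the sensor and requester records, the three location states and the "exact / whole-degree / nothing" fidelity ladder are all assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Location(Enum):
    IN_ROOM = "in_room"          # requester is physically in the sensor's room
    IN_BUILDING = "in_building"  # same building, different room
    REMOTE = "remote"            # not on the premises


@dataclass(frozen=True)
class Sensor:
    sensor_id: str
    room: str
    public: bool               # hallway sensors: readable by anyone affiliated
    occupant: Optional[str]    # owner of a private office, None for public spaces


@dataclass(frozen=True)
class Requester:
    user: str
    affiliated: bool           # member of the university / organization
    location: Location
    building_manager: bool = False


def read_temperature(sensor: Sensor, requester: Requester,
                     exact_celsius: float) -> Optional[float]:
    """Return the reading at the fidelity the policy allows, or None.

    Identity gate first: unaffiliated users see nothing; private-office data
    is limited to the occupant and the building manager.  Then proximity
    decides fidelity: in the room you get the exact value, elsewhere in the
    building a degraded (whole-degree) value, off-site nothing at all.
    """
    if not requester.affiliated:
        return None
    if not sensor.public:
        if requester.user != sensor.occupant and not requester.building_manager:
            return None
    if requester.location is Location.IN_ROOM:
        return exact_celsius
    if requester.location is Location.IN_BUILDING:
        return float(round(exact_celsius))   # degraded reading
    return None                              # remote: no information


# Constructed sample sensors for the example.
HALLWAY = Sensor("temp-hall-2", "hallway-2", public=True, occupant=None)
OFFICE = Sensor("temp-office-42", "office-42", public=False, occupant="alice")
```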

Also, the lab is looking at how different layers of Giotto can support different parts of security. For instance, the physical layer needs to make it easy for people to understand that the sensors are there, check what data the sensor is collecting, see how that data is used, and understand who can see that data, Hong says.

“The logical and middleware layers need to offer access control, as useful defaults for what data and services people can access, and really simple controls that don't require a PhD to understand,” Hong says. “The app layers need to make it easy for average developers to make use of the data while also respecting people's privacy.”

In corporate IT, there's a strong emphasis on endpoint security—or putting security software on laptops, desktops and smartphones, Hong says. “This only works for the top-tier of devices, but not for the billions of devices that will make up the middle and bottom tier,” he says. “There will need to be major advances in network security to protect these kinds of devices.”

Organizations will also need significant innovations in artificial intelligence and big data techniques to detect unusual behaviors, Hong adds. “We can barely manage the security of our desktops, laptops, and cloud servers today, and adding thousands or tens of thousands of devices to a home or corporate network will mean that we will need new and automated ways of quickly detecting and responding to attacks.”

Overall, no single, homogeneous security technology can protect all IT assets including IoT edge processing, IoT platform middleware, back-end systems and data, Contu says. “A multi-faceted security approach is required to address expanded digital and physical risks,” he says.

At the endpoint, different approaches can be used, from embedding security features within chip architecture to deploying software agents to perform different security controls, Contu says. Gateways will provide valuable help in a complex architecture such as IoT ecosystems that are difficult to secure as a result of heterogeneous devices and identity profiles.

“Gateways will be deployed to align and handle specific IoT domains, managing a specific set of devices with similar trust requirements, and therefore the domains can be shaped using principles of a common trust model,” Contu says. “Federation of trust models allows interoperability between different domains and the devices that use different trust models.”

Key technologies in IoT security will likely be machine learning and artificial intelligence, says James Beeson, CISO and IT risk leader at financial services firm GE Capital Americas.

“As billions of additional devices get connected to the Internet, it will become impossible to manually deal with the number of alerts and/or unknown assets and events,” Beeson says. “The technologies need to be able to deal with mass quantities of data and quickly make decisions.”

Even before considering technology, organizations have to implement strong security policies and procedures, DiDio says. “If you don’t have a policy or a plan in place, you’ve got real problems,” she says.

Then, organizations should buy and install the appropriate security tools and software packages that are right for their business. “And they must stay up to date with the latest patches and fixes,” DiDio says. “Many companies experience problems because they fail to upgrade and apply patches and find their devices and applications wide open and vulnerable.”

Security in IoT environments is not static, but a moving target. “You have to constantly reassess and monitor your security and security policies and procedures and enforce them to stay abreast of the external threats posed by hackers and the internal threats posed by your own employees—deliberate or careless,” DiDio says. “Corporations can never declare victory. Complacency is your worst enemy.”