When it comes to security, Internet of Things adopters are being left to their own devices

Dismal device security means IoT adopters must build their own defences

The breakneck growth of the Internet of Things (IoT) has taken many technology prognosticators by surprise – but there will be other, far less pleasant surprises in store if IoT manufacturers can't improve their security practices quickly enough to avoid a data disaster.

Those practices are slowly maturing as security vendors – having only recently come to grips with the security implications of an explosion of smartphones, tablets, laptops and other endpoint devices – are faced with a much faster growth curve as businesses adopt all manner of networkable devices and the technology goes mainstream at rapid pace. Gartner, for one, has predicted that the 6.4 billion connected devices in use this year will nearly double, to 11.4 billion, by 2018.

While ubiquitous networking offers untold potential for delivering new services, network effects also make that connectivity a massive security threat as devices gain the ability to access each other – and the Internet – without intervention or control through a central point. This creates untold new vectors for attack and compromise of devices that users may not even realise are communicating sensitive information online.

For now, IoT weaknesses are being discovered on a largely ad hoc basis for now as researchers probe the security of all kinds of high-tech new devices – and they inevitably fail to measure up. Recent warnings about one model of Internet-connected home thermostat, for example, highlighted the poor security controls built into the devices while another study identified 86,000 Internet-connected printers that have many ringing alarm bells. Cars, appliances, wearable health sensors and fitness trackers, drones, security cameras – the list of potentially exposed IoT elements goes on and on, each promising its own set of consequences in the case of a breach.

Efforts to secure these devices are expected to explode in coming years, with Gartner forecasting in April that the $US231.9m spent on IoT security in 2014 would grow by 23.7 this year over last – and nearly double, to $US547.2m, by 2018.

Early “moderate” growth in spending will give way to a “faster rate” after 2020 as early work around IoT security gives way to broader frameworks and IoT security infrastructure, the company's analysts said – while noting that by 2020, more than 25 percent of cyber attacks on enterprises will involve IoT.

"The effort of securing IoT is expected to focus more and more on the management, analytics and provisioning of devices and their data,” said Gartner research director Ruggero Contu, who highlighted the growing role of cloud-based security infrastructure that, by 2020, would be used by half of all businesses to impose security controls over IoT environments.

“IoT business scenarios will require a delivery mechanism that can also grow and keep pace with requirements in monitoring, detection, access control and other security needs,” he explained. “The IoT's fundamental strength in scale and presence will not be fully realized without cloud-based security services to deliver an acceptable level of operation for many organizations in a cost-effective manner.”

Just as vendors of networking equipment previously missed many of the loopholes that allowed hackers to bypass their security protections, IoT makers are similarly overlooking many of the intricacies and compromises that their devices necessarily introduce. Whether due to coding flaws or design decisions explicitly made for simplicity of user experience, lack of experience and lack of standardisation are already jeopardising the future security of the IoT world.

Vendors are racing to provide cloud-based frameworks to provide this control, but until those frameworks are widely used and adopted by IoT vendors there will still be a yawning gap between IoT device security and corporate security policies that apply to other types of information.

Filling this gap will take years as security-conscious customers wait for vendors to not only lift their games, but to working constantly to identify and patch security vulnerabilities before hackers do. And a key part of this effort, says Gigamon's ANZ security virtual field team lead Ian Farquhar, is to deploy powerful monitoring technology capable of extending current network visibility into cloud-based IoT environments.

“It's just not possible to figure out in milliseconds whether something is bad or safe,” Farquahar explains. “By moving security to a cloud provider you haven't lost responsibility for the workload. What you have lost is the visibility you need to properly deal with that responsibility.”

“That means we've also got to step away from the concept of controls that block, to embracing constant vigilance and operational security. It shouldn't matter where the network traffic is; you should be able to see it.”

Applying that level of operational security to IoT environments will take time – and flexible, widely adopted standards. Efforts such as the OWASP Internet of Things project, for example, have moved to help IoT vendors improve their security game by offering resources such as guidelines around IoT security, IoT testing, and IoT framework assessments. The International Telecommunications Union (ITU), for its part, last year ran a global standards initiative, known as IoT-GSI, whose scope includes security standards and was recently rolled into the ITU-T SG20 group.

Yet while such standards will be important in the long term, in the short term it has become clear that management tools will not be able to compensate for IoT vendors' poor security design. Corporate IoT echnology adopters will need to scope out and implement their own solutions that combine cloud-based management capabilities with the management visibility of security-focused monitoring tools. This approach will abstract IoT security away from the devices and bring the new, malleable security perimeter in towards the more-controllable corporate network.

“One of the challenges with advanced threats is that attackers always play around the margins,” Farquhar says. “They are looking for the way in that you are not looking at. To get this, we need situational awareness in the cloud – and the first step to get that is visibility.”

Join the CSO newsletter!

Error: Please check your email address.

Tags analyticsGartnerubiquitous networkingGigamonInternet of ThingsIoTCSO Australia

More about GartnerGigamonITU

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by David Braue

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place