Much like the previous year, 2016 has seen the Internet of Things (IoT) phenomenon continue to be a hot topic amongst the IT industry. As has been widely reported, Gartner predicts that there will be up to 20.8 billion connected devices in use by 2020.
Mass connectivity has developed from being a fad to being a credible approach to effective business management. In fact, according to a recent IDC survey, 38 percent of Australian organisations have launched IoT solutions, with an additional 46 percent looking to deploy in the next 12 months. Meanwhile, 60 percent of Australian businesses also see IoT as strategic to their business as a means to compete more effectively.
However, for many organisations, the idea of IoT for the enterprise is old hat. IoT is and has been a core driver for IT facilities for a number of years and has been key to advancing IT applications and integrating legacy devices. However, today’s conversations are changing the perceptions of IoT and the reality of creating a truly connected business.
The growth of IoT is almost exponential, as there are now millions of devices being used by organisations. However as the rate of devices expands dramatically, so too do the risks to security and concerns for privacy.
The security concerns
Undoubtedly, the significant number of new devices being connected to a variety of networks all over the globe will not only result in increased stress on both existing and new networks but, more importantly, increased threats.
According to a recent Quocirca report (commissioned by Neustar), the number one issue major IoT users worry about is privacy and a close second is the expanded attack surface that will be exposed as more IoT applications are deployed. The report identified four key security concerns relating to IoT, including:
1. Data protection: Many devices gather sensitive data, so the device’s transmission, storage and processing needs to be secure, for both business purposes and regulatory reasons.
2. Expanded attack surface: More IoT deployments mean more devices on networks for attackers to probe as possible entry points to an organisation’s broader IT infrastructure. Older devices with pre-IoT firmware are likely to be some of the most vulnerable.
3. Attacks on IoT enabled processes: Hacktivists wanting to disrupt a given business’s activities for some reason will have more infrastructure, devices and applications to target, for example, via denial-of-service attacks on networks or by compromising and/or disabling individual devices.
4. Botnet recruitment: Poorly protected devices may be recruited to botnets. Incidents of this have been reported, for example in September a DDoS attack on cyber security journalist, Brian Krebs’ website turned IoT devices (mainly surveillance cameras) into a botnet network that delivered more than 620 Gbps per second of traffic. This further emphasises the need for organisations to implement solutions to protect against DDoS attacks.
Ensuring device security
Effective management and security is only possible through great design. Security starts with identity and planning. Organisations are beginning to make headway in identification and authentication, with almost half of all organisations already scanning IoT devices for vulnerabilities, and another 29 percent planning to do so. At the same time, 67 percent of Australian organisations have outlined security policies and protocols when implementing their IoT strategy.
IoT security issues such as data protection, botnet recruitment and DDoS-style attacks on IoT enabled processes can be addressed through adapting and scaling measures that are already in place for existing IT infrastructure.
The adoption of a decentralised security and management model, where a gateway needing a unique IP address controls communications with the outside world, for example, network routers, set top boxes, smartphones etc, which in turn communicates onwards with remote devices that do not need unique IP addresses, avoids the need for each device to have a unique IP address. This approach can work at scale, making the selective, effective and cost efficient deployment of IoT security more straightforward, as scanning can be carried out using the same processes in place for existing IT endpoints.
Throughout 2016, the proliferation of IoT connected devices will continue to put pressure on the manufacturers of these devices to implement IoT security controls - if it can’t be secured - it shouldn’t be purchased no matter how amazing the functionality and connectivity is. For the internet enabled business, a key component is being able to confidently recognise millions of things, within and outside of the organisation, which for most requires upgraded device identity management capabilities.
As more and more devices become tied to the Internet, the security threat will continue to expand to new industries and areas. If the Internet of Things is to be secure for the future, there is much work to be done.