The Internet of Things (IoT) offers many possible benefits for organizations and consumers—with unprecedented connectivity of countless products, appliances and assets that can share all sorts of information. IoT also presents a number of potential security threats that organizations need to address.
“There is no doubt the levels of risk are set to increase alongside the growth in deployment of IoT devices,” says Ruggero Contu, research director at Gartner. IoT will introduce thousands of new threat vectors simply by increasing the number of networked points, Contu says.
While IoT offers great opportunities, in interconnected environments “the security risks increase exponentially and the attack vector or surface is—in theory—potentially limitless,” says Laura DiDio, director enterprise research, Systems Research & Consulting at Strategy Analytics.
“Additionally, the burden on IT departments is much more onerous,” DiDio says. “They have much, much more to track.” Endpoint or perimeter security is the focal point of a lot of attention and with good reason, DiDio says, because it’s the first line of defense and takes the brunt of the full frontal assault.
[ ALSO ON CSO: Security and the Internet of Things – are we repeating history? ]
“That said, it is not the only vulnerable point in the IoT infrastructure,” DiDio says. In fact, in IoT environments where every thing and increasingly every person will be interconnected, careless end users constitute the biggest security threat to their organization’s IoT networks, according to Strategy Analytics 2016 survey data.
Not surprisingly, IoT security spending is on the rise. Gartner in an April 2016 report said worldwide spending on IoT security will reach $348 million in 2016, a 24 percent increase from 2015 spending of $281.5 million. And spending on IoT security is expected to reach $547 million in 2018.
Gartner predicts that IoT security market spending will increase at a faster rate after 2020, as improved skills, organizational change and more scalable service options improve execution.
The market is growing as both consumers and businesses start using connected devices in ever greater numbers, the firm says. Gartner has forecast that 6.4 billion connected things will be in use worldwide this year, up 30% from 2015, and will reach 11.4 billion by 2018.
The firm predicts that by 2020, more than 25 percent of identified attacks in enterprises will involve IoT, although IoT will account for less than 10 percent of IT security budgets.
Security vendors will be challenged to provide usable IoT security features because of the limited assigned budgets for IoT and the decentralized approach to early IoT implementations in organizations, Gartner says. The effort to secure IoT is expected to focus more on the management, analytics and provisioning of devices and their data. And by 2020, Gartner predicts that more than half of all IoT implementations will use some form of cloud-based security service.
IoT is likely to be among the top cyber security priorities for organizations in the coming years. The Computer Emergency Readiness Team (CERT) Division of the Software Engineering Institute at Carnegie Mellon University in May 2016 released a report identifying 10 at-risk emerging technologies, and some are related to IoT.
In the study, “2016 Emerging Technology Domains Risk Survey,” CERT examined the security of areas such as the connected home, which involves the automation of home devices, appliances and computers. Another area is smart sensors, one of the enabling technologies of IoT.
In today's increasingly interconnected world, the information security community must be prepared to address vulnerabilities that might arise from new technologies, Christopher King, vulnerability analyst at the CERT division, said in a blog post. “Understanding trends in emerging technologies can help information security professionals, leaders of organizations, and others interested in information security identify areas for further study,” he said.
Carnegie Mellon has been an early developer of IoT, and has made security a priority.
The university is working on an open IoT platform called Giotto, named after the innovative Renaissance painter. “We are building out an end-to-end stack, going from hardware to middleware to app layers, integrating machine learning, privacy, and security throughout, and also focusing on the user experience,” says Jason Hong, head of the research group at Carnegie Mellon’s Computer Human Interaction: Mobile Privacy Security Lab at the School of Computer Science.
“We want to make it so that people have IoT-in-a-box, so they can quickly use some of our sensor platforms, demonstrate examples of things to sense [such as an window opening or someone knocking on a door], and create apps that are triggered by those sensed actions,” Hong says.
IoT offers lots of potential for improving everyday life, “but also poses new kinds of risks to safety,” Hong says. “It's useful to think of IoT as a pyramid. At the top you have a few devices that you will use a lot and have a lot of computational power,” such as laptops, smartphones, watches and gaming consoles.
In the middle are dozens of devices used occasionally, and which have moderate computational heft. This tier would include thermostats, TVs, refrigerators, etc. At the bottom are hundreds of devices that people are barely aware of, such as HVAC, badges, implanted medical devices, digital picture frames, electronic locks, and more.
The top tier will be well protected, Hong says, as the companies that make these products have lots of expertise and experience, and the devices can run a lot of security software. “However, the middle and bottom tiers are where we will see lots of problems,” he says. “Many of the manufacturers have little or no experience with software, and these devices also can't do much to protect themselves.”
The biggest IoT threat will be ransomware, Hong says. “Today's ransomware attacks involve encrypting a victim's data and holding it hostage until they pay you,” he says. “Tomorrow, IoT offers a range of new ransomware attacks. Script kiddies might annoy people by locking them out of their house or their cars.” Anonymous might fiddle with a company's HVAC or lighting, raising electrical bills or irritating occupants, he says, and attackers might seek to break into multiple autonomous vehicles or medical devices, holding people virtually hostage, he says.
The lab at Carnegie Mellon is investigating several ideas for security within Giotto. One is how to use proximity as a way of gaining access, Hong says. For example, if you're in a room, you might be able to get access to some of the room's sensors and services, such as the temperature. If you're outside the room, you might get degraded or no information.
“We're also looking at how to differentiate between public and private data,” Hong says. “For example, at our university, we might designate sensors in hallways as public data that anyone affiliated with the university can see and use. But data and services associated with private offices might be only accessible to the occupant of that office as well as the building manager.”
Also, the lab is looking at how different layers of Giotto can support different parts of security. For instance, the physical layer needs to make it easy for people to understand that the sensors are there, check what data the sensor is collecting, see how that data is used, and understand who can see that data, Hong says.
“The logical and middleware layers need to offer access control, as useful defaults for what data and services people can access, and really simple controls that don't require a PhD to understand,” Hong says. “The app layers need to make it easy for average developers to make use of the data while also respecting people's privacy.”
In corporate IT, there's a strong emphasis on endpoint security—or putting security software on laptops, desktops and smartphones, Hong says. “This only works for the top-tier of devices, but not for the billions of devices that will make up the middle and bottom tier,” he says. “There will need to be major advances in network security to protect these kinds of devices.”
Organizations will also need significant innovations in artificial intelligence and big data techniques to detect unusual behaviors, Hong adds. “We can barely manage the security of our desktops, laptops, and cloud servers today, and adding thousands or tens of thousands of devices to a home or corporate network will mean that we will need new and automated ways of quickly detecting and responding to attacks.”
Overall, no single, homogeneous security technology can protect all IT assets including IoT edge processing, IoT platform middleware, back-end systems and data, Contu says. “A multi-faceted security approach is required to address expanded digital and physical risks,” he says.
At the endpoint, different approaches can be used, from embedding security features within chip architecture to deploying software agents to perform different security controls, Contu says. Gateways will provide valuable help in a complex architecture such as IoT ecosystems that are difficult to secure as a result of heterogeneous devices and identity profiles.
“Gateways will be deployed to align and handle specific IoT domains, managing a specific set of devices with similar trust requirements, and therefore the domains can be shaped using principles of a common trust model,” Contu says. “Federation of trust models allows interoperability between different domains and the devices that use different trust models.”
Key technologies in IoT security will likely be machine learning and artificial intelligence, says James Beeson, CISO and IT risk leader at financial services firm GE Capital Americas.
“As billions of additional devices get connected to the Internet, it will become impossible to manually deal with the number of alerts and/or unknown assets and events,” Beeson says. “The technologies need to be able to deal will mass quantities of data and quickly make decisions.”
Even before considering technology, organizations have to implement strong security policies and procedures, DiDio says. “If you don’t have a policy or a plan in place, you’ve got real problems,” she says.
Then, organizations should buy and install the appropriate security tools and software packages that are right for their business. “And they must stay up to date with the latest patches and fixes,” DiDio says. “Many companies experience problems because they fail to upgrade and apply patches and find their devices and applications wide open and vulnerable.”
Security in IoT environments is not static, but a moving target. “You have to constantly reassess and monitor your security and security policies and procedures and enforce them to stay abreast of the external threats posed by hackers and the internal threats posed by your own employees—deliberate or careless,” DiDio says. “Corporations can never declare victory. Complacency is your worst enemy.”