We continue to hear dire warnings about the inherent security risks of the Internet of Things (IoT), and indeed IoT-related incidents are happening. With many companies beginning to capture IoT data from connected devices, a key question is are they doing enough to ensure that data and networks are secure?
If security executives thought they had a lot to handle with the growth of mobile devices and the expanding digital enterprise, the emergence of connected products, corporate assets, vehicles and other “things” is taking security coverage to a whole new level.
A December 2016 study by the Institute for Critical Infrastructure Technology (ICIT) — a cyber security think tank that acts as a conduit between private sector companies and U.S. federal agencies, points out how vulnerable enterprises are to attacks such as distributed denial of service (DDoS) via IoT.
Cyber criminals are expanding their control over vulnerable IoT devices, which can be used in DDoS-for-Hire services for an array of layered attack methods, the report says.
Meantime, IoT continues to take hold. A survey of nearly 1,000 enterprise IT buyers worldwide conducted by 451 Research from August to October 2016 shows that 71 percent of enterprises are gathering data for IoT initiatives today. Organizations expect to increase their IoT technology investments by 33 percent over next the 12 months, the study says. A huge majority (90 percent) will increase IoT spending over the next 12 months, and 40 percent will raise IoT-related investments by 25 percent to 50 percent compared with 2016.
However, security remains a concern, with half of the respondents citing it as the top impediment to IoT deployments.
“When it comes to IoT and security, I think it’s nearly impossible to overstate the need and the critical nature of security readiness,” says Laura DiDio, research director at 451 Research and lead author of the study.
“In IoT environments where devices, people and applications are interconnected, the attack surface or attack vector is potentially limitless,” DiDio says. “Threats are everywhere. This is a situation where organizations and their IT departments are well served by being a bit paranoid rather than being lax.”
Every IoT application, process and device is vulnerable, DiDio says. “Even the most stringent security mechanisms and measures can be undone by a single careless user who fails to follow the rules and implement security” on various devices, she says.
The largest security threats in IoT are those inherent in the need to interconnect devices, says Ed McNicholas, co-leader of the privacy, data security and information law practice at Sidley Austin LLP, who focuses on IoT as a part of his practice.
Laura DiDio, research director at 451 Research
“A wide variety of smart technologies are being integrated into an incredible variety of objects by a multitude of companies, often using novel technologies,” McNicholas says. “The drive to push these devices to market quickly, combined with the need for communication with a wide variety of other devices, will result in gaps that can be exploited and which will dramatically increase the attack surface of organizations.”
A number of factors determine just how great the security risk is with any given connected device.
“Obviously those with a bigger attack surface such as internet-facing devices have greater risk,” says Scott Laliberte, managing director and global lead of the security and privacy practice at consulting firm Protiviti.
Another factor is how common the device is. “The greater the adoption of the device, the more likely it is to be targeted by bad guys,” Laliberte says. “The theory is the attackers’ efforts will be focused on devices that reap them greater rewards by having greater impact.”
Also, the more complex a device is, the more device functions there are to protect, and the more there is that can go wrong. Finally, high-risk functionality will likely draw interest of people trying to wreak havoc. “The riskier the functionality, the greater the importance that the manufacturer secures the device effectively,” Laliberte says.
Device manufacturers need to make sure security is incorporated into the design and embedded in the product life cycle, Laliberte says. “Design the product to be easy for the consumer to secure,” he says. “Do not rely on them to perform critical activities needed to secure the device. They will likely not do it.”
Ultimately, users of IoT and the product manufacturers “have an obligation to install and create IoT products in ways that maximize usefulness and minimize risk,” Laliberte says. “The use of IoT devices is going to expand rapidly, and without adequate security we have the potential to introduce unknown dangers into our homes, workplaces and communities.”
The overwhelming amount of insecure and unsecured IoT devices worldwide practically ensures that we’ll continue to see attacks such as DDoS continue to proliferate worldwide for the foreseeable future, DiDio says.
While much of the focus is on protecting the network perimeter because it’s the so-called first line of defense, organizations can’t ignore key applications and servers located in the data center. “Another all too common security mistake organizations and IT departments sometimes make is the failure to physically secure devices,” DiDio says.
One of the first things an organization should do as it looks to bolster IoT security is gain a solid understanding of what IoT devices it currently has, as well as those it’s planning to deploy.
“Having an inventory of your devices is a fundamental part of asset management,” says Andrew Wild, CISO at QTS, an international provider of data center, managed hosting and cloud services.
“We’ve also developed a policy that requires a review and approval process for new types of devices that will be attached to the network,” Wild says. “Secondly, the infosec organization is tracking all of the device types on the network to monitor the appropriate vendor vulnerability disclosures and continuing to perform network wide vulnerability scanning to identify and fix vulnerable devices, including IoT devices.”
QTS has many network-enabled sensors and control systems that collect and forward various types of information, from environmental data to power system monitoring.
Devices should be secure by default
Having an IoT security policy and enforcing it strictly is a wise approach, DiDio says. “Organizations can mitigate and decrease the risk to an acceptable level by being proactive,” she says. “That means that in IoT environments security must be built-in from inception. The IoT environment must be secure by design, secure by default, secure in use, secure in transmission and secure at rest.”
Other “must dos” include conducting vulnerability testing to find out where the weak points are in the network and work to shut them down; staying up to date on security fixes and patches; deploying the appropriate security devices and software; training and re-certifying IT staff on the latest security mechanisms and investing in security awareness training; and taking inventory of what’s on the network.
Companies using or planning to use the IoT can also work with other organizations to push for security standards for connected objects.
“It took years for the technology community to realize the need to build security protocols into internet communications,” McNicholas says. “Companies can advance their security effectively by attempting to formulate and seek consensus on technical standards that allow for more secure communications.”
A key to developing strong IoT security will be acquiring the needed skills.
Most organizations do not have the internal skill sets that securing IoT devices will require,” Laliberte says. “Securing IoT devices requires a unique mix of hardware, development, network, and embedded security skills. Finding these at all, let alone in one person, is extremely difficult.”
One of the skills most needed to develop better security protocols for IoT is the ability to communicate more effectively about risk, McNicholas says. This communication needs to take place among technologists, attorneys and business leaders.
“Only if the company can speak a common language can robust discussions about risks and rewards take place,” McNicholas says.