IoT is a significant threat surface. Even modern smartphones, perhaps the first IoT devices to arrive on many of our networks, carry out many actions that are largely invisible to most of us. Other devices were developed with few security controls, under a rule of "if it works, ship it", and then deployed into environments that were never anticipated.
At a panel discussion at the CSO Perspectives Roadshow in Perth, former FBI agent Jeff Lanza, Mark Loveless, Senior Security Researcher at Duo Security, and Mark Jones, the CEO of ENEX Carbon, discussed the security issues facing our new IoT dominated world.
With price pressure on many IoT device manufacturers, delivering low-cost devices with strong security baked in is a challenge. One response from the panel was to apply an appropriate standard. However, no such standard exists yet. Some principles are being developed in different countries, but these haven't yet coalesced into a coherent set that can be broadly applied.
There is an opportunity for governments to provide positive input that supports businesses. For example, the energy efficiency rating schemes that exist for home appliances could be mirrored by a scheme that rates the security credentials of a device. That could turn security into a feature makers can promote, rather than an overhead they are forced to develop.
Another challenge is the security of the device's supply chain. How do we know the maker of the device is trustworthy? With many IoT sensors and control equipment built for consumers rather than enterprises, security may not be integrated with sufficient rigour, and the devices may end up in commercial environments they were never intended for.
Similarly, the data collected by these devices may end up being exposed and used in ways that were never intended. For example, shodan.io is a search engine that indexes internet-connected devices. Threat actors can use it, taking advantage of owners who are unaware of how exposed their technology is, to locate people or to find devices to compromise and recruit into a Mirai-like DDoS botnet.
One of the things companies need to be doing is not just watching who is coming into the network but also what data is leaving it.
As one panelist put it, we don't yet know how the IoT will be used or how its data will be shared. It will be a massive social challenge that will drive considerable change, and broader awareness of the issues will only come when an incident of sufficient severity occurs. With recent tests demonstrating that a connected car can be taken over and crashed, the panel agreed it may take one or more fatalities for the issue to receive the attention it requires.
A further complexity comes from companies that have outsourced all or part of their IT function and, as a result, lack a complete understanding of what is really happening on their network. Many businesses are already struggling to manage the data they have, let alone the explosion of information that arrives when IoT devices are deployed.
The panel closed by saying there needs to be a significant education process. Just as awareness of the importance of patching servers has grown, keeping IoT devices up to date, hardened and secure will increase in importance. Improved network monitoring, so that malicious traffic and activity can be detected, could be another important step forward.
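As an added illustration of the egress monitoring the panel calls for (watching what leaves the network, and detecting the kind of activity a Mirai-style compromise produces), the Python below is example code written for this page, not anything from the panelists or the article. It applies three checks to a handful of constructed flow records: a device scanning many external hosts on the telnet ports that Mirai-style worms probe, a device sending far more than its daily baseline, and a device talking to destinations that are not on its allowlist. The device inventory, thresholds, addresses and flow lines are all assumptions invented for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed flow records in CSV form, roughly what a NetFlow/IPFIX exporter
# or firewall log gives you once normalised. Invented for this example, not
# captured traffic.
SAMPLE_FLOWS = """\
ts,src,dst,dport,proto,bytes
2017-03-01T09:00:01,10.0.5.21,203.0.113.10,443,tcp,1820
2017-03-01T09:00:05,10.0.5.21,203.0.113.10,443,tcp,2210
2017-03-01T09:00:09,10.0.5.21,203.0.113.10,443,tcp,1960
2017-03-01T09:01:00,10.0.5.22,198.51.100.7,23,tcp,120
2017-03-01T09:01:01,10.0.5.22,198.51.100.8,23,tcp,120
2017-03-01T09:01:01,10.0.5.22,198.51.100.9,2323,tcp,120
2017-03-01T09:01:02,10.0.5.22,198.51.100.10,23,tcp,120
2017-03-01T09:01:02,10.0.5.22,198.51.100.11,23,tcp,120
2017-03-01T09:01:03,10.0.5.22,198.51.100.12,23,tcp,120
2017-03-01T09:05:00,10.0.5.23,203.0.113.44,443,tcp,5200000
2017-03-01T09:05:30,10.0.5.23,203.0.113.10,443,tcp,3000
"""

# Hypothetical device inventory: which destinations each IoT device is expected
# to talk to and roughly how many bytes it sends per day. In practice this comes
# from asset management plus a learned baseline; the values here are assumptions.
INVENTORY = {
    "10.0.5.21": {"name": "lobby-camera", "allowed": {"203.0.113.10"}, "baseline_bytes": 50_000},
    "10.0.5.22": {"name": "hvac-sensor", "allowed": {"203.0.113.10"}, "baseline_bytes": 10_000},
    "10.0.5.23": {"name": "smart-tv", "allowed": {"203.0.113.10"}, "baseline_bytes": 200_000},
}

TELNET_PORTS = {23, 2323}   # ports Mirai-style worms scan for weak credentials
SCAN_THRESHOLD = 5          # distinct hosts hit on those ports before alerting
EGRESS_MULTIPLIER = 10      # bytes sent relative to baseline before alerting


def parse_flows(text):
    """Parse CSV flow records into dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": row["ts"], "src": row["src"], "dst": row["dst"],
            "dport": int(row["dport"]), "proto": row["proto"], "bytes": int(row["bytes"]),
        })
    return rows


def analyse_egress(flows, inventory):
    """Group outbound flows by internal source and apply the egress rules.

    Returns {src_ip: [rule names that fired]} for sources with at least one alert."""
    telnet_targets = defaultdict(set)   # src -> external hosts hit on 23/2323
    bytes_out = defaultdict(int)        # src -> total bytes sent
    unexpected = defaultdict(set)       # src -> destinations not on the allowlist
    seen = set()
    for f in flows:
        src, dst = f["src"], f["dst"]
        seen.add(src)
        bytes_out[src] += f["bytes"]
        if f["dport"] in TELNET_PORTS:
            telnet_targets[src].add(dst)
        allowed = inventory.get(src, {}).get("allowed", set())
        if dst not in allowed:
            unexpected[src].add(dst)

    alerts = {}
    for src in sorted(seen):
        fired = []
        dev = inventory.get(src)
        if dev is None:
            fired.append("unknown_device")          # not in the inventory at all
        if len(telnet_targets[src]) >= SCAN_THRESHOLD:
            fired.append("mirai_like_scan")         # fanning out on telnet ports
        if dev and bytes_out[src] > EGRESS_MULTIPLIER * dev["baseline_bytes"]:
            fired.append("excess_egress")           # far more data leaving than usual
        if unexpected[src]:
            fired.append("unexpected_destination")  # talking to someone it shouldn't
        if fired:
            alerts[src] = fired
    return alerts


if __name__ == "__main__":
    for src, fired in analyse_egress(parse_flows(SAMPLE_FLOWS), INVENTORY).items():
        name = INVENTORY.get(src, {}).get("name", "unknown")
        print(f"{src} ({name}): {', '.join(fired)}")
```

On the constructed data the camera stays quiet, the HVAC sensor is flagged for telnet fan-out to six external hosts (the classic Mirai propagation pattern) and for contacting hosts off its allowlist, and the TV is flagged for sending over 5 MB against a 200 KB baseline to a destination it was never expected to reach. The allowlist and baseline per device class are the part that takes real effort; without an inventory of what each device should be doing, the scan rule is the only one that works from traffic alone.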