IoT: Challenges of securing IP-enabled devices
- 12 July, 2014 03:46
A few years ago, the idea of home and office appliances being connected to a network, may have seemed like something out straight out of science fiction. Today, however this is fast becoming a reality, as technology continues to develop and evolve, increasing in complexity and sophistication.
Commonly referred to as the 'Internet of Things' (IoT), we are now seeing a surge in everyday appliances being IP-enabled and connected to the network, a trend which seems set to continue.
However, the benefits of IoT, while often cited as significant, have been countered with talks of increased security risks, which could be substantial, particularly when this trend is applied to critical infrastructure, forming target points for nation states and criminal organizations intent on accessing confidential data and information.
What are the vulnerabilities posed by IoT?
Analyst group Gartner projects that by 2020, the number of IP-enabled devices, not including PCs, tablets and smartphones, will hit 26 billion units globally, while IDC's assessment concludes at 212 billion units. These numbers are significant, as each device represents another potential entry-point for hackers to launch targeted attacks on enterprises. With more devices communicating and sharing potentially confidential and sensitive data, coupled with the emergence of unprotected networks, the worrying conclusion is the creation of a considerable number of new vulnerability points for targeted attacks on enterprises.
Secondly, vendors with little or no security expertise are likely to develop these low margin IP-enabled devices often at a low-cost. Due to this, it is common to find basic security features absent in these devices. Moreover with the majority of these devices differing in purpose, utilizing different operating systems and working on a myriad of networks and systems, the challenge to protect the devices and the communication between them has exponentially increased.
The third major risk faced by IoT security is the devices' connection to cloud-based applications and services. New data is constantly being uploaded, processed and deposited in this cloud, and yet the current scenario is one that sees IoT data falling outside the realm of data leakage laws. Moreover, data collection is often vague, with little clarity on access controls and management, resulting in further complexities to segment and secure these massive volumes of data.
How to secure the Internet of Things
Fortunately, with overlaps in the world of the IoT and devices/endpoints, cloud/datacentre and the network, securing the multitude of potential attack points exists. This involves leveraging the same strategy as other IP-based communications.
Firstly, it is important to identify and understand which devices are part of the IoT network. Crucial knowledge about the nature of IoT devices is one of the stronger approaches in making decisions to protect the device and manage its data, similar to the security functions currently in existence for mobile endpoints. If a device is infected with malware, for example, it can be blocked from accessing the IoT network.
With widespread growth of new and unknown forms of malware, it is increasingly vital to ensure IoT devices are protected against potential threats. As IP-enabled devices differ in functionality, the most logical solution is to secure these devices at a network level rather than an endpoint level, overcoming the limitations present in endpoint security functions. Depending on the support of inspection of IoT communications protocol, IoT can also leverage on existing network security solutions like firewall and IPS. In addition, by using the Zero Trust principles of least privilege access with granular segmentation, enterprises can secure IoT data and application access.
To conclude, while the IoT may offer potential for improving the way that enterprises and government currently operate, it is fundamental to overcome the biggest challenge faced: the regulation surrounding IoT data collection system and the way these records will be used, shared and secured. To achieve this, it's imperative for enterprises, governments and standard organisations to collaborate and leverage expertise to overcome IoT's complex, multi-faceted security vulnerabilities.
Yong Shu is the Senior Regional Sales Director for China at Palo Alto Networks