Don’t let IoT hype distract from security fundamentals, experts say
The Internet of Things (IoT) is often portrayed as some kind of futuristic concept, but the reality is that ‘smart things’ already have an established presence in our homes and workplaces. NPD Group says the average U.S. household already possesses 5.7 connected ‘things’, while almost 65 percent of U.S. businesses had deployed IoT technologies in 2014, according to a study by Zebra Technologies, commissioned and conducted by Forrester Research.
The Internet of Things refers to pretty much any device connected to the web that isn’t a computer or smartphone. We’ve all heard of things like Google Glass, smart cars and smart refrigerators, but few appreciate the wealth of connected devices currently deployed in industries ranging from utilities and aerospace to oil and environmental protection. The potential benefits of the so-called “Industrial Internet” are undeniably massive, but in an age in which cybercrime is a growing concern, each new device is a potential attack point. Attackers could conceivably use them as backdoors to infiltrate networks, or they could hijack the devices themselves to carry out malicious operations – and it’s down to the organizations that use them to defend against these types of threats.
But just how big a threat does the Internet of Things really pose?
“The truth is we don’t know how bad the risk will be,” said Rich Mogull, an analyst with IT security research firm Securosis, L.L.C. However, Mogull notes that security is not the strong point of most connected devices at the moment. “What we do know is that most IoT devices will likely start with poor security. Even the ones that are secure probably won’t stay that way since you may not be able to patch them,” he said.
What could go wrong?
For organizations with active IoT deployments, it’s imperative they understand how these devices can be abused if an attacker manages to access them. Connected devices aren’t all that different from desktop or mobile assets in the sense that they connect to networks and interact with IT systems, which means they pose more or less the same dangers as traditional hardware.
“If compromised, they can be used by attackers, depending on the device capabilities, to penetrate IT systems and other devices on a network,” said Rick Bullotta, Chief Technology Officer at ThingWorx, an application platform for the Internet of Things.
The danger is two-fold. On the one hand, connected devices are potential system vulnerabilities that could allow attackers to access networks and steal data. Then again, the devices themselves are prone to being hijacked and misused in unpredictable ways.
“This presents a new type of risk to IT, the risk of connected things doing physical harm, such as a power grid being shut down, or a railway track being rerouted, or a heart defibrillator being hacked,” Bullotta said.
It’s a risk that’s already been felt, at least in simulated scenarios. Back in 2012, security researcher Barnaby Jack revealed at the Breakpoint security conference in Melbourne how several different types of pacemakers could be hacked and commanded to deliver a deadly, 830-volt shock to whoever is fitted with them. He blamed the weakness on poor software programming by medical device companies. More recently, hackers at last year’s BlackHat Security conference demonstrated how it’s possible to hack numerous home alarms, smart cars and an assortment of other devices with relative ease.
Securing the IoT
One of the difficulties with formulating any security strategy is there is such a vast array of different connected devices already out there, and this is just the beginning. IoT devices span a much wider range of capabilities and needs than traditional IT assets, and so anyone using them is forced to prioritize their security efforts on those that present the biggest threat. For Mogull of Securosis, the approach to security depends on what each device is capable of.
“I don’t overly care if someone can turn off my lights, for example. The real question is can this device actually hurt the organization in the context of all their other security controls?” he asked.
According to Bullotta, Internet of Things security should therefore be treated as its own distinct area, separate from desktop, mobile and server security systems. But it’s also important to be aware of how different devices interact on their networks, and to adapt network monitoring and intrusion prevention/detection systems to take into account each different kind of device. “A formal risk process for risk assessment and mitigation should be a key element of any IoT deployment, as well as an ongoing operation,” Bullotta said.
But putting a security plan in place is just one part of the puzzle. Many organizations first need to assess whether the benefits of having connected devices justify the risks involved. Christopher Budd, Global Threat Communications Manager at security firm Trend Micro, Inc., believes the best approach is to reduce the threat surface as much as possible. That means locking down networks and only allowing access to devices when it’s absolutely necessary. Once the network is safely locked down, administrators can then develop policies and procedures to allow essential IoT devices to connect.
“IoT is the latest wave of cool consumer technology that people want to use, but organizations should say no to it,” said Budd. “Managing users is the most challenging thing that administrators face.”
Users aren’t the only factor that needs to be carefully managed. Paul Madsen, senior technical architect at Ping Identity Corp., says identity management is just as important. Any organization that’s contemplating the deployment of IoT devices should ensure that each device is provisioned with credentials, and that the rights and authorizations of each device are carefully managed by IT teams. That means building a scalable and flexible identity management infrastructure capable of dealing with users from different constituencies accessing distributed applications from a variety of device types – not exactly a simple feat, but essential if an organization is determined to avert attacks.
“Fundamentally, security must be built on a strong identity foundation,” said Madsen. “Securing the IoT requires that we be able to authenticate different devices, users and applications and apply appropriate authorizations to their interactions.”
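The two recommendations above, Budd’s default-deny network posture and Madsen’s per-device credentials with managed authorizations, fit together in one small policy check. The following Python is an added example, not code from any of the vendors quoted in this article: it assumes a constructed device registry in which each device holds its own secret and an explicit list of permitted actions, and it authenticates requests with an HMAC tag before consulting that list. Device names, secrets and actions are all constructed for the example.

```python
"""Per-device credentials with default-deny authorization (added example)."""
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Constructed device registry. Each device is provisioned with its own secret
# and an explicit set of actions it may request; anything not listed is denied.
# The secrets are constructed placeholders so the example runs offline; a real
# deployment would issue them at provisioning time and keep them in a secrets
# manager or hardware-backed store rather than in source.
DEVICE_REGISTRY = {
    "thermostat-lobby-01": {
        "secret": b"constructed-secret-thermostat-01",
        "allowed_actions": {"report_temperature"},
    },
    "door-controller-east": {
        "secret": b"constructed-secret-door-east",
        "allowed_actions": {"report_status", "unlock"},
    },
}

# Requests whose timestamp is further than this from the server clock are
# rejected, which limits how long a captured message can be replayed.
MAX_SKEW_SECONDS = 60


def _message(device_id: str, action: str, timestamp: int) -> bytes:
    # Canonical byte string covered by the tag. The separator keeps the fields
    # distinct so that moving characters between them changes the message.
    return f"{device_id}|{action}|{timestamp}".encode()


def sign_request(device_id: str, action: str, timestamp: int, secret: bytes) -> str:
    """Produce the HMAC-SHA256 tag a device attaches to its request."""
    return hmac.new(secret, _message(device_id, action, timestamp), hashlib.sha256).hexdigest()


def authorize(device_id: str, action: str, timestamp: int, signature: str,
              now: Optional[int] = None) -> Tuple[bool, str]:
    """Authenticate the device, then check the action against its authorizations.

    Returns (allowed, reason). Every failure path denies, and a device that is
    not in the registry is refused before any other check runs.
    """
    now = int(time.time()) if now is None else now
    entry = DEVICE_REGISTRY.get(device_id)
    if entry is None:
        return False, "unknown device"
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    expected = sign_request(device_id, action, timestamp, entry["secret"])
    # Constant-time comparison so the check does not leak how many tag bytes matched.
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    if action not in entry["allowed_actions"]:
        return False, "action not permitted for this device"
    return True, "ok"


if __name__ == "__main__":
    ts = int(time.time())
    dev = "thermostat-lobby-01"
    secret = DEVICE_REGISTRY[dev]["secret"]
    print(authorize(dev, "report_temperature", ts, sign_request(dev, "report_temperature", ts, secret)))
    print(authorize(dev, "unlock", ts, sign_request(dev, "unlock", ts, secret)))
    print(authorize("rogue-device", "report_temperature", ts, "00" * 32))
```

The ordering matters: the registry lookup runs first so an unregistered device never reaches the signature check, and the action list is consulted only after the tag verifies, so a thermostat that presents a valid credential still cannot request an action reserved for the door controller. This is the concrete form of Mogull’s point that what a device is allowed to do, not merely whether it can connect, determines the risk it carries.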
Don’t be a victim of hype
Experts note, however, that another challenge for organizations is to avoid getting so caught up in the Internet of Things ‘hype’ that they lose focus on more pressing concerns. The risk needs to be put into perspective, and while it’s clear that IoT devices are becoming more commonplace, there are much bigger cybersecurity threats to worry about, such as attacks on core networks and servers, as well as more capable mobile devices.
“The Internet of Things just isn’t the big risk IT departments need to be focusing on in 2015,” said Jeremy Linden, Senior Security Product Manager at Lookout, Inc., a mobile security firm. “Smartphones are becoming the dominant computing platform and hackers are now starting to turn their attention toward these smaller screens. If I was an IT administrator, I’d be more worried about the smartphone in someone’s pocket than the smartwatch on someone’s wrist.”
In other words, don’t even think about the Internet of Things until you’re already well positioned to thwart attacks from more likely vectors. Putting a strong IT security system in place takes priority over anything else. That means protecting the network, carefully managing users’ rights and permissions and educating users, among other things. Only once this has been done should you start worrying about people switching off the lights or assassinating people with pacemakers.
“So far I’ve seen more hype than any real-world concerns outside of specific areas,” said Mogull of Securosis. “If focusing on IoT takes resources away from more established security issues that aren’t dealt with, that’s going to be a problem.”