Dec 29 2014

IoT Security: Why IT Needs to Stay Ahead of the Curve

The presence of IoT devices on the network raises security concerns that need to be addressed sooner rather than later.

Last week’s meat loaf may no longer be the most malicious thing in your refrigerator. As reported by Proofpoint back in January 2014, a global attack campaign was carried out through conventional household smart appliances (including a refrigerator) that were hacked and used to deliver 750,000-plus malicious emails. This proved what many security experts had feared for some time: The lack of security on most Internet of Things devices makes them ripe for exploitation.

The topic of IoT security was addressed recently during a panel discussion at SC Congress Chicago, a conference and expo for public- and private-sector information security professionals. Early adopters of the IoT, especially manufacturers and energy companies, must now address unique security concerns that these devices bring as they connect to the network.

“It can be a challenge to network and enable shop floor systems when they may not be able to be patched at the same level of security as other systems in the office space,” commented John D. Johnson, Ph.D., global security strategist at John Deere. “We need to be able to find a way to enable network communications that are appropriate and, at the same time, segment these shop floor systems so that they don’t have a detrimental effect on other computers on the network.”

Part of the dilemma facing IT security teams that are grappling with onboarding IoT devices is how to strike the right balance between security needs and business needs. “We want to enable this manufacturing equipment to communicate on the network in an appropriate way,” said Johnson, “and, at the same time, ensure that they aren’t attacked or used for attacks on other network systems.” What many IoT early adopters are finding is that it is essential to have an overview of the entire IT ecosystem to maintain security. “Organizations need a way to assess the entire environment,” Johnson explained. “They should be able to inventory devices, understanding their functions and roles, and then functionally restrict them so they can only do what they need to do.”

Going forward, some of this after-the-fact security work would be alleviated if security standards were established that could guide device manufacturers in securing their IoT products. Johnson believes that focusing on the communication protocols of IoT devices is crucial. “Standards would need to outline how the device associates with the network, determining what level of testing and hardening would be required — and how they could be updated in a cryptologically secure fashion.”

Unfortunately, it may be a while before any standards are drawn up and adopted. As reported on ZDNet, there are numerous consortiums working on a variety of universal technical standards for the IoT. Consensus is still a ways off.