Everything, from home appliances to industrial controls, is becoming wired and interconnected. Yet while the Internet of Things (IoT) promises to help make lives and many business activities easier and more efficient, the technology also has opened new attack vectors for cybercriminals, spies and various other troublemakers.
For IoT to live up to its potential, the medium must be made both secure and manageable. Yet by its sheer size and scope, IoT can inflate a single security vulnerability into a complex tangle of interrelated threats.
Security is the primary reason that many businesses are saying “slow down” to IoT deployments, says Anthony Grieco, senior director of Cisco Systems’ security and trust organization. “A recent study by Cisco found that a majority of executives believe that cybersecurity risks and threats were hindering innovation in their organizations, with 39 percent halting mission-critical initiatives due to cybersecurity concerns,” Grieco notes.
While IoT has barely emerged from the starting gate, there have already been several headline-grabbing security failures. “Highly publicized IoT security breaches, including those at Target and Jeep, have made IoT security top of mind,” says Mike Tennefoss, vice president of strategic partnerships for Aruba, a Hewlett Packard Enterprise company.
In 2015, security researchers Charlie Miller and Chris Valasek hacked into a Jeep Cherokee featuring built-in automated controls. As their volunteer victim was driving at 70 mph near downtown St. Louis, the researchers took control over the car’s brakes and accelerator, as well as other less-essential components including the radio, horn and windshield wipers. While the test exploit caused no human or property damage, it delivered an important message about the need for stringent IoT security.
While IoT poses security challenges on a nearly unprecedented scale, the good news is that existing best practices can often be used to address key IoT security risks. “All of the security controls and techniques that we have known about and worked with for years can absolutely be applied to the IoT space,” says Christos K. Dimitriadis, board of directors chair for ISACA, a nonprofit, independent association that advocates for professionals involved in information security, assurance, risk management and governance.
Careful preparation is essential to create a solid and reliable IoT security strategy. “Any time you put a device on a network, you need to think very carefully about security,” says Craig Mathias, principal at Farpoint Group, a technology advisory firm. “Who has access to it? Under what circumstances? What can it do? How should transactions to and from it be logged? How do we manage it centrally?”
Complicating IoT security is the fact that many network sensors and related devices are small and inexpensive, have only limited memory/compute resources and often aren’t designed with security in mind. “One of the weak points that we see is that IoT vendors and the ‘things’ themselves aren’t as mature from a security and a posture perspective as they need to be,” Grieco says. He notes that most IoT developers aren’t seasoned IT technology vendors and do not necessarily think about security holistically. “As such, they don’t consider building it into everything that they’re developing and, as a result, we tend to see less mature practices when it comes to the basics of security,” he notes.
“Unfortunately, IoT in all of the forms that it can take is still an unknown, and security for the multiple devices has not been sufficiently thought through,” Dimitriadis says. “Developers need to recognize that there are long-term consequences that can occur from a failure to address security concerns early in the design and development lifecycle.”
IoT adopters can help ensure better security by taking matters into their own hands. “Existing best practices, such as network segmentation, will help take some of the security load off of these devices,” says Mark Blackmer, product marketing manager, industry solutions, for Cisco Systems’ security business group.
“External mechanisms, such as machine learning-based traffic analytics, can help close the [security] gap,” Tennefoss adds.
Most IoT devices are designed to function autonomously without backup connectivity. Secure and reliable remote management is essential to ensure faultless operation. “Strong encryption, robust authentication, compartmentalized access and other IT practices commonly used to remotely manage computer networks should also be applied to remotely managing IoT networks,” Tennefoss says.
Dimitriadis notes that there’s no fundamental difference between the techniques used to remotely manage IoT devices versus any other type of network device. “Essentially, it consists of understanding the usage parameters and the expectations for how the device will be used, applying the appropriate set of security controls and ensuring that those controls and countermeasures continue to function appropriately,” he says.
Unlike even the most widely distributed conventional networks, IoT networks present adopters with the unique challenge of managing ecosystems containing millions or even billions of devices. “Scale is the biggest challenge we’ll face in securing the IoT, and it’s going to require the security community to think differently,” Blackmer says. “This means more identity- and policy-based security, virtualization and the adaptability that brings, and using the network itself to detect and remediate malicious traffic and attacks.”
Perhaps the trickiest thing about remotely managing high-scale IoT environments is planning how each device gets online and how IT teams will be able to quickly and accurately identify all of the networked devices. “Remote management is only useful if you have appropriately brought the device online in a highly scalable and secure way, with the appropriate identities associated with it,” Grieco says.
Implementing a management tool that lets IT teams know where each device exists, and can be uniquely and securely identified for reliable performance, is essential for successful IoT network operation. Yet achieving this goal isn’t always easy. Teams may lack the skillset necessary to identify system vulnerabilities, Tennefoss warns. “Weak points may include the lack of physical security to device electronics and interfaces, inadequate security for legacy IoT devices, using of default passwords, failing to validate the trustworthiness of newly connecting devices, using a BIOS from outside the U.S., and poor encryption key and certificate management,” he says.
“Once you have this solid security foundation for remote management, the traditional systems that are used for remote management are going to have to be adjusted to focus on efficiency [and] for the necessary scale of secure management,” Grieco says.
The most useful strategy for managing complex IoT networks, according to Dimitriadis, is to draw from principles that have been honed and tested over many years. “The science of ensuring that devices, systems and applications work together in alignment with business objectives is already a well-established discipline, and leveraging those concepts [in IoT management] can be fruitful.”
Management and liability concerns can rapidly multiply when IoT networks are shared among multiple entities, such as when a municipal smart traffic light network has stakeholders including emergency services users, the municipality that owns the system and a provider that provisions access. “You want to make sure the lines of authority are clear, but that the responsibility for any given management task is in the hands of a single organization at any given moment in time,” Mathias says.
Security is a race with no finish line. There is no assurance that any particular IoT device type will be able to support future security advances. “For this reason, customers should expect to replace IoT devices on regular intervals that are based not on operational life, but rather on the expiration of security defenses, Tennefoss says.
It’s important for organizations that operate IoT networks to put on a black hat from time to time in order to identify and mitigate vulnerabilities before the real bad guys do, Blackmer says. “Bring in penetration testers on a regular basis, and if you can’t afford to do that, conduct red team exercises with your staff,” he suggests.
An organization always wants redundancy and resilience built into its systems, and IoT is no different, Blackmer says. “This is sound risk management, and it’s an ongoing process of identifying risk, mitigating those risks and creating contingencies.”
Ensuring the physical well-being of IoT devices is an important security measure that many organizations either neglect or ignore. “If someone can physically get hold of a device, hack it and put it back on the network, and the operator of that device is unable to determine that a hack had occurred, that’s a problem,” Mathias explains.
Blackmer, like most IoT experts, is confident that future advancements will lead to even better default security. “It is going to require that we in the security community make the effort to partner and work with manufacturers to help them along,” he says.
“We have basic principles of security that work,” Dimitriadis says. “We need to make sure that these principles are followed throughout the lifecycle ... from concept through deployment and use.”
Read this white paper for guidance on how wireless technologies support IoT: cdw.com/wireless-iot-wp.