The Internet of Things is growing massively, yet it also has a deepening security problem.
Indeed, in August a group of U.S. senators introduced a bill that would require vendors who supply the federal government with IoT devices to ensure that the devices can be patched, they have no known security vulnerabilities and the passwords can be changed, among other basic requirements. Experts seem to agree that legislation is necessary.
IoT security threats are not just digital, but physical as well, as malicious actors can potentially take control of security systems or hack into IoT devices to determine when a user is not at home or in the office. “Everything from the gateway down to the device is kind of the Wild West, and this new frontier is not an area that we’ve spent much time figuring out how to secure,” says Mike Krell, lead IoT analyst for research firm Moor Insights & Strategy.
Despite mounting security concerns, the IoT market continues a rapid expansion. A study sponsored by Aruba Networks recently found that 85 percent of businesses will implement an IoT strategy by 2019, driven by the need for innovation and business efficiency. The study also found that 88 percent of organizations already report a return on investments in IoT. Given the mission-critical nature of many IoT applications, it’s easy to see why data needs to be protected. Yet IoT devices currently are not being built with security as a primary consideration.
“By design, traditional IoT devices often lack even basic security protections, opting instead to focus on ease of use and affordability,” says Marc Laliberte, an information security threat analyst for security provider WatchGuard Technologies. “Even industrial IoT devices and medical equipment often remain vulnerable to basic attacks due to difficulties with patching security flaws.”
If IoT devices can’t be fully protected, then the surrounding environment needs to be secured. This approach requires multilayered, scalable security including firewalls, encryption, identity and access management, and network segmentation.
1. Next-Generation Firewalls Block Attackers
Next-generation firewalls (NGFW), a hardware- or software-based network security system, can detect and block attacks by enforcing security policies at the application, port and protocol levels. “Looking at security best practices, the NGFW provides some of the most critical ingredients of total IoT protection,” notes Yariv Fishman, head of IoT security for Check Point Software Technologies, an IT security technology provider. “NGFW appliances provide critical services like an intrusion prevention system (IPS) to detect and block exploitation of IoT devices without interfering with network access,” Laliberte adds. An IPS continuously examines network traffic flows to detect and prevent vulnerability exploits.
2. Encryption Helps Mitigate IoT Attack Risks
Encryption plays an important role in securing IoT devices as well as network communications. “For example, establishing an encrypted virtual private network (VPN) connection between a device and the network helps eliminate potential attacks, such as ‘Man in the Middle,’ that compromise the integrity and validity of the information provided from the device to the network and vice versa,” Fishman says.
Network connectivity built into IoT devices enables both remote monitoring and management. “These remote access connections more often than not opt for simplicity over security, using unencrypted HTTP instead of HTTPS, or even Telnet instead of Secure Shell (SSH),” Laliberte says.
One of the biggest mistakes IoT network administrators can make when enabling remote access to IoT devices is simply forwarding such insecure protocols through the perimeter firewall.
“Instead, they should use encrypted VPN solutions to allow remote access to their network, and ultimately the specific IoT devices, in a simple and secure way,” Laliberte suggests.
Yet encryption should be just one element in a holistic security strategy. “Security is only as good as its weakest link on the network,” Fishman says. “Therefore, having encryption helps mitigate some of the potential risks in an IoT network, but not all of them.”
3. Identity and Access Management Applies to IoT Devices
Identity and access management (IAM) provides mechanisms for authenticating, authorizing and auditing identities and access privileges of users and devices. “Traditionally, IAM was mostly focused on individuals; now it’s expanded from individuals to actual end devices,” Krell observes.
IAM tools have gradually gained the ability to manage hundreds of thousands — even millions — of interconnected “things,” as well as the people who communicate with IoT assets.
“The digital identity of these devices is key to securing the IoT,” says Leon Adato, “head geek” at SolarWinds, an IT infrastructure management company. “As the IoT becomes a more critical component of business and everyday life, an identity solution that can connect with anything and support IoT ecosystems, users, services and their relationships becomes necessary.”
4. Network Segmentation Limits the Spread of an Attack
Partitioning a network into secure segments helps isolate IoT devices from mainstream IT devices.
“Network segmentation enhances IoT security simply by mitigating the risk that one part of the network will be able to influence other parts,” Fishman says. “By doing so, we are keeping potential threats within a controlled environment without being able to extend the threat to other parts of the network.”
While traditional network endpoints typically run endpoint protection services, that’s not true for IoT devices.
“If an attacker is able to compromise an IoT device, they could sit there for months undetected while carrying out attacks behind your network perimeter,” Laliberte warns. “Because of this threat, IoT devices should be segmented from the rest of the network by an NGFW performing inspection on internetwork connections.”
5. Organizations Need a Comprehensive IoT Security Plan
Once there’s collective agreement about how many IoT devices will be in your environment, it’s up to the user to formulate a security policy incorporating best practices, Adato says.
“You may also need to consider Payment Card Industry, HIPAA and other compliance issues,” he notes. “The management burden falls to you, as the IT professional, to ensure that both your organization’s and end-users’ data is protected.”
Semiconductors Promise a Hardware Approach to IoT Security
While software-based security solutions are essential for safeguarding IoT data, technology leaders are beginning to understand that protection should start at the device level.
The semiconductor industry is beginning to offer hardware-based security solutions across the IoT ecosystem.
“While there’s never a 100 percent guarantee, a hardware solution is generally more difficult to crack than a software solution,” says Mike Krell, lead IoT analyst for research firm Moor Insights & Strategy. “A lot of the companies that produce processors for the embedded-device world deal with encryption on the physical device to validate keys and validate whatever is coming in from a particular direction.”
Security capabilities at the chip level will be extremely helpful to create a root of trust between the device and the network, says Yariv Fishman, head of IoT security for Check Point Software Technologies, an IT security technology provider.
“A root of trust mitigates the risk of any kind of tampering with the device data integrity and identity and provides a higher level of security for all surrounding IoT devices that share the same segment with that device,” he says. Yet organizations shouldn’t expect semiconductors to provide an all-encompassing IoT security solution. “The problem with chip-based security is that not all IoT devices have a chip that enables security by design — due to the device’s low-cost and low-functionality nature — and, therefore, security can’t be implemented across the entire IoT network,” Fishman explains.